Static Route help with my pix

I'm trying to create a new static route on my pix to a VLAN.  My current config is:

outside 0.0.0.0 0.0.0.0 66.60.131.5 1 OTHER static
inside 10.4.0.0 255.254.0.0 10.4.1.8 1 CONNECT static
outside 66.60.137.176 255.255.255.240 66.60.137.178 1 CONNECT static

I need to add a route for 10.10.5.0 255.255.0.0 10.4.1.80

But I also noticed that the line inside 10.4.0.0 255.254.0.0 10.4.1.8 1 CONNECT static should probably have mask changed to 255.255.0.0

So my questions are:

1.  How do I change the subnet mask on my existing route?  I'm missing something, and don't have any resources avail to me.
2.  Is adding the second route as simple as : route inside 10.10.5.0 255.255.0.0 10.4.1.80 ?

Thx!
LVL 4
eggm4nAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

rsivanandanCommented:
The routes you have up there are the default one, see the 'CONNECT' . So if you want to add another route to inside network, then it is as simple as adding;

route inside 10.10.5.0 255.255.0.0 10.4.1.8

Cheers,
Rajesh
0
eggm4nAuthor Commented:
Any ideas ewhat I'm doing wrong here?

PIX(config)# route inside 10.10.5.0 255.255.0.0 10.4.1.8
%Inconsistent address and maskWARNING: unable to add route to OSPF RIB
tPIX(config)#
0
eggm4nAuthor Commented:
Here is what I have now:  But I'm worried about the error listed above.

 outside 0.0.0.0 0.0.0.0 66.60.131.5 1 OTHER static
 inside 10.4.0.0 255.254.0.0 10.4.1.8 1 CONNECT static
 inside 10.10.0.0 255.255.0.0 10.4.1.8 1 OTHER static
 outside 66.60.137.176 255.255.255.240 66.60.137.178 1 CONNECT static
0
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

jmandalaCommented:
The inconsistency comes from having an address that defines the third octet, and a subnet that leaves it open.

It probably should read:

route inside 10.10.5.0 255.255.255.0 10.4.1.8

OR

route inside 10.10.0.0 255.255.0.0 10.4.1.8

Depending on whether you're trying to route to a class C or class B subnet.
0
eggm4nAuthor Commented:
Yes I agree jmandala.  Can you answer my other question?  How do I change that route?  I can't determine how to edit it.  I'm pretty new to the PIX.
0
jmandalaCommented:
You would simply prefix any line you want to remove with the word "no."

no route inside 10.10.0.0 255.255.0.0 10.4.1.8


Then you'll just recreate it.

I must say, though, that if the routes above that you posted are correct, then it looks like the PIX already changed it to a class B.  If you need it to be Class C, you'll need to remove the existing route using the "no" prefix then recreate it like so:

route inside 10.10.5.0 255.255.255.0 10.4.1.8
0
eggm4nAuthor Commented:
OK good to know.  I think I have my route set up properly however, I still can't ping from a machine on my network.  

Here is my configuration right now:

local lan 10.4.1.0 255.255.252.0 gw 10.4.1.8
PIX:  10.4.1.8
VLAN: 10.10.5.0 255.255.255.0
Static route to vlan uses gw 10.4.1.80

I can ping 10.10.5.0 from my PIX, but not from my desktop machines on the lan.

I can ping it though is I set a route on the desktop itself in Windows.  So my PIX is blocking the traffic.  I'm looking here, and I think this is the cause, but not sure how to fix this.  Especially since this PIX also is my Internet FW.

outbound  10 deny 0.0.0.0 0.0.0.0 1-65535 udp
outbound  10 deny 0.0.0.0 0.0.0.0 1-65535 tcp
outbound  10 permit 0.0.0.0 0.0.0.0 1-65535 tcp
outbound  10 permit 0.0.0.0 0.0.0.0 1-65535 udp
apply (inside) 10 outgoing_src

So I need to set something specifc to 10.10.5.0/255.255.255.0 right?  Any advice on what I need to do?

Thx in advance.
0
jmandalaCommented:
Let me ask you this - if you put a static route on your PC, can you even hit the internet?

Also - can you ping something on 10.4.1.0 from the PIX?

Lastly - do you have any adapters on the PIX configured to the 10.10.5.0 VLAN, or is 10.4.1.80 another router (or firewall)?
0
eggm4nAuthor Commented:
Yes, I can still hit the internet with another route on my windows machine.  It's basically telling me to use GW of 10.4.1.80 instead of 10.4.1.8 for the 10.10.5.x ip space.

Yes I can ping everything form the PIX.

I do have adaptors but am not using them.  In this case 10.4.1.80 is a port on the new switch that has the VLAN set in it.
0
jmandalaCommented:
OK.  It looks like all ports are blocked for all IPs.  If you want to open ports for IPs, you will need to make them explicit.

outbound 10 permit 10.4.1.0 255.255.255.0 1-65535 tcp
outbound 10 permit 10.10.5.0 255.255.255.0 1-65535 tcp

This will allow all tcp traffic on all ports to all the defined addresses on those class C subnets.  If you need udp as well, then add similar lines ending in udp.  Not the most secure situation, necessarily, but the easiest.  You'd need lines for each allowed port otherwise.

Similarly, if you have a web server of address 10.4.1.50 and you wanted outbound traffic enabled, you'd add:

outbound 10 permit 10.4.1.50 255.255.255.255 80 tcp - if you didn't want to allow all outbound ports for all machines on those subnets.

You could enter the ICMP port to allow pinging, SMTP for email, etc.

0
lrmooreCommented:
Here's some information that may help your dilema.
 >- inside 10.4.0.0 255.254.0.0 10.4.1.8 1 CONNECT static
How can you change the subnet mask on this connected route statement?
You cannot! This statement comes directly from the subnet mask assigned to the inside interface.
   ip address inside 10.4.1.8 255.254.0.0

>I need to add a route for 10.10.5.0 255.255.0.0 10.4.1.80
>inside 10.10.0.0 255.255.0.0 10.4.1.8 1 OTHER static
Shouldn't this statement read
    inside 10.10.0.0 255.255.0.0 10.4.1.80 1 OTHER static
                                                        ^^

>I can ping 10.10.5.0 from my PIX, but not from my desktop machines on the lan.
This proves that the routing from the PIX' perspective is correct and the above is a typo?

>I can ping it though is I set a route on the desktop itself in Windows.
Correct. Assuming that the PIX is your default gateway, this is the *only* way you can do what you wish. You must add a static route on each and every PC that needs to access the 10.10.5.x subnet, pointing them to the alternate route 10.4.1.80
This is expected behavior and a "feature" of the PIX firewall. It simply will not redirect a packet back out the same interface it came in on. Let's follow a packet:
 Client sends packet destined for host 10.10.5.15
 Client knows it is not on local LAN
 Client sends packet to default gateway (PIX)
 Packet hits PIX inside interface
 PIX knows that 10.10.5.15 is available through inside interface
 PIX does nothing.
 Packet dies.

If the gateway is a router, a router will send a redirect to the PC, saying essentially:
 I can't route that packet to the destination, but if you re-send it to 10.1.4.80, your packet will arrive safe and sound.
 Client then adds a temporary route statement based on information received from the icmp redirect packet:
   route add 10.10.5.15 mask 255.255.255.255 10.1.4.80

If the PC is rebooted, that route is gone and the process would start over, but it is relatively painless and works.

The crux of the matter is that the PIX simply does not send that icmp redirect packet back to the client PC. Client PC knows it sent the packet to its gateway and never gets a reply.

The only way a PIX will "route" is through its physical interfaces. The reason it needs to have a static route to the "other" network is so that "it" knows how to get to those hosts in case they use him for Internet access. Packet comes from host 10.10.5.15, destined for www.experts-exchange.com, PIX does the nat thing, sends the packet forward through the outside interface to the next hop default route, viola' the packet returns and the pix sends the reply back to host 10.10.5.15.
0
eggm4nAuthor Commented:
Hey Thanks for the lesson lrmoore!  I did correct the typo, but it still did not work.  What I think you are saying is that there is not a way for me to in my default GW route to another GW on the same interface.  If that is correct, and I have add'l interfaces on my PIX (which I do) Could it then work?  For example could I do the following:

route intf2 10.10.5.0 255.255.255.0 10.4.1.80

I really appreciate everyone's help so far.  I've learned a lot in the past two days.
0
lrmooreCommented:
Well... sort of...
Remember that the PIX has different security levels between the interfaces and traffic between interfaces must have nat rules and access-list rules, so it's really difficult to turn it into a basic router between subnets, but it can be done.
If you can change the inside IP of the vpn gateway that is currently 10.1.4.80 to be something else, like 10.50.50.80:

ip address intf2 10.50.50.85 255.255.255.0
route intf2 10.10.5.0 255.255.255.0 10.50.50.80
nat (inside,intf2) 10.1.4.0 10.1.4.0 255.254.0.0
access-list intf2_to_inside permit ip 10.10.5.0 255.255.255.0 10.1.4.0 255.254.0.0
access-group intf2_to_inside in interface intf2

Now, the only glitch is that the router that used to be 10.1.4.80, is now 10.50.50.80, needs a route statement on it for the 10.1.4.0 255.255.0.0 subnet, pointing to its local pix interface - 10.50.50.85

Depending on what type of router/firewall/device 10.1.4.80 is, you may be able to use "it" as the default gateway for the lan, and point "it's" default route to the PIX...
0
eggm4nAuthor Commented:
OK I think I get it.

My "vpn gateway" is actually a port on a tier 3 switch that is part of a new VOIP PBX system.  If I change that port IP address to something like 10.50.50.80 instead of 10.4.1.80 (get it off of my PC V-lan, basically) I should then be able to use NAT and route traffic b/w the two VLANS.  I'll try this now.
0
eggm4nAuthor Commented:
One note, I'm getting an error:  Source address,mask <10.1.4.0,255.254.0.0> doesn't pair when I try to run:

access-list zultys_to_inside permit ip 10.10.5.0 255.255.255.0 10.1.4.0 255.254.0.0

When I run show access-list I get the following:
XXXXXXX(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
0
eggm4nAuthor Commented:
I'll change it to access-list zultys_to_inside permit ip 10.10.5.0 255.255.255.0 10.1.0.0 255.254.0.0

That should fix the pairing.
0
eggm4nAuthor Commented:
Sorry for the spam, I got it working.  It was not pairing so much as I transposed my IP scheme.  I needed 10.4.0.0 not 10.1.0.0 for the access-list.  OK off to try to set the port on the switch, and do some testing.  I'll follow up soon as I get that part working.
0
lrmooreCommented:
Good work!
0
eggm4nAuthor Commented:
So after some time I went back to the drawing board.  This is what I'll attempt when I'm back onsite:

I'll reverse the routes!  Basically I'll create a port on the Layer 3 switch on my data VLan for my route to the PBX VLAN.

That port wil be called 10.4.1.80.  I will then set that as my default GW for my data network, and have all traffic going to the net use my internet GW of 10.4.1.8.  Would that work?
0
jmandalaCommented:
That will work as long as 10.4.1.8 is on the PIX, and you're allowing the right port traffic through.

Don't forget that you'll need a route in the PIX to get out to other networks, and a GW for those routes to go through.  And you'll need a gateway for 10.10.5.0 traffic (which I think you already have, yes?).
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking

From novice to tech pro — start learning today.