Solved

Static Route help with my pix

Posted on 2006-03-31
Last Modified: 2012-06-27
I'm trying to create a new static route on my pix to a VLAN.  My current config is:

outside 0.0.0.0 0.0.0.0 66.60.131.5 1 OTHER static
inside 10.4.0.0 255.254.0.0 10.4.1.8 1 CONNECT static
outside 66.60.137.176 255.255.255.240 66.60.137.178 1 CONNECT static

I need to add a route for 10.10.5.0 255.255.0.0 10.4.1.80

But I also noticed that the line inside 10.4.0.0 255.254.0.0 10.4.1.8 1 CONNECT static should probably have mask changed to 255.255.0.0

So my questions are:

1.  How do I change the subnet mask on my existing route?  I'm missing something, and don't have any resources avail to me.
2.  Is adding the second route as simple as: route inside 10.10.5.0 255.255.0.0 10.4.1.80?

Thx!
Question by:eggm4n
Expert Comment by: rsivanandan (ID: 16347022)
The routes you have up there are the default ones, see the 'CONNECT'. So if you want to add another route to the inside network, then it is as simple as adding;

route inside 10.10.5.0 255.255.0.0 10.4.1.8

Cheers,
Rajesh
Author Comment by: eggm4n (ID: 16347061)
Any ideas what I'm doing wrong here?

PIX(config)# route inside 10.10.5.0 255.255.0.0 10.4.1.8
%Inconsistent address and maskWARNING: unable to add route to OSPF RIB
tPIX(config)#
Author Comment by: eggm4n (ID: 16347083)
Here is what I have now:  But I'm worried about the error listed above.

 outside 0.0.0.0 0.0.0.0 66.60.131.5 1 OTHER static
 inside 10.4.0.0 255.254.0.0 10.4.1.8 1 CONNECT static
 inside 10.10.0.0 255.255.0.0 10.4.1.8 1 OTHER static
 outside 66.60.137.176 255.255.255.240 66.60.137.178 1 CONNECT static
Expert Comment by: jmandala (ID: 16347291)
The inconsistency comes from having an address that defines the third octet, and a subnet that leaves it open.

It probably should read:

route inside 10.10.5.0 255.255.255.0 10.4.1.8

OR

route inside 10.10.0.0 255.255.0.0 10.4.1.8

Depending on whether you're trying to route to a class C or class B subnet.
Author Comment by: eggm4n (ID: 16347374)
Yes I agree jmandala.  Can you answer my other question?  How do I change that route?  I can't determine how to edit it.  I'm pretty new to the PIX.
Expert Comment by: jmandala (ID: 16347385)
You would simply prefix any line you want to remove with the word "no."

no route inside 10.10.0.0 255.255.0.0 10.4.1.8


Then you'll just recreate it.

I must say, though, that if the routes above that you posted are correct, then it looks like the PIX already changed it to a class B.  If you need it to be Class C, you'll need to remove the existing route using the "no" prefix then recreate it like so:

route inside 10.10.5.0 255.255.255.0 10.4.1.8
Author Comment by: eggm4n (ID: 16347544)
OK good to know.  I think I have my route set up properly; however, I still can't ping from a machine on my network.

Here is my configuration right now:

local lan 10.4.1.0 255.255.252.0 gw 10.4.1.8
PIX:  10.4.1.8
VLAN: 10.10.5.0 255.255.255.0
Static route to vlan uses gw 10.4.1.80

I can ping 10.10.5.0 from my PIX, but not from my desktop machines on the lan.

I can ping it though if I set a route on the desktop itself in Windows.  So my PIX is blocking the traffic.  I'm looking here, and I think this is the cause, but not sure how to fix this.  Especially since this PIX also is my Internet FW.

outbound  10 deny 0.0.0.0 0.0.0.0 1-65535 udp
outbound  10 deny 0.0.0.0 0.0.0.0 1-65535 tcp
outbound  10 permit 0.0.0.0 0.0.0.0 1-65535 tcp
outbound  10 permit 0.0.0.0 0.0.0.0 1-65535 udp
apply (inside) 10 outgoing_src

So I need to set something specific to 10.10.5.0/255.255.255.0 right?  Any advice on what I need to do?

Thx in advance.
Expert Comment by: jmandala (ID: 16347564)
Let me ask you this - if you put a static route on your PC, can you even hit the internet?

Also - can you ping something on 10.4.1.0 from the PIX?

Lastly - do you have any adapters on the PIX configured to the 10.10.5.0 VLAN, or is 10.4.1.80 another router (or firewall)?
Author Comment by: eggm4n (ID: 16347580)
Yes, I can still hit the internet with another route on my windows machine.  It's basically telling me to use GW of 10.4.1.80 instead of 10.4.1.8 for the 10.10.5.x ip space.

Yes I can ping everything from the PIX.

I do have adaptors but am not using them.  In this case 10.4.1.80 is a port on the new switch that has the VLAN set in it.
Expert Comment by: jmandala (ID: 16347626)
OK.  It looks like all ports are blocked for all IPs.  If you want to open ports for IPs, you will need to make them explicit.

outbound 10 permit 10.4.1.0 255.255.255.0 1-65535 tcp
outbound 10 permit 10.10.5.0 255.255.255.0 1-65535 tcp

This will allow all tcp traffic on all ports to all the defined addresses on those class C subnets.  If you need udp as well, then add similar lines ending in udp.  Not the most secure situation, necessarily, but the easiest.  You'd need lines for each allowed port otherwise.

Similarly, if you have a web server of address 10.4.1.50 and you wanted outbound traffic enabled, you'd add:

outbound 10 permit 10.4.1.50 255.255.255.255 80 tcp - if you didn't want to allow all outbound ports for all machines on those subnets.

You could enter the ICMP port to allow pinging, SMTP for email, etc.

Expert Comment by: lrmoore (ID: 16350509)
Here's some information that may help your dilemma.
 >- inside 10.4.0.0 255.254.0.0 10.4.1.8 1 CONNECT static
How can you change the subnet mask on this connected route statement?
You cannot! This statement comes directly from the subnet mask assigned to the inside interface.
   ip address inside 10.4.1.8 255.254.0.0

>I need to add a route for 10.10.5.0 255.255.0.0 10.4.1.80
>inside 10.10.0.0 255.255.0.0 10.4.1.8 1 OTHER static
Shouldn't this statement read
    inside 10.10.0.0 255.255.0.0 10.4.1.80 1 OTHER static
                                                        ^^

>I can ping 10.10.5.0 from my PIX, but not from my desktop machines on the lan.
This proves that the routing from the PIX' perspective is correct and the above is a typo?

>I can ping it though is I set a route on the desktop itself in Windows.
Correct. Assuming that the PIX is your default gateway, this is the *only* way you can do what you wish. You must add a static route on each and every PC that needs to access the 10.10.5.x subnet, pointing them to the alternate route 10.4.1.80
This is expected behavior and a "feature" of the PIX firewall. It simply will not redirect a packet back out the same interface it came in on. Let's follow a packet:
 Client sends packet destined for host 10.10.5.15
 Client knows it is not on local LAN
 Client sends packet to default gateway (PIX)
 Packet hits PIX inside interface
 PIX knows that 10.10.5.15 is available through inside interface
 PIX does nothing.
 Packet dies.

If the gateway is a router, a router will send a redirect to the PC, saying essentially:
 I can't route that packet to the destination, but if you re-send it to 10.1.4.80, your packet will arrive safe and sound.
 Client then adds a temporary route statement based on information received from the icmp redirect packet:
   route add 10.10.5.15 mask 255.255.255.255 10.1.4.80

If the PC is rebooted, that route is gone and the process would start over, but it is relatively painless and works.

The crux of the matter is that the PIX simply does not send that icmp redirect packet back to the client PC. Client PC knows it sent the packet to its gateway and never gets a reply.

The only way a PIX will "route" is through its physical interfaces. The reason it needs to have a static route to the "other" network is so that "it" knows how to get to those hosts in case they use him for Internet access. Packet comes from host 10.10.5.15, destined for www.experts-exchange.com, PIX does the nat thing, sends the packet forward through the outside interface to the next hop default route, voila, the packet returns and the pix sends the reply back to host 10.10.5.15.
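The two mechanics the experts describe above, the address/mask consistency check behind the "Inconsistent address and mask" error (jmandala) and the PIX refusing to send a packet back out the interface it arrived on (lrmoore's packet walk), modelled in Python as an added example. This is not code from the thread or from Cisco; the route table is constructed from the routes posted in the thread, and the function names and the 198.51.100.7 test destination are assumptions.

```python
import ipaddress

# Constructed route table mirroring the thread's posted routes after the
# typo fix: (interface, network, mask, next hop).
ROUTES = [
    ("outside", "0.0.0.0", "0.0.0.0", "66.60.131.5"),
    ("inside", "10.4.0.0", "255.254.0.0", "10.4.1.8"),
    ("inside", "10.10.5.0", "255.255.255.0", "10.4.1.80"),
    ("outside", "66.60.137.176", "255.255.255.240", "66.60.137.178"),
]


def mask_consistent(network: str, mask: str) -> bool:
    """True when every host bit of `network` is zero under `mask`.
    strict=True is exactly the check the PIX applies when it rejects
    'route inside 10.10.5.0 255.255.0.0 ...'."""
    try:
        ipaddress.IPv4Network(f"{network}/{mask}", strict=True)
        return True
    except ValueError:
        return False


def lookup(dst: str, routes=ROUTES):
    """Longest-prefix match; returns (interface, next_hop) or None."""
    addr = ipaddress.IPv4Address(dst)
    best = None  # (prefixlen, interface, next_hop)
    for iface, net, mask, next_hop in routes:
        network = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        if addr in network and (best is None or network.prefixlen > best[0]):
            best = (network.prefixlen, iface, next_hop)
    return None if best is None else (best[1], best[2])


def pix_forwards(ingress_iface: str, dst: str, routes=ROUTES) -> str:
    """Models lrmoore's observation: the PIX only routes between its own
    interfaces and sends no ICMP redirect, so a packet whose next hop sits
    on the ingress interface is simply dropped."""
    hit = lookup(dst, routes)
    if hit is None:
        return "no route"
    iface, next_hop = hit
    if iface == ingress_iface:
        return f"dropped: next hop {next_hop} is on ingress interface {iface}"
    return f"forwarded via {iface} to {next_hop}"
```

The hosts on 10.4.1.0 therefore need their own route to 10.4.1.80, while a reply arriving on the outside interface for 10.10.5.15 is forwarded normally.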
 
Author Comment by: eggm4n (ID: 16350968)
Hey Thanks for the lesson lrmoore!  I did correct the typo, but it still did not work.  What I think you are saying is that there is not a way for me to in my default GW route to another GW on the same interface.  If that is correct, and I have add'l interfaces on my PIX (which I do) Could it then work?  For example could I do the following:

route intf2 10.10.5.0 255.255.255.0 10.4.1.80

I really appreciate everyone's help so far.  I've learned a lot in the past two days.
Expert Comment by: lrmoore (ID: 16351063)
Well... sort of...
Remember that the PIX has different security levels between the interfaces and traffic between interfaces must have nat rules and access-list rules, so it's really difficult to turn it into a basic router between subnets, but it can be done.
If you can change the inside IP of the vpn gateway that is currently 10.1.4.80 to be something else, like 10.50.50.80:

ip address intf2 10.50.50.85 255.255.255.0
route intf2 10.10.5.0 255.255.255.0 10.50.50.80
nat (inside,intf2) 10.1.4.0 10.1.4.0 255.254.0.0
access-list intf2_to_inside permit ip 10.10.5.0 255.255.255.0 10.1.4.0 255.254.0.0
access-group intf2_to_inside in interface intf2

Now, the only glitch is that the router that used to be 10.1.4.80, is now 10.50.50.80, needs a route statement on it for the 10.1.4.0 255.255.0.0 subnet, pointing to its local pix interface - 10.50.50.85

Depending on what type of router/firewall/device 10.1.4.80 is, you may be able to use "it" as the default gateway for the lan, and point "it's" default route to the PIX...
Author Comment by: eggm4n (ID: 16351208)
OK I think I get it.

My "vpn gateway" is actually a port on a tier 3 switch that is part of a new VOIP PBX system.  If I change that port IP address to something like 10.50.50.80 instead of 10.4.1.80 (get it off of my PC V-lan, basically) I should then be able to use NAT and route traffic b/w the two VLANS.  I'll try this now.
Author Comment by: eggm4n (ID: 16351344)
One note, I'm getting an error:  Source address,mask <10.1.4.0,255.254.0.0> doesn't pair when I try to run:

access-list zultys_to_inside permit ip 10.10.5.0 255.255.255.0 10.1.4.0 255.254.0.0

When I run show access-list I get the following:
XXXXXXX(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
Author Comment by: eggm4n (ID: 16351363)
I'll change it to access-list zultys_to_inside permit ip 10.10.5.0 255.255.255.0 10.1.0.0 255.254.0.0

That should fix the pairing.
Author Comment by: eggm4n (ID: 16351427)
Sorry for the spam, I got it working.  It was not pairing so much as I transposed my IP scheme.  I needed 10.4.0.0 not 10.1.0.0 for the access-list.  OK off to try to set the port on the switch, and do some testing.  I'll follow up soon as I get that part working.
Expert Comment by: lrmoore (ID: 16351631)
Good work!
Author Comment by: eggm4n (ID: 16375371)
So after some time I went back to the drawing board.  This is what I'll attempt when I'm back onsite:

I'll reverse the routes!  Basically I'll create a port on the Layer 3 switch on my data VLan for my route to the PBX VLAN.

That port will be called 10.4.1.80.  I will then set that as my default GW for my data network, and have all traffic going to the net use my internet GW of 10.4.1.8.  Would that work?
Accepted Solution by: jmandala (earned 2000 total points; ID: 16391836)
That will work as long as 10.4.1.8 is on the PIX, and you're allowing the right port traffic through.

Don't forget that you'll need a route in the PIX to get out to other networks, and a GW for those routes to go through.  And you'll need a gateway for 10.10.5.0 traffic (which I think you already have, yes?).