eggm4n
Static Route help with my pix

I'm trying to create a new static route on my pix to a VLAN.  My current config is:

outside 0.0.0.0 0.0.0.0 66.60.131.5 1 OTHER static
inside 10.4.0.0 255.254.0.0 10.4.1.8 1 CONNECT static
outside 66.60.137.176 255.255.255.240 66.60.137.178 1 CONNECT static

I need to add a route for 10.10.5.0 255.255.0.0 10.4.1.80

But I also noticed that the line inside 10.4.0.0 255.254.0.0 10.4.1.8 1 CONNECT static should probably have mask changed to 255.255.0.0

So my questions are:

1.  How do I change the subnet mask on my existing route?  I'm missing something, and don't have any resources avail to me.
2.  Is adding the second route as simple as : route inside 10.10.5.0 255.255.0.0 10.4.1.80 ?

Thx!
rsivanandan

The routes you have up there are the default ones, see the 'CONNECT'. So if you want to add another route to the inside network, then it is as simple as adding:

route inside 10.10.5.0 255.255.0.0 10.4.1.8

Cheers,
Rajesh
eggm4n

ASKER

Any ideas what I'm doing wrong here?

PIX(config)# route inside 10.10.5.0 255.255.0.0 10.4.1.8
%Inconsistent address and maskWARNING: unable to add route to OSPF RIB
tPIX(config)#
eggm4n

ASKER

Here is what I have now:  But I'm worried about the error listed above.

 outside 0.0.0.0 0.0.0.0 66.60.131.5 1 OTHER static
 inside 10.4.0.0 255.254.0.0 10.4.1.8 1 CONNECT static
 inside 10.10.0.0 255.255.0.0 10.4.1.8 1 OTHER static
 outside 66.60.137.176 255.255.255.240 66.60.137.178 1 CONNECT static
The inconsistency comes from having an address that defines the third octet, and a subnet that leaves it open.

It probably should read:

route inside 10.10.5.0 255.255.255.0 10.4.1.8

OR

route inside 10.10.0.0 255.255.0.0 10.4.1.8

Depending on whether you're trying to route to a class C or class B subnet.
eggm4n

ASKER

Yes I agree jmandala.  Can you answer my other question?  How do I change that route?  I can't determine how to edit it.  I'm pretty new to the PIX.
You would simply prefix any line you want to remove with the word "no."

no route inside 10.10.0.0 255.255.0.0 10.4.1.8


Then you'll just recreate it.

I must say, though, that if the routes above that you posted are correct, then it looks like the PIX already changed it to a class B.  If you need it to be Class C, you'll need to remove the existing route using the "no" prefix then recreate it like so:

route inside 10.10.5.0 255.255.255.0 10.4.1.8
eggm4n

ASKER

OK good to know.  I think I have my route set up properly however, I still can't ping from a machine on my network.  

Here is my configuration right now:

local lan 10.4.1.0 255.255.252.0 gw 10.4.1.8
PIX:  10.4.1.8
VLAN: 10.10.5.0 255.255.255.0
Static route to vlan uses gw 10.4.1.80

I can ping 10.10.5.0 from my PIX, but not from my desktop machines on the lan.

I can ping it though if I set a route on the desktop itself in Windows.  So my PIX is blocking the traffic.  I'm looking here, and I think this is the cause, but not sure how to fix this.  Especially since this PIX also is my Internet FW.

outbound  10 deny 0.0.0.0 0.0.0.0 1-65535 udp
outbound  10 deny 0.0.0.0 0.0.0.0 1-65535 tcp
outbound  10 permit 0.0.0.0 0.0.0.0 1-65535 tcp
outbound  10 permit 0.0.0.0 0.0.0.0 1-65535 udp
apply (inside) 10 outgoing_src

So I need to set something specific to 10.10.5.0/255.255.255.0 right?  Any advice on what I need to do?

Thx in advance.
Let me ask you this - if you put a static route on your PC, can you even hit the internet?

Also - can you ping something on 10.4.1.0 from the PIX?

Lastly - do you have any adapters on the PIX configured to the 10.10.5.0 VLAN, or is 10.4.1.80 another router (or firewall)?
eggm4n

ASKER

Yes, I can still hit the internet with another route on my windows machine.  It's basically telling me to use GW of 10.4.1.80 instead of 10.4.1.8 for the 10.10.5.x ip space.

Yes I can ping everything from the PIX.

I do have adaptors but am not using them.  In this case 10.4.1.80 is a port on the new switch that has the VLAN set in it.
OK.  It looks like all ports are blocked for all IPs.  If you want to open ports for IPs, you will need to make them explicit.

outbound 10 permit 10.4.1.0 255.255.255.0 1-65535 tcp
outbound 10 permit 10.10.5.0 255.255.255.0 1-65535 tcp

This will allow all tcp traffic on all ports to all the defined addresses on those class C subnets.  If you need udp as well, then add similar lines ending in udp.  Not the most secure situation, necessarily, but the easiest.  You'd need lines for each allowed port otherwise.

Similarly, if you have a web server of address 10.4.1.50 and you wanted outbound traffic enabled, you'd add:

outbound 10 permit 10.4.1.50 255.255.255.255 80 tcp - if you didn't want to allow all outbound ports for all machines on those subnets.

You could enter the ICMP port to allow pinging, SMTP for email, etc.

Les Moore
Here's some information that may help your dilemma.
 >- inside 10.4.0.0 255.254.0.0 10.4.1.8 1 CONNECT static
How can you change the subnet mask on this connected route statement?
You cannot! This statement comes directly from the subnet mask assigned to the inside interface.
   ip address inside 10.4.1.8 255.254.0.0

>I need to add a route for 10.10.5.0 255.255.0.0 10.4.1.80
>inside 10.10.0.0 255.255.0.0 10.4.1.8 1 OTHER static
Shouldn't this statement read
    inside 10.10.0.0 255.255.0.0 10.4.1.80 1 OTHER static
                                                        ^^

>I can ping 10.10.5.0 from my PIX, but not from my desktop machines on the lan.
This proves that the routing from the PIX' perspective is correct and the above is a typo?

>I can ping it though is I set a route on the desktop itself in Windows.
Correct. Assuming that the PIX is your default gateway, this is the *only* way you can do what you wish. You must add a static route on each and every PC that needs to access the 10.10.5.x subnet, pointing them to the alternate route 10.4.1.80
This is expected behavior and a "feature" of the PIX firewall. It simply will not redirect a packet back out the same interface it came in on. Let's follow a packet:
 Client sends packet destined for host 10.10.5.15
 Client knows it is not on local LAN
 Client sends packet to default gateway (PIX)
 Packet hits PIX inside interface
 PIX knows that 10.10.5.15 is available through inside interface
 PIX does nothing.
 Packet dies.

If the gateway is a router, a router will send a redirect to the PC, saying essentially:
 I can't route that packet to the destination, but if you re-send it to 10.1.4.80, your packet will arrive safe and sound.
 Client then adds a temporary route statement based on information received from the icmp redirect packet:
   route add 10.10.5.15 mask 255.255.255.255 10.1.4.80

If the PC is rebooted, that route is gone and the process would start over, but it is relatively painless and works.

The crux of the matter is that the PIX simply does not send that icmp redirect packet back to the client PC. Client PC knows it sent the packet to its gateway and never gets a reply.

The only way a PIX will "route" is through its physical interfaces. The reason it needs to have a static route to the "other" network is so that "it" knows how to get to those hosts in case they use him for Internet access. Packet comes from host 10.10.5.15, destined for https://www.experts-exchange.com, PIX does the nat thing, sends the packet forward through the outside interface to the next hop default route, voila, the packet returns and the pix sends the reply back to host 10.10.5.15.
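The packet walk above can be followed in code. The Python below is an added example, not PIX code and not part of this thread; it assumes the thread's addressing (inside interface 10.4.1.8/255.254.0.0, PBX VLAN 10.10.5.0/24 reached via 10.4.1.80 on that same inside segment) and uses the documentation address 203.0.113.10 as a stand-in Internet host. It shows why the PIX drops a packet whose best route leaves through the interface it arrived on, where a router would forward it and send an ICMP redirect, and why the same static route still serves replies arriving from outside.

```python
import ipaddress

# Constructed from the thread: the two interfaces and the static routes,
# written like 'route <if> <net> <mask> <gw>'. The PBX VLAN's next hop
# 10.4.1.80 lives on the inside segment itself.
INTERFACES = {
    "inside": ipaddress.ip_interface("10.4.1.8/255.254.0.0"),
    "outside": ipaddress.ip_interface("66.60.137.178/255.255.255.240"),
}
STATIC_ROUTES = [  # (interface, network, next hop)
    ("inside", "10.10.5.0/24", "10.4.1.80"),
    ("outside", "0.0.0.0/0", "66.60.131.5"),
]


def lookup(dst: str):
    """Longest-prefix match over connected and static routes.
    Returns (egress interface, next hop); next hop is None when the
    destination is directly connected."""
    table = [(name, i.network, None) for name, i in INTERFACES.items()]
    table += [(i, ipaddress.ip_network(n), gw) for i, n, gw in STATIC_ROUTES]
    addr = ipaddress.ip_address(dst)
    best = max((r for r in table if addr in r[1]), key=lambda r: r[1].prefixlen)
    return best[0], best[2]


def forward(ingress: str, dst: str, device: str = "pix"):
    """Fate of a packet that arrived on 'ingress' bound for 'dst'.
    A router whose best route points back out the arrival interface still
    forwards the packet and sends an ICMP redirect so the client installs a
    host route to the next hop. The PIX neither hairpins nor redirects."""
    egress, next_hop = lookup(dst)
    if egress != ingress:
        return ("forward", egress, next_hop)
    if device == "router":
        return ("redirect", egress, next_hop)
    return ("drop", egress, next_hop)


if __name__ == "__main__":
    # A LAN PC sends to the PBX VLAN via its default gateway, the PIX.
    print("PC -> PIX -> 10.10.5.15:", forward("inside", "10.10.5.15"))
    # The same gateway role on a router would redirect the PC to 10.4.1.80.
    print("PC -> router -> 10.10.5.15:", forward("inside", "10.10.5.15", "router"))
    # Internet-bound traffic and replies to the VLAN both cross interfaces.
    print("PC -> PIX -> Internet:", forward("inside", "203.0.113.10"))
    print("Internet -> PIX -> 10.10.5.15:", forward("outside", "10.10.5.15"))
```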
eggm4n

ASKER

Hey, thanks for the lesson lrmoore!  I did correct the typo, but it still did not work.  What I think you are saying is that there is not a way for me, in my default GW, to route to another GW on the same interface.  If that is correct, and I have add'l interfaces on my PIX (which I do), could it then work?  For example could I do the following:

route intf2 10.10.5.0 255.255.255.0 10.4.1.80

I really appreciate everyone's help so far.  I've learned a lot in the past two days.
Well... sort of...
Remember that the PIX has different security levels between the interfaces and traffic between interfaces must have nat rules and access-list rules, so it's really difficult to turn it into a basic router between subnets, but it can be done.
If you can change the inside IP of the vpn gateway that is currently 10.1.4.80 to be something else, like 10.50.50.80:

ip address intf2 10.50.50.85 255.255.255.0
route intf2 10.10.5.0 255.255.255.0 10.50.50.80
nat (inside,intf2) 10.1.4.0 10.1.4.0 255.254.0.0
access-list intf2_to_inside permit ip 10.10.5.0 255.255.255.0 10.1.4.0 255.254.0.0
access-group intf2_to_inside in interface intf2

Now, the only glitch is that the router that used to be 10.1.4.80, is now 10.50.50.80, needs a route statement on it for the 10.1.4.0 255.255.0.0 subnet, pointing to its local pix interface - 10.50.50.85

Depending on what type of router/firewall/device 10.1.4.80 is, you may be able to use "it" as the default gateway for the lan, and point "it's" default route to the PIX...
eggm4n

ASKER

OK I think I get it.

My "vpn gateway" is actually a port on a tier 3 switch that is part of a new VOIP PBX system.  If I change that port IP address to something like 10.50.50.80 instead of 10.4.1.80 (get it off of my PC V-lan, basically) I should then be able to use NAT and route traffic b/w the two VLANS.  I'll try this now.
eggm4n

ASKER

One note, I'm getting an error:  Source address,mask <10.1.4.0,255.254.0.0> doesn't pair when I try to run:

access-list zultys_to_inside permit ip 10.10.5.0 255.255.255.0 10.1.4.0 255.254.0.0

When I run show access-list I get the following:
XXXXXXX(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
eggm4n

ASKER

I'll change it to access-list zultys_to_inside permit ip 10.10.5.0 255.255.255.0 10.1.0.0 255.254.0.0

That should fix the pairing.
eggm4n

ASKER

Sorry for the spam, I got it working.  It was not pairing so much as I transposed my IP scheme.  I needed 10.4.0.0 not 10.1.0.0 for the access-list.  OK off to try to set the port on the switch, and do some testing.  I'll follow up soon as I get that part working.
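The "%Inconsistent address and mask" error on the route command earlier in the thread and the "Source address,mask ... doesn't pair" error on the access-list are the same check: the PIX rejects a network address that has host bits set under its mask. The Python below is an added example, not part of this thread and not PIX code; it parses the thread's own route and access-list lines (only the address/mask forms used here, no 'any' or 'host' keywords) and reports which pair fails and which network the mask really selects.

```python
import ipaddress


def pairs(address: str, mask: str):
    """Return (ok, network): ok is True when 'address' has no host bits set
    under 'mask', which is what the PIX requires of a route or ACL entry.
    'network' is the address the mask actually selects, e.g. the pair
    10.10.5.0 255.255.0.0 selects 10.10.0.0."""
    iface = ipaddress.IPv4Interface(f"{address}/{mask}")  # non-strict parse
    network = str(iface.network.network_address)
    return network == address, network


def audit(command: str):
    """Check every address/mask pair in one PIX 'route' line or
    'access-list ... permit ip <src> <smask> <dst> <dmask>' line.
    Returns a list of (address, mask, network) for the pairs that do NOT
    pair; an empty list means the addressing is consistent."""
    words = command.split()
    if words[0] == "route":                     # route <if> <net> <mask> <gw>
        groups = [(words[2], words[3])]
    elif words[0] == "access-list" and "ip" in words:
        i = words.index("ip")                   # permit ip src smask dst dmask
        groups = [(words[i + 1], words[i + 2]), (words[i + 3], words[i + 4])]
    else:
        raise ValueError(f"unsupported command: {command}")
    bad = []
    for address, mask in groups:
        ok, network = pairs(address, mask)
        if not ok:
            bad.append((address, mask, network))
    return bad


# Lines taken from the thread, plus the corrected forms.
CASES = [
    "route inside 10.10.5.0 255.255.0.0 10.4.1.8",          # rejected by the PIX
    "route inside 10.10.5.0 255.255.255.0 10.4.1.8",        # /24 to the PBX VLAN
    "route inside 10.10.0.0 255.255.0.0 10.4.1.8",          # /16, what the PIX stored
    "access-list zultys_to_inside permit ip 10.10.5.0 255.255.255.0 10.1.4.0 255.254.0.0",
    "access-list zultys_to_inside permit ip 10.10.5.0 255.255.255.0 10.4.0.0 255.254.0.0",
]

if __name__ == "__main__":
    for cmd in CASES:
        bad = audit(cmd)
        verdict = "ok" if not bad else ", ".join(f"{a} {m} selects {n}" for a, m, n in bad)
        print(f"{cmd}\n    -> {verdict}")
```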
Good work!
eggm4n

ASKER

So after some time I went back to the drawing board.  This is what I'll attempt when I'm back onsite:

I'll reverse the routes!  Basically I'll create a port on the Layer 3 switch on my data VLan for my route to the PBX VLAN.

That port will be called 10.4.1.80.  I will then set that as my default GW for my data network, and have all traffic going to the net use my internet GW of 10.4.1.8.  Would that work?
ASKER CERTIFIED SOLUTION
jmandala