Solved

routing or nat

Posted on 2006-07-24
442 Views
Last Modified: 2010-04-11
hi all,

how do I make my PIX understand the traffic coming from my remote location office, connected through an MPLS connection on a Cisco router?

we have 1 remote location connected to the main office; both sides have routers configured and working properly using the following IP subnets.

remote location ip subnet : 10.8.0.0
main office ip subnet : 192.168.1.0

now the remote office works okay with the main office, but now a few of the computers need to be given access to the internet. therefore, I have to configure the remote router to route the http traffic to the main office, and configure the main office router to route it towards the PIX local interface.

the problem comes when I do a traceroute: I see that the trace stops after reaching the main office router.

how do I configure the PIX to accept traffic coming from a different subnet than the one it has on its local interface???
Question by:lomaree
17 Comments
Accepted Solution by prashsax (LVL 13, earned 250 total points)

Add the remote subnet as an inside subnet on the PIX firewall.

Set this subnet's gateway to be the router on the 192.168.1.0 IP address.


10.8.0.0                                            10.8.0.1                   192.168.1.10        10.168.1.20
Remote Router----------------------------------Main office RTR-------------------------------------PIX

Now set the default gateway for subnet 10.8.0.0 to be 192.168.1.10, which is the LAN IP for the router connecting the two sites.

Assisted Solution by rsivanandan (LVL 32, earned 250 total points)

Do you have, or have you added, a route in the PIX to point back to the 10.8.0.0 network?

route inside 10.8.0.0 255.255.255.0 192.168.1.10

Also, I assume that your nat statements look like this;

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

If you have a nat statement like below;

nat (inside) 1 192.168.1.0 255.255.255.0

Then add another line as well;

nat (inside) 1 10.8.0.0 255.255.255.0

Cheers,
Rajesh

Author Comment by lomaree (LVL 1)

hi prashsax,

you said:

"Add the remote subnet as a inside subnet on pix firewall.

Set this subnets gateway to be the router on the 192.168.1.0 ip address.


10.8.0.0                                            10.8.0.1                   192.168.1.10        10.168.1.20
Remote Router----------------------------------Main office RTR-------------------------------------PIX

Now set, default gateway for subnet 10.8.0.0 to be 192.168.1.10, which is lan IP for router connecting two sites."
-----------------------------------------------------------------------------------------------------------------------------------------
my scenario is like:

10.8.0.20                             10.8.0.10                                  192.168.1.250                          192.168.1.251                      2.2.2.2
Remote Machine----------------Remote Router----------------------Main Office Router--------------PIX 515E ----------------------Destination to Reach(goal)

On the Remote Machine the gateway is 10.8.0.10 *remote router
On the Remote Router I have *ip route 2.2.2.2 255.255.255.255 192.168.1.250
On the Main Office Router I have *ip route 2.2.2.2 255.255.255.255 192.168.1.251

Question:

I think I am not following you correctly,

1. how do I "add the remote subnet as the inside subnet on my pix", and also "Set this subnets gateway to be the router on the 192.168.1.0 ip address"?

a little help would be great as I am really stuck


Expert Comment by prashsax (LVL 13)

Here I assume that 10.8.0.20 can ping the main router on IP 192.168.1.250.
If yes, then do as follows:

First tell the PIX that 10.8.0.0 is on the inside network and that to reach it, it should use 192.168.1.250.
So,
>route inside 10.8.0.0 255.255.255.0 192.168.1.250

The above line would ensure that 10.8.0.20 can ping the PIX inside interface 192.168.1.250 (if ICMP is enabled on the inside interface of the PIX).

Now to let the machines from the 10.8.0.0 network out on the internet.
For this, if you have defined NAT for 0.0.0.0 then no work is to be done. If not, you need to define a NAT rule for 10.8.0.0.
But first do the above and report the progress.


Author Comment by lomaree (LVL 1)

hi prashsax,

it is working as you said; now what about NAT?

Expert Comment by prashsax (LVL 13)

For NAT on the PIX, you have to paste the NAT config of your PIX here.

Just change the public IP in the config.

If you have something like this in your config:
>nat (inside) 1 0.0.0.0 0.0.0.0

Then you don't need to do anything; just create an access-list for letting 10.8.0.0 go outside.

If not, and you have defined NAT for 192.168.1.0 only, then you need to define a new NAT rule for this subnet as well.

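The two answers above (rsivanandan's first post and prashsax's NAT reply) make the same point: the PIX needs both a return route for 10.8.0.0 and a NAT rule that covers it. The following is an added illustration, not code from this thread or from Cisco: a small Python model of the asker's topology that traces the outbound packet from 10.8.0.20 to 2.2.2.2 and then the reply back, once with the PIX as the asker had it and once with the `route inside` and `nat (inside)` lines added. The device names, the modelled routing tables, and the `local`/`internet` pseudo-hops are constructed for the example.

```python
import ipaddress

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address


class Device:
    """One hop with a static routing table (constructed model, not PIX code).

    A next hop is the name of another hop, or one of the pseudo-hops 'local'
    (directly connected LAN, packet delivered) and 'internet' (default route).
    nat_inside records which source networks a 'nat (inside) 1 ...' rule covers.
    """

    def __init__(self, name, routes, nat_inside=()):
        self.name = name
        self.routes = [(IPNet(net), nh) for net, nh in routes]
        self.nat_inside = [IPNet(net) for net in nat_inside]

    def next_hop(self, dst):
        ip = IPAddr(dst)
        matches = [(net, nh) for net, nh in self.routes if ip in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]  # longest prefix wins

    def nat_covers(self, src):
        return any(IPAddr(src) in net for net in self.nat_inside)


def trace(devices, start, dst, max_hops=8):
    """Follow static routes from hop `start` toward `dst`; returns the hop names."""
    hops = [start]
    cur = start
    for _ in range(max_hops):
        nh = devices[cur].next_hop(dst)
        if nh is None:
            hops.append("dropped:no-route")
            break
        hops.append(nh)
        if nh in ("local", "internet"):
            break
        cur = nh
    return hops


# Constructed topology following the thread: 10.8.0.0/24 behind the remote router,
# 192.168.1.0/24 at the main office, and the two 'ip route 2.2.2.2 ...' lines the
# asker posted (remote router -> 192.168.1.250, main router -> 192.168.1.251 = PIX).
REMOTE_ROUTER = Device("remote_router", [
    ("10.8.0.0/24", "local"),
    ("2.2.2.2/32", "main_router"),
])
MAIN_ROUTER = Device("main_router", [
    ("192.168.1.0/24", "local"),
    ("10.8.0.0/24", "remote_router"),   # the MPLS side, already working per the asker
    ("2.2.2.2/32", "pix"),
])


def pix_before():
    """PIX as the asker had it: only its own LAN is known, NAT only for 192.168.1.0/24."""
    return Device("pix", [
        ("192.168.1.0/24", "local"),
        ("0.0.0.0/0", "internet"),
    ], nat_inside=["192.168.1.0/24"])


def pix_after():
    """PIX with the two lines from the answers:
    route inside 10.8.0.0 255.255.255.0 192.168.1.250
    nat (inside) 1 10.8.0.0 255.255.255.0
    """
    return Device("pix", [
        ("192.168.1.0/24", "local"),
        ("10.8.0.0/24", "main_router"),
        ("0.0.0.0/0", "internet"),
    ], nat_inside=["192.168.1.0/24", "10.8.0.0/24"])


def check_pix(pix, src="10.8.0.20", dst="2.2.2.2"):
    """Trace the outbound packet and its reply, and check PIX NAT coverage for src."""
    devices = {d.name: d for d in (REMOTE_ROUTER, MAIN_ROUTER, pix)}
    forward = trace(devices, "remote_router", dst)
    reply = trace(devices, "pix", src)   # the reply enters from the internet at the PIX
    return {
        "forward": forward,
        "reply": reply,
        "reply_ok": reply[-1] == "local",
        "nat_ok": pix.nat_covers(src),
    }


if __name__ == "__main__":
    for label, pix in (("before", pix_before()), ("after", pix_after())):
        print(label, check_pix(pix))
```

Without the inside route the outbound packet still leaves the PIX, but the reply matches only the default route and is sent back toward the outside, which is the one-way behaviour behind the asker's stalled traceroute; the NAT check is the separate condition rsivanandan raised, since a return route alone does not translate the new subnet.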
Expert Comment by rsivanandan (LVL 32)

Haven't I mentioned all of this in the first post?

Cheers,
Rajesh

Author Comment by lomaree (LVL 1)

hi prashsax,
you know, after configuring a route in the PIX, I just tried to connect and it was connecting. so I am not going to do anything more in terms of configuration.

but again, how come it was working?



hi rsivanandan,
you did, but it's just that prashsax replied first and he was also making sense in his practical approach. that's all

no offence.

Expert Comment by prashsax (LVL 13)

It did connect because you may already have a conduit to allow traffic from the high security interface to the lower security interface.

I think you must have a rule for source 0.0.0.0 on inside to go outside to any destination, and that's why, when you configured 10.8.0.0 as an inside network, the PIX allowed the traffic to go out and applied the default NAT rule to that traffic.


Expert Comment by prashsax (LVL 13)

hi lomaree,

I think rsivanandan also mentioned those points in his post.

So, we can share the points once this is resolved. :-)

Author Comment by lomaree (LVL 1)

hi all,

sure I'll split the points, but I have a problem. it's connecting, and no problem in that. but before anything, I'll tell you something.

this connection connects a VPN client called Checkpoint VPN-1 SecuRemote; once it has connected there is another application called Microsoft SNA Client, which then connects on a private IP range, say 10.10.40.20, and when it does, that's where I get the problem, I mean it does not connect

                                                                                     10.10.40.20 (vpn)
-------------------------------------------------------------------------------------------------------------------------------------------------
-                                                                                                                                                                                   -
10.8.0.20                             10.8.0.10                                  192.168.1.250                          192.168.1.251                      2.2.2.2
Remote Machine----------------Remote Router----------------------Main Office Router--------------PIX 515E ----------------------Destination to Reach(goal)


any ideas..

Expert Comment by prashsax (LVL 13)

Ok, so 10.10.40.20 is the private location accessible over the VPN.

Now the VPN connects successfully, but there is no data flow.

Is that what you mean?

Does the VPN connect perfectly? Can you ping some server on the remote network?


Author Comment by lomaree (LVL 1)

hi prashsax,

I'll tell you what, this VPN is from Checkpoint and god knows how it works. one first has to create a site, stating the IP address and the RSA hard token key supplied, with username and password. Once the site is created, then one can initiate connecting the VPN (one more thing: during this creation of the site, the VPN client receives a certificate from the remote).

Now I can create the site, meaning I am connecting to 2.2.2.2, no problem, and I get the certificate too, but after that, when I try to connect, that's where the problem begins with a new chapter.

hope this clears the point.

Expert Comment by prashsax (LVL 13)

Ok.

Now, I don't think you are able to connect to the VPN server. Setting the site up is not connecting the VPN.

You can try and permit the IPSec traffic on your PIX.

use this command:
>sysopt connection permit-ipsec

This will allow the IPSec traffic to pass through the firewall.


Author Comment by lomaree (LVL 1)

hi prashsax,

it's there

>sysopt connection permit-ipsec


:(

Expert Comment by prashsax (LVL 13)

Ok, now when you connect to the VPN server, does it give any error, or does it connect and show an icon in the task bar?

Also, check if you have any static route to 10.10.40.20 on that machine.
use this command:
>route print

How did this machine connect to 10.10.40.20 previously, when it was not accessing the internet through the PIX?

Author Comment by lomaree (LVL 1)

nope, there is no static route to 10.10.40.20 on this machine.

previously this machine was connecting using the PIX, except that this machine was in the main office location; that's all the difference is.