Solved

routing or nat

Posted on 2006-07-24
Last Modified: 2010-04-11
Hi all,

How do I make my PIX understand the traffic coming from my remote office, which is connected through an MPLS connection on a Cisco router?

We have one remote location connected to the main office. Both sides have routers configured and working properly, using the following IP subnets:

remote location IP subnet: 10.8.0.0
main office IP subnet: 192.168.1.0

The remote office works okay with the main office, but now a few of the computers need to be given access to the internet. Therefore I have to configure the remote router to route the HTTP traffic to the main office, and configure the main office router to route it towards the PIX local interface.

The problem comes when I do a traceroute: I see that the trace stops after reaching the main office router.

How do I configure the PIX to accept traffic coming from a different subnet from the one it has on its local interface?
Question by: lomaree

Accepted Solution by prashsax (LVL 13, earned 250 total points), ID: 17170198
Add the remote subnet as an inside subnet on the PIX firewall.

Set this subnet's gateway to be the router on the 192.168.1.0 IP address.


10.8.0.0                                            10.8.0.1                   192.168.1.10        10.168.1.20
Remote Router----------------------------------Main office RTR-------------------------------------PIX

Now set the default gateway for subnet 10.8.0.0 to be 192.168.1.10, which is the LAN IP of the router connecting the two sites.
 
Assisted Solution by rsivanandan (LVL 32, earned 250 total points), ID: 17170409
Do you have, or have you added, a route in the PIX pointing back to the 10.8.0.0 network?

route inside 10.8.0.0 255.255.255.0 192.168.1.10

Also, I assume that your NAT statements look like this:

global(outside) 1 interface
nat(inside)1 0.0.0.0 0.0.0.0

If you have a NAT statement like the one below:

nat(inside) 1 192.168.1.0 255.255.255.0

Then add another line:

nat(inside) 1 10.8.0.0 255.255.255.0 as well

Cheers,
Rajesh
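As an added check (not code from either answer above, and not the asker's config), this Python script parses a PIX 6.x-style config for the `route` and `nat (inside)` lines both answers describe and reports whether a given subnet, such as the remote 10.8.0.0/24, is both routed on the inside interface and covered by a NAT rule; a catch-all `nat(inside)1 0.0.0.0 0.0.0.0` counts as coverage. The sample config is constructed here for illustration.

```python
import ipaddress
import re

# Constructed sample resembling the thread's setup (not the asker's real config).
SAMPLE_CONFIG = """\
nameif ethernet1 inside security100
ip address inside 192.168.1.251 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
route inside 10.8.0.0 255.255.255.0 192.168.1.250 1
sysopt connection permit-ipsec
"""

ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
NAT_RE = re.compile(r"^nat\s*\(\s*(\S+?)\s*\)\s*(\d+)\s+(\S+)\s+(\S+)")

def parse_config(text):
    """Collect (iface, network, gateway) routes and (iface, id, network) nat rules."""
    routes, nats = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := ROUTE_RE.match(line):
            iface, net, mask, gw = m.groups()
            routes.append((iface, ipaddress.ip_network(f"{net}/{mask}", strict=False), gw))
        elif m := NAT_RE.match(line):  # tolerates the spacing "nat(inside)1 ..." used in the thread
            iface, nat_id, net, mask = m.groups()
            nats.append((iface, int(nat_id), ipaddress.ip_network(f"{net}/{mask}", strict=False)))
    return routes, nats

def check_subnet(text, subnet, iface="inside"):
    """Does `subnet` have a route on `iface` and fall under a nat rule there?
    A catch-all such as 'nat (inside) 1 0.0.0.0 0.0.0.0' matches every subnet."""
    target = ipaddress.ip_network(subnet)
    routes, nats = parse_config(text)
    routed = any(i == iface and target.subnet_of(n) for i, n, _ in routes)
    natted = any(i == iface and target.subnet_of(n) for i, _, n in nats)
    return {"route": routed, "nat": natted}

def missing_lines(text, subnet, gateway, nat_id=1, iface="inside"):
    """PIX lines still needed for `subnet`, in the form the answers use."""
    net = ipaddress.ip_network(subnet)
    status = check_subnet(text, subnet, iface)
    lines = []
    if not status["route"]:
        lines.append(f"route {iface} {net.network_address} {net.netmask} {gateway}")
    if not status["nat"]:
        lines.append(f"nat ({iface}) {nat_id} {net.network_address} {net.netmask}")
    return lines
```

Run against the sample, it reports the remote subnet as routed but not NATed and proposes the missing `nat (inside) 1 10.8.0.0 255.255.255.0` line; whether the PIX also needs an access-list is a separate question that this check does not cover.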
 
Author Comment by lomaree (LVL 1), ID: 17170543
Hi prashsax,

You said:

"Add the remote subnet as an inside subnet on the PIX firewall.

Set this subnet's gateway to be the router on the 192.168.1.0 IP address.

10.8.0.0                                            10.8.0.1                   192.168.1.10        10.168.1.20
Remote Router----------------------------------Main office RTR-------------------------------------PIX

Now set the default gateway for subnet 10.8.0.0 to be 192.168.1.10, which is the LAN IP of the router connecting the two sites."

----------------------------------------------------------------------

My scenario is like this:

10.8.0.20                             10.8.0.10                                  192.168.1.250                          192.168.1.251                      2.2.2.2
Remote Machine----------------Remote Router----------------------Main Office Router--------------PIX 515E ----------------------Destination to Reach(goal)

On the Remote Machine the gateway is 10.8.0.10 (the remote router).
On the Remote Router I have: ip route 2.2.2.2 255.255.255.255 192.168.1.250
On the Main Office Router I have: ip route 2.2.2.2 255.255.255.255 192.168.1.251

Question:

I think I am not following you correctly.

1. How do I "add the remote subnet as the inside subnet on my PIX", and also "set this subnet's gateway to be the router on the 192.168.1.0 IP address"?

A little help would be great as I am really stuck.
 
Expert Comment by prashsax (LVL 13), ID: 17170630
Here I assume that 10.8.0.20 can ping the main router on IP 192.168.1.250.
If yes, then do as follows:

First tell the PIX that 10.8.0.0 is on the inside network and that it should use 192.168.1.250 to reach it.
So:
>route inside 10.8.0.0 255.255.255.0 192.168.1.250

The above line would ensure that 10.8.0.20 can ping the PIX inside interface 192.168.1.250 (if ICMP is enabled on the inside interface of the PIX).

Now to let the machines from the 10.8.0.0 network out onto the internet.
For this, if you have defined NAT for 0.0.0.0 then no work needs to be done. If not, you need to define a NAT rule for 10.8.0.0.
But first do as above and report the progress.
 
Author Comment by lomaree (LVL 1), ID: 17170759
Hi prashsax,

It's working according to what you are saying. Now what about NAT?
 
Expert Comment by prashsax (LVL 13), ID: 17171135
For NAT on the PIX, you have to paste the NAT config of your PIX here.

Just change the public IP in the config.

If you have something like this in your config:
>nat(inside)1 0.0.0.0 0.0.0.0

Then you don't need to do anything; just create an access-list for letting 10.8.0.0 go outside.

If not, and you have defined NAT for 192.168.1.0 only, then you need to define a new NAT rule for this subnet as well.
 
Expert Comment by rsivanandan (LVL 32), ID: 17173049
Didn't I mention all of these in my first post?

Cheers,
Rajesh
 
Author Comment by lomaree (LVL 1), ID: 17173433
Hi prashsax,
You know, after configuring a route in the PIX, I just tried to connect and it was connecting. So I am not going to do anything more in terms of configuration.

But again, how come it was working?

Hi rsivanandan,
You did, but it's just that prashsax replied first and he was also making sense in his particular approach. That's all.

No offence.
 
Expert Comment by prashsax (LVL 13), ID: 17175557
It did connect because you may already have a conduit to allow traffic from the high-security interface to the lower-security interface.

I think you must have a rule for source 0.0.0.0 on inside to go outside to any destination, and that's why when you configured 10.8.0.0 as an inside network the PIX allowed the traffic to go out and applied the default NAT rule to that traffic.
 
Expert Comment by prashsax (LVL 13), ID: 17180322
Hi lomaree,

I think rsivanandan also mentioned those points in his post.

So we can share the points once this is resolved. :-)
 
Author Comment by lomaree (LVL 1), ID: 17183164
Hi all,

Sure, I'll split the points, but I have a problem. It's connecting, and there is no problem with that, but before anything else I'll tell you something.

This connection connects a VPN client called Check Point VPN-1 SecuRemote. Once it has connected, there is another application called Microsoft SNA Client, which then connects on a private IP range, say 10.10.40.20, and when it does, that's where I get the problem: I mean it does not connect.

                                                                                     10.10.40.20 (vpn)
-------------------------------------------------------------------------------------------------------------------------------------------------
-                                                                                                                                                                                   -
10.8.0.20                             10.8.0.10                                  192.168.1.250                          192.168.1.251                      2.2.2.2
Remote Machine----------------Remote Router----------------------Main Office Router--------------PIX 515E ----------------------Destination to Reach(goal)


Any ideas?
 
Expert Comment by prashsax (LVL 13), ID: 17184058
Ok, so 10.10.40.20 is the private location accessible over the VPN.

Now the VPN connects successfully, but there is no data flow.

Is that what you mean?

Does the VPN connect perfectly? Can you ping some server on the remote network?
 
Author Comment by lomaree (LVL 1), ID: 17186991
Hi prashsax,

I'll tell you what: this VPN is from Check Point and god knows how it works. One first has to create a site, stating the IP address and the RSA hard token key supplied, with username and password. Once the site is created, one can initiate the VPN connection (one more thing: during this creation of the site, the VPN client receives a certificate from the remote end).

Now I can create the site, meaning I am connecting to 2.2.2.2 with no problem, and I get the certificate too, but after that, when I try to connect, that's where the problem begins with a new chapter.

Hope this clears up the point.
 
Expert Comment by prashsax (LVL 13), ID: 17187073
Ok.

Now, I don't think you are able to connect to the VPN server. Setting the site up is not connecting the VPN.

You can try and permit the IPsec traffic on your PIX.

Use this command:
>sysopt connection permit-ipsec

This will allow the IPsec traffic to pass through the firewall.
 
Author Comment by lomaree (LVL 1), ID: 17187167
Hi prashsax,

It's there:

>sysopt connection permit-ipsec

:(
 
Expert Comment by prashsax (LVL 13), ID: 17188275
Ok, now when you connect to the VPN server, does it give any error, or does it connect and show an icon in the task bar?

Also, check whether you have any static route to 10.10.40.20 on that machine.
Use this command:
>route print

How did this machine connect to 10.10.40.20 previously, when it was not accessing the internet through the PIX?
 
Author Comment by lomaree (LVL 1), ID: 17207096
Nope, there is no static route to 10.10.40.20 on this machine.

Previously this machine was connecting using the PIX, except that this machine was in the main office location; that's all the difference is.
