  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 319

logical interface on PIX 506e

Back to an old question.
I have a PIX 506e. I want to add a logical interface to the inside that will connect through a leased line to a joint venture.
I set up the logical interface, named it dmz1, and gave it the IP 10.157.12.5.
The inside IP is 10.157.14.5.
I want to allow the following protocols between the 2 networks: SMTP, HTTP, and telnet.
What is needed to do that aside from the interface creation?
0
Asked: Ehab Salem
Freya28Commented:
What type of leased line? Will you be running VPN over it? Is it a point-to-point line, etc.?
0
 
lrmooreCommented:
When you create the logical interface, it is dependent on VLAN tagging from the switch. Is the switch configured properly, and is the port that the router is plugged into set up as a trunk port?

To allow traffic between interfaces, logical or physical, you need static NAT and access-lists.

static (inside,dmz1) 10.157.14.0 10.157.14.0 netmask 255.255.255.0
access-list dmz_in permit tcp 10.157.12.0 255.255.255.0 host 10.157.14.xx eq smtp
access-list dmz_in permit tcp 10.157.12.0 255.255.255.0 host 10.157.14.xx eq http
access-list dmz_in permit tcp 10.157.12.0 255.255.255.0 host 10.157.14.xx eq telnet
access-list dmz_in deny ip 10.157.12.0 255.255.255.0 10.157.14.0 255.255.255.0
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz1
0
 
Cyclops3590Commented:
The router port wouldn't necessarily need to be a trunk, would it? Unless I'm misunderstanding what is being said, it could just be configured in access mode for the correct VLAN tag. However, I believe the router would then have to be configured for that VLAN as well; otherwise the traffic coming from the leased line would essentially be lost, because it wouldn't match up with the VLAN the PIX is using for that network.
0
 
Ehab SalemAuthor Commented:
lrmoore:
I did as you wrote. Now I am getting this in the PIX log:
access-list 102 denied tcp inside/10.157.14.54(8361) -> dmz1/10.157.12.1(23)
Access-list 102 is on the inside, and 10.157.14.54 is the IP allowed to telnet to the network 10.157.12.0.
0
 
Ehab SalemAuthor Commented:
I added to access-list 102 a rule to permit the required protocols from 10.157.14.0 to 10.157.12.0.
Although I still cannot connect by telnet to 10.157.12.1, the PIX log shows:
Built outbound TCP connection 300670 for dmz1:10.157.12.1/23 (10.157.12.1/23) to inside:10.157.14.54/3087 (10.157.14.54/3087)
0
 
Ehab SalemAuthor Commented:
And after a few seconds:
Teardown TCP connection 305364 for dmz1:10.157.12.1/23 to inside:10.157.14.54/3109 duration 0:02:01 bytes 0 SYN Timeout

I tried connecting my computer with IP 10.157.12.2, and it connected to the router (10.157.12.1), but could not make a connection to the PIX.
0
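The three kinds of log line quoted above (an access-list denial, a Built connection, and a Teardown with 0 bytes and SYN Timeout) each point at a different place in the path. Added here as an editor's example, not code from the thread: a small Python triage that sorts PIX 6.3 syslog lines into "dropped by the ACL", "permitted but never answered" and "completed". The sample lines are constructed in the same format; connection ids and client ports are made up.

```python
import re

# Constructed sample in the PIX 6.3 syslog format quoted above; the
# connection ids and client ports are made up.
LOG = """\
access-list 102 denied tcp inside/10.157.14.54(8361) -> dmz1/10.157.12.1(23)
Built outbound TCP connection 300670 for dmz1:10.157.12.1/23 (10.157.12.1/23) to inside:10.157.14.54/3087 (10.157.14.54/3087)
Teardown TCP connection 300670 for dmz1:10.157.12.1/23 to inside:10.157.14.54/3087 duration 0:02:01 bytes 0 SYN Timeout
Built outbound TCP connection 300671 for dmz1:10.157.12.1/23 (10.157.12.1/23) to inside:10.157.14.54/3088 (10.157.14.54/3088)
Teardown TCP connection 300671 for dmz1:10.157.12.1/23 to inside:10.157.14.54/3088 duration 0:00:09 bytes 1420 TCP FINs
"""

DENIED = re.compile(
    r"access-list (?P<acl>\S+) denied \w+ (?P<iif>\w+)/(?P<src>[\d.]+)\(\d+\)"
    r" -> (?P<oif>\w+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)")
BUILT = re.compile(
    r"Built \w+ TCP connection (?P<id>\d+) for (?P<oif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
    r" .* to (?P<iif>\w+):(?P<src>[\d.]+)/\d+")
TEARDOWN = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for .* bytes (?P<bytes>\d+) (?P<reason>.+)$")

def triage(log):
    """Return [(flow, verdict)] saying where each TCP flow stopped.

    A 'denied' line means the ACL bound to the ingress interface dropped it.
    A Built/Teardown pair with 0 bytes and 'SYN Timeout' means the ACL and NAT
    let the SYN through but nothing answered: look below the PIX (VLAN tagging,
    trunk port, far-side routing), not at the access-list.
    """
    built, findings = {}, []
    for line in log.splitlines():
        if m := DENIED.match(line):
            flow = f"{m['src']}->{m['dst']}:{m['dport']}"
            findings.append((flow, f"dropped by access-list {m['acl']} on {m['iif']}"))
        elif m := BUILT.match(line):
            built[m["id"]] = (f"{m['src']}->{m['dst']}:{m['dport']}", m["dst"])
        elif (m := TEARDOWN.match(line)) and m["id"] in built:
            flow, dst = built.pop(m["id"])
            if m["reason"] == "SYN Timeout" and m["bytes"] == "0":
                findings.append((flow, f"permitted but no reply from {dst} (SYN Timeout)"))
            else:
                findings.append((flow, f"completed ({m['reason']}, {m['bytes']} bytes)"))
    return findings
```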
 
lrmooreCommented:
Post your complete config.
0
 
Ehab SalemAuthor Commented:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan2 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz1 security50
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.157.14.55 mail_server
name 10.157.14.62 intranet_server
name 10.157.13.0 CRO
name 10.157.14.0 ALX
name 10.157.1.0 CRLCRO
name 10.157.14.50 internet_server
access-list 101 permit ip CRO 255.255.255.0 ALX 255.255.255.0
access-list 101 permit ip host 10.134.35.59 ALX 255.255.255.0
access-list 101 permit ip host 10.2.133.50 ALX 255.255.255.0
access-list 101 permit tcp CRLCRO 255.255.255.0 host intranet_server eq www
access-list 101 permit tcp any host a.b.c.d eq smtp
access-list 101 permit tcp any host a.b.c.d eq https
access-list 101 permit tcp any host a.b.c.d eq www
access-list 101 permit udp any any eq 4500
access-list 101 permit esp any any
access-list 101 permit udp any any eq 1701
access-list 101 permit ah any any
access-list 101 deny icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit ip host a.b.c.d any
access-list 101 deny ip any any log
access-list 102 deny tcp any any eq 2745
access-list 102 deny tcp any any eq 4751
access-list 102 deny tcp any any eq 6667
access-list 102 permit ip ALX 255.255.255.0 CRO 255.255.255.0
access-list 102 permit ip host intranet_server CRLCRO 255.255.255.0
access-list 102 permit ip ALX 255.255.255.0 10.157.12.0 255.255.255.0
access-list 102 permit ip ALX 255.255.255.0 host 167.136.35.64
access-list 102 permit ip ALX 255.255.255.0 host 10.134.35.59
access-list 102 permit ip host mail_server host 10.2.133.50
access-list 102 permit ip host mail_server any
access-list 102 permit ip host internet_server any
access-list 102 permit ip host 10.157.14.5 any
access-list 102 deny ip any any log
access-list inside_nat0 permit ip ALX 255.255.255.0 host 10.134.35.59
access-list inside_nat0 permit ip ALX 255.255.255.0 host 10.2.133.50
access-list inside_nat0 permit ip host intranet_server CRLCRO 255.255.255.0
access-list inside_nat0 permit ip host intranet_server ALX 255.255.255.192
access-list inside_nat0 permit ip host mail_server ALX 255.255.255.192
access-list inside_nat0 permit ip ALX 255.255.255.0 CRO 255.255.255.0
access-list inside_nat0 permit ip ALX 255.255.255.0 192.168.222.0 255.255.255.192
access-list dmz-in permit ip 10.157.12.0 255.255.255.0 host 10.157.14.54
access-list dmz_in permit tcp 10.157.12.0 255.255.255.0 host 10.157.14.54 eq smtp
access-list dmz_in permit tcp 10.157.12.0 255.255.255.0 host 10.157.14.54 eq www
access-list dmz_in permit tcp 10.157.12.0 255.255.255.0 host 10.157.14.54 eq telnet
access-list dmz_in deny ip 10.157.12.0 255.255.255.0 ALX 255.255.255.0
access-list dmz_in permit ip any any
pager lines 24
logging on
logging console debugging
logging trap debugging
logging host inside intranet_server
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside a.b.c.d 255.255.255.0
ip address inside 10.157.14.5 255.255.255.0
ip address dmz1 10.157.12.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ALX 10.157.14.30-10.157.14.40
ip local pool CRO 192.168.222.1-192.168.222.40
arp timeout 14400
global (outside) 1 a.b.c.d
global (inside) 1 10.157.14.2-10.157.14.4
nat (inside) 0 access-list inside_nat0
nat (inside) 1 ALX 255.255.255.0 0 0
static (inside,outside) a.b.c.d mail_server netmask 255.255.255.255 0 0
static (inside,dmz1) ALX ALX netmask 255.255.255.0 0 0
access-group 101 in interface outside
access-group 102 in interface inside
access-group dmz_in in interface dmz1
route outside 0.0.0.0 0.0.0.0 ALX_router 1
timeout xlate 3:00:00
timeout conn 3:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http ALX 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
....
0
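Added here as an editor's example, not code from the thread: a Python model of how the PIX evaluates the dmz1 access-lists in the configuration above, first match wins and anything unmatched is implicitly denied. The list text is a constructed copy of the dmz lines with the name ALX expanded to 10.157.14.0; note that the first of them is spelled "dmz-in" (hyphen) in the posted config, so the PIX files it under a different list than the "dmz_in" that access-group binds to the interface.

```python
import ipaddress

# Constructed copy of the dmz lines from the posted configuration, with the
# name ALX expanded to 10.157.14.0. The first line's name has a hyphen, so it
# belongs to a separate list that is never applied by "access-group dmz_in".
ACL_TEXT = """\
access-list dmz-in permit ip 10.157.12.0 255.255.255.0 host 10.157.14.54
access-list dmz_in permit tcp 10.157.12.0 255.255.255.0 host 10.157.14.54 eq smtp
access-list dmz_in permit tcp 10.157.12.0 255.255.255.0 host 10.157.14.54 eq www
access-list dmz_in permit tcp 10.157.12.0 255.255.255.0 host 10.157.14.54 eq telnet
access-list dmz_in deny ip 10.157.12.0 255.255.255.0 10.157.14.0 255.255.255.0
access-list dmz_in permit ip any any
"""

PORT_NAMES = {"smtp": 25, "www": 80, "http": 80, "telnet": 23}

def _address(tokens):
    """Consume one PIX 6.x address spec: 'any', 'host A', or 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acls(text):
    """Group 'access-list NAME ACTION PROTO SRC DST [eq PORT]' lines by NAME."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        name, action, proto = t[1], t[2], t[3]
        src, rest = _address(t[4:])
        dst, rest = _address(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        acls.setdefault(name, []).append((action, proto, src, dst, port))
    return acls

def evaluate(rules, proto, src, dst, dport=None):
    """PIX access-lists are first-match; anything unmatched is implicitly denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"
```

Telnet, SMTP and HTTP from the dmz1 subnet to 10.157.14.54 come back as permit, anything else to the inside subnet hits the deny line, and traffic to addresses outside 10.157.14.0/24 falls through to the final permit.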
 
lrmooreCommented:
Your inside ACL 102 does not permit traffic from ALX to 10.157.12.0.
Add:
 no access-list 102 deny ip any any log
 access-list 102 permit ip host 10.157.14.54 10.157.12.0 255.255.255.0
 access-list 102 deny ip any any log

Since you have the log keyword, you can look at your logs and see that this traffic was being denied.
0
 
Ehab SalemAuthor Commented:
This line:
access-list 102 permit ip ALX 255.255.255.0 10.157.12.0 255.255.255.0
allows IP from ALX (10.157.14.0) to 10.157.12.0.
0
 
lrmooreCommented:
OK, I missed that.
Do you get any hit counters on that access-list rule? Use show access-list.

>I tried connecting my computer with IP 10.157.12.2 and it connected to the router (10.157.12.1), but could not make connection to PIX.

I'm confused. How did you connect to 12.1 if you were trying to connect to 12.2? If you have a router in the DMZ that you are trying to telnet to, what is its routing set for? Does it have a route back to the PIX for ALX subnet?
 ip route 10.157.14.0 255.255.255.0 10.157.2.5  

0
 
Ehab SalemAuthor Commented:
For testing purposes I gave my computer the IP 10.157.12.2 and connected it directly to the switch where both the PIX and the router (10.157.12.1) are connected. I was able to telnet to the router, but could not make any connection to the PIX.
The router is used to connect a leased line to another branch, and yes, there is a route back on the router.
Hope that makes things clear.
0
 
lrmooreCommented:
What did you give your computer as a default gateway?
By default you cannot telnet to the PIX unless you add that host:
telnet 10.157.12.2 255.255.255.255 dmz1

You never addressed the question of whether or not the switch is properly configured with VLANs and the port connecting to the PIX is a trunk port.
0
 
Ehab SalemAuthor Commented:
I gave it 10.157.12.1.
I don't know about trunking, but the switch supports VLANs.
The PIX and the router are connected to the same switch (3Com 4950). Both interfaces of the router are working: one is physical (primary) and the second is logical (secondary), so it is only one port having 2 IPs.
0
 
Ehab SalemAuthor Commented:
Is there a difference between a router and a PIX having 2 IPs on one physical interface?
I mean, if the router's 2 IPs are working, should the PIX work as well?
0
 
lrmooreCommented:
NO.
There is a huge difference between VLAN-tagged sub-interfaces and secondary IP addresses on an interface. You cannot put a secondary IP on the PIX like you can on a router.
0
 
Ehab SalemAuthor Commented:
It looks like a switch issue then.
Do you know how to set up the 3Com 4950 switch for a trunk port?
0
 
Ehab SalemAuthor Commented:
I saw on EE a posting that uses:
interface ethernet1 vlan2 physical
interface ethernet1 vlan3 logical
...
Would that solve the problem?
0
 
lrmooreCommented:
Yes, it is a switch problem, as I said in my very first post above.
Unless you have defined vlan2 and vlan3 on the switch and vlan2 is untagged (native), that PIX configuration will not solve your problem.
What you have will work if you get the switch configured correctly.

No, I don't know anything about how to set up the 3Com switch.
0
 
Ehab SalemAuthor Commented:
My last question:
What is the difference between:
interface ethernet1 vlan2 logical (alone)
and
interface ethernet1 vlan2 physical
interface ethernet1 vlan3 logical
I downloaded software from 3Com (Network Director) to make the VLANs on the switch.
0
 
Ehab SalemAuthor Commented:
lrmoore:
Thanks a lot for your help.
I managed to make the VLANs on the switch using the mentioned software, and it worked fine.
0
 
Ehab SalemAuthor Commented:
I am facing another problem that I will post in a different question.
VPN clients are not able to connect!
0
