
Cisco Pix 501 problem routing to multiple internal subnets

Greetings!

I'm having troubles with internal routing with a Pix 501.  We currently have 3 remote locations connected via T-1 lines.  The main office is a 192.168.10.X subnet, the remote locations are 192.168.20.x, 192.168.30.x, and 192.168.40.x.  The main office has a Cisco 3600 (192.168.10.1) that routes the T-1 traffic and the remote offices have 2600s (192.168.X.1).  The main internet connection is a Watchguard X.500 (192.168.10.2) that is used company wide for internet.  We have a second internet connection that a certain department (let's call them group B) uses because of high bandwidth needs; this internet connection was previously firewalled with a basic Linksys broadband router (192.168.10.254), but we have just replaced it with a PIX 501 because the Linksys started failing.

So, current setup...
1) Normal internet users have a default gateway of 192.168.10.1
2) The main 3600 router routes internet traffic to 192.168.10.2
3) Group B uses a default gateway of 192.168.10.254, with static routes for 192.168.20.x, 30.x, and 40.x pointing to 192.168.10.1 (this worked great with the linksys)

The problem is that once I've configured the PIX, group B (all of which are on the 192.168.10.x subnet) could access the internet but could not reach any of the other subnets.  I'm not by any means an all-star when it comes to PIX, so I'll post my config with the hope that someone can tell me what I've missed.  I don't need any port forwarding or anything fancy, just internet access.
Thanks!

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX
domain-name ACME
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 1.1.1.2 255.255.255.248
ip address inside 192.168.10.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.10.13 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 1.1.1.11 1
route inside 192.168.20.0 255.255.255.0 192.168.10.1 1
route inside 192.168.30.0 255.255.255.0 192.168.10.1 1
route inside 192.168.40.0 255.255.255.0 192.168.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.10.13 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:ba678d7e7c9bf65b7e0d991a50f72055


Asked by DMJorgensen
 
Jan SpringerCommented:
Is this a close representation of the hardware layout with "-A" being group A default route 10.1 (3660 router) and "-B" being group B default route 10.254 (PIX)?

    PC-A      PC-A      PC-B      PC-B
       \        |        |        /
                 SWITCH
                /      \
             3660        PIX
            | | |         |
             T1s       Internet

If so, you are trying to hairpin (go in and then back out the same interface) traffic on the PIX.  Last time I tested, this was not supported (it's been a few years, tho).  You can work around this with a layer3 switch or if you have a spare ethernet port on the 3660 hanging the PIX off of that and all traffic flows through to the router first, downstream if it's to a remote or out if it's internet access.
 
rsivanandanCommented:
So with the Linksys you were able to do the routing between them because it supported 'ip redirects'.

But the PIX firewall doesn't do the routing for your internal networks. It is not designed to do so.

Now, how to check if I'm telling you the truth:

Go to one of the PCs belonging to Group B and add a manual route on the box as:

route add 192.168.20.0 mask 255.255.255.0 192.168.10.1

Then try accessing that subnet; you'll be able to access it.

So to solve this issue, you need to have all the machines company wide to have the default gateway as 192.168.10.1 and use ip redirect in route-map statements on Cisco 3600 so that the internet traffic is directed as desired.

Now for that there needs to be some way to identify where the traffic is coming from. Does group B have a separate subnet? If so then it is easy; you create 2 route-map entries in the Cisco 3600 router as below:

route-map <name> 10
 match ip address 1
 set ip next-hop 192.168.10.1

route-map <name> 20
 match ip address 2
 set ip next-hop 192.168.10.254

access-list 1 permit 192.168.10.0 0.0.0.255
access-list 2 permit <group B IP Range> 0.0.0.255

So essentially the route-map deflects the traffic based on where it is originated from.

Or else you could try running a routing protocol between the PIX and the Cisco 3600 router, but I've never done it myself.

Cheers,
Rajesh
 
lrmooreCommented:
Agree with Raj that the PIX cannot be the local default gateway. All internal hosts must point to 192.168.10.1 as their default gateway.
But, on the 3600 all you need is a default route that points back to the firewall
 ip route 0.0.0.0 0.0.0.0 192.168.10.2

You need to keep the route statements that are already on the PIX.

 
rsivanandanCommented:
But that wouldn't satisfy the workflow he wants, would it?

The conditions are, all the internet traffic exits through 3600 router except if it is from group B, in that case the internet should be through PIX!

Cheers,
Rajesh
 
lrmooreCommented:
I need to get more coffee....  Let me start over.
Given the current setup, Raj has the right idea, and that is to use route-maps on the 3600.
 
Jan SpringerCommented:
Then he's back to default route to 3660, PBR on 3660 for Group B internet through PIX.

This will work well if there is some sort of natural division of IP addresses between the two groups even if they're on the same network.
 
DMJorgensenAuthor Commented:
Wow, and I thought this would be an easy solution - lol.
Ok, the main internet firewall is 192.168.10.2, and the following route is in the 3600: ip route 0.0.0.0 0.0.0.0 192.168.10.2.  Everyone in the main office is using the 3600 as their DG (192.168.10.1) and all remote subnets are using their 2600s for their DG, which obviously route to the 3660...everything works fine for them.  All of group B is on the main office subnet (192.168.10.x) and they can access internet and main office resources just fine.  They cannot access resources on remote subnets, or ping any of the 2600 routers.  Like I mentioned before, this same setup worked great with the cheapo Linksys, but perhaps Rajesh is right...maybe this isn't supported on the PIX.  Adding routes to the Windows routing tables would solve the problem, but I'm sure you would all agree that it is not ideal.  As far as route-maps, I've thought of that as well but wanted to make sure that I wasn't just mis-configuring something.  Seems odd that a $40 Linksys can do what a $500 PIX can't.
 
Jan SpringerCommented:
It's hairpin traffic and it's not supported.

If your IP assignments to Group A and Group B are essentially in two different halves of the subnet, it would be best to have all default route to the 3660 with policy based routing on the 3660 for Group B that says "if traffic originates from these IPs and it's not going to those IPs, send it to the PIX".
 
lrmooreCommented:
>Seems odd that a $40 linksys can do what a $500 PIX cant.
It is a security feature and part of the design of the PIX. There is no comparison when it comes to features, functions, capabilities and security between a $40 home broadband router and a PIX FW.

2 options -
1. Enable Policy Based routing on the 3600. It's not that difficult. Use access-lists to define group B, and tell the router that traffic matching that acl goes to the PIX.
2. Set a static permanent route on all group B desktops for remote subnets and default to the PIX
 route delete 0.0.0.0
 route add -p 0.0.0.0 mask 0.0.0.0 192.168.10.254
 route add -p 192.168.20.0 mask 255.255.255.0 192.168.10.1
 route add -p 192.168.30.0 mask 255.255.255.0 192.168.10.1
 route add -p 192.168.40.0 mask 255.255.255.0 192.168.10.1
 
This can be done with login scripts, or just a quick batch file to email to group B users and have them execute.
 
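The thread's option 1 (every host keeps 192.168.10.1 as its default gateway, and policy-based routing on the 3600 sends only Group B's Internet-bound traffic to the PIX) written out as a concrete IOS configuration. This is an added example, not configuration posted by anyone in the thread. It assumes Group B has been given a contiguous block, 192.168.10.192/26 (hosts .193-.254, wildcard 0.0.0.63), through the DHCP reservations the asker mentions, and that the 3600's LAN interface is FastEthernet0/0; both are assumptions to adjust. The deny line before the permit is what implements Jan's "not going to those IPs" condition, so Group B traffic for the remote offices keeps following the routing table out the T-1s; a PIX 6.3 will not turn traffic back out the inside interface it arrived on, which is why the decision has to be made on the router.

```cisco
! Added example (not from the thread): policy-based routing on the 3600.
! ASSUMPTIONS (constructed for illustration, adjust to the real network):
!   Group B addresses  = 192.168.10.192/26  (wildcard 0.0.0.63)
!   LAN interface      = FastEthernet0/0
!
! Classify the traffic: only packets FROM Group B AND NOT destined for any
! internal 192.168.x.x subnet are steered to the PIX. The deny must come first,
! otherwise the permit below would also catch Group B's traffic to the remote
! offices and send it to a firewall that cannot hairpin it.
access-list 150 remark Group B Internet-bound traffic -> PIX
access-list 150 deny   ip 192.168.10.192 0.0.0.63 192.168.0.0 0.0.255.255
access-list 150 permit ip 192.168.10.192 0.0.0.63 any
!
! One clause is enough: packets that do not match ACL 150 fall through
! to normal destination-based routing (default route to the Watchguard).
route-map GROUPB-INET permit 10
 match ip address 150
 set ip next-hop 192.168.10.254
!
! Normal routing for everyone else, as already present on the 3600.
ip route 0.0.0.0 0.0.0.0 192.168.10.2
!
! Apply the policy to the interface the Group B hosts arrive on.
! "no ip redirects" keeps the router from sending ICMP redirects to hosts
! for next-hops on the same LAN, so the policy stays in the router instead of
! leaking into per-host route caches.
interface FastEthernet0/0
 description Main office LAN 192.168.10.0/24
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 ip policy route-map GROUPB-INET
!
! Verification (exec mode):
!   show ip policy                 - interface-to-route-map binding
!   show route-map GROUPB-INET     - per-clause packet/byte match counters
!   show access-lists 150          - which line each packet hit (deny vs permit)
```

With this in place, Group B workstations keep 192.168.10.1 as their only gateway and need no static routes; the PIX simply sees Internet-bound packets arriving on its inside interface and NATs them out, exactly as it does today. The `show route-map` counters are the quickest way to confirm the deny line is catching remote-office traffic and the permit line is catching Internet traffic; if the permit counter rises for a ping to a 2600, the ACL ordering is wrong.
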
rsivanandanCommented:
At least if you have group B in some fashion which can be fit into an access-list, then we could go ahead and do it. Like, say, 192.168.10.200 to 254; is there some pattern like that?

Otherwise static routes. I'm sorry :-(

In future you may want to separate out the group B guys with a separate network as well.

Cheers,
Rajesh
 
DMJorgensenAuthor Commented:
Policy based routing it is.  All users' workstations are DHCP but I'll add reservations for group B.  Thanks for the input guys.
 
rsivanandanCommented:
Thanks.

Cheers,
Rajesh