DMJorgensen
asked on
Cisco Pix 501 problem routing to multiple internal subnets

Greetings!

I'm having troubles with internal routing with a Pix 501.  We currently have 3 remote locations connected via T-1 lines.  The main office is a 192.168.10.X subnet, the remote locations are 192.168.20.x, 192.168.30.x, and 192.168.40.x.  The main office has a Cisco 3600 (192.168.10.1) that routes the T-1 traffic and the remote offices have 2600s (192.168.X.1).  The main internet connection is a Watchguard X.500 (192.168.10.2) that is used company wide for internet.  We have a second internet connection that a certain department (let's call them group B) uses because of high bandwidth needs; this internet connection was previously firewalled with a basic linksys broadband router (192.168.10.254), but we have just replaced it with a PIX 501 because the linksys started failing.

So, current setup...
1) Normal internet users have a default gateway of 192.168.10.1
2) The main 3600 router routes internet traffic to 192.168.10.2
3) Group B uses a default gateway of 192.168.10.254, with static routes for 192.168.20.x, 30.x, and 40.x pointing to 192.168.10.1 (this worked great with the linksys)

The problem is that once I've configured the PIX, group B (all of which are on the 192.168.10.x subnet) could access the internet but could not reach any of the other subnets.  I'm not by any means an all-star when it comes to PIX, so I'll post my config with the hope that someone can tell me what I've missed.  I don't need any port forwarding or anything fancy, just internet access.
Thanks!

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX
domain-name ACME
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 1.1.1.2 255.255.255.248
ip address inside 192.168.10.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.10.13 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 1.1.1.11 1
route inside 192.168.20.0 255.255.255.0 192.168.10.1 1
route inside 192.168.30.0 255.255.255.0 192.168.10.1 1
route inside 192.168.40.0 255.255.255.0 192.168.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.10.13 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:ba678d7e7c9bf65b7e0d991a50f72055


Jan Bacher:

Is this a close representation of the hardware layout with "-A" being group A default route 10.1 (3660 router) and "-B" being group B default route 10.254 (PIX)?

   PC-A        PC-A        PC-B        PC-B
     |           |           |           |
   +-----------------------------------------+
   |                 SWITCH                  |
   +-----------------------------------------+
           |                         |
          3660                      PIX
         |  |  |                     |
           T1s                   Internet

If so, you are trying to hairpin (go in and then back out the same interface) traffic on the PIX.  Last time I tested, this was not supported (it's been a few years, though).  You can work around this with a layer 3 switch, or if you have a spare ethernet port on the 3660, by hanging the PIX off of that so all traffic flows through to the router first, downstream if it's to a remote or out if it's internet access.
ASKER CERTIFIED SOLUTION
rsivanandan
Agree with Raj that the PIX cannot be the local default gateway. All internal hosts must point to 192.168.10.1 as their default gateway.
But, on the 3600 all you need is a default route that points back to the firewall
 ip route 0.0.0.0 0.0.0.0 192.168.10.2

You need to keep the route statements that are already on the PIX.

But that wouldn't satisfy the workflow he wants, would it?

The conditions are, all the internet traffic exits through 3600 router except if it is from group B, in that case the internet should be through PIX!

Cheers,
Rajesh
I need to get more coffee....  Let me start over.
Given the current setup, Raj has the right idea and that is to use route-maps on the 3600..
Then he's back to default route to 3660, PBR on 3660 for Group B internet through PIX.

This will work well if there is some sort of natural division of IP addresses between the two groups even if they're on the same network.
DMJorgensen (ASKER):
Wow, and I thought this would be an easy solution - lol.  
Ok, the main internet firewall is 192.168.10.2, and the following route is in the 3600: ip route 0.0.0.0 0.0.0.0 192.168.10.2.  Everyone in the main office is using the 3600 as their DG (192.168.10.1) and all remote subnets are using their 2600s for their DG, which obviously route to the 3660...everything works fine for them.  All of group B is on the main office subnet (192.168.10.x) and they can access internet and main office resources just fine.  They cannot access resources on the remote subnets, or ping any of the 2600 routers.  Like I mentioned before, this same setup worked great with the cheapo linksys, but perhaps Rajesh is right...maybe this isn't supported on the PIX.  Adding routes to the Windows routing tables would solve the problem, but I'm sure you would all agree that it is not ideal.  As far as route-maps, I've thought of that as well but wanted to make sure that I wasn't just mis-configuring something.  Seems odd that a $40 linksys can do what a $500 PIX can't.
It's hairpin traffic and it's not supported.

If your IP assignments to Group A and Group B are essentially in two different halves of the subnet, it would be best to have all default route to the 3660 with policy based routing on the 3660 for Group B that says "if traffic originates from these IPs and it's not going to those IPs, send it to the PIX".
SOLUTION
At least if you have group B arranged in some fashion that can be fit into an access-list, then we could go ahead and do it. Like, say, 192.168.10.200 to 254; is there some pattern like that?

Otherwise static routes. I'm sorry :-(

In future you may want to separate out the group B guys with a separate network as well.

Cheers,
Rajesh
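The policy-based routing that Jan and Rajesh describe (default route to the 3600, PBR that sends only group B's internet-bound traffic to the PIX), as an added IOS example that is not from the thread: it assumes group B occupies 192.168.10.192/26 (a clean wildcard that approximates Rajesh's ".200 to 254" pattern) and that the 3600's LAN interface is FastEthernet0/0; both are assumptions, not facts from the thread.

```cisco
! Added example, not the thread's own config. Assumptions: group B sits in
! 192.168.10.192/26 (.192-.255) and the LAN interface is FastEthernet0/0.
!
! Match group B sources only when the destination is NOT an internal subnet,
! so main-office and remote-site traffic keeps following the routing table.
ip access-list extended GROUPB-INTERNET
 deny   ip 192.168.10.192 0.0.0.63 192.168.10.0 0.0.0.255
 deny   ip 192.168.10.192 0.0.0.63 192.168.20.0 0.0.0.255
 deny   ip 192.168.10.192 0.0.0.63 192.168.30.0 0.0.0.255
 deny   ip 192.168.10.192 0.0.0.63 192.168.40.0 0.0.0.255
 permit ip 192.168.10.192 0.0.0.63 any
!
! Matching packets are handed to the PIX (192.168.10.254); everything else,
! including group A's internet traffic, uses the normal default route to the
! Watchguard at 192.168.10.2.
route-map GROUPB-VIA-PIX permit 10
 match ip address GROUPB-INTERNET
 set ip next-hop 192.168.10.254
!
! Apply the policy where group B's packets enter the router (the LAN side).
interface FastEthernet0/0
 description Main office LAN 192.168.10.0/24
 ip address 192.168.10.1 255.255.255.0
 ip policy route-map GROUPB-VIA-PIX
 ! These packets leave through the same interface they arrived on; turning
 ! off ICMP redirects keeps the hosts using the router as their gateway
 ! rather than learning per-destination shortcuts.
 no ip redirects
!
! The default route already on the 3600 stays as the asker posted it.
ip route 0.0.0.0 0.0.0.0 192.168.10.2
```

With this in place group B's hosts point at 192.168.10.1 like everyone else, so nothing has to hairpin through the PIX and the static routes on the PIX are only needed for return traffic to remote subnets; "show route-map GROUPB-VIA-PIX" shows the match counters climbing when the policy is taking effect.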
Policy based routing it is.  All users' workstations are DHCP but I'll add reservations for group B.  Thanks for the input guys.
Thanks.

Cheers,
Rajesh