Solved

PIX 515 Static Route

Posted on 2009-05-14
Last Modified: 2012-05-07
Hi Experts - Cisco amateur here....

Our current configuration...

PIX 501 (10.10.10.0 network) -->  PIX 515 (10.242.55.0 network) ---> ISP Router

The workstations on the 10.10 network can see the workstations on the 10.242 network, but not the other way around.

Question... can I add a static route to the PIX 515 so the workstations on the 10.242 network can see the workstations on the 10.10? After that, what exactly do I have to permit on the 10.10 network if I want to allow all traffic? Thanks!
Config is below.....
PIX 515
_____________________________
 
 
PIX Version 6.3(4)
interface ethernet0 10full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password .MADZuiaHAg25iU5 encrypted
passwd .MADZuiaHAg25iU5 encrypted
hostname 
domain-name 
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.24.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.246.19.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.58.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.75.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.52.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.246.18.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.246.20.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.20.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.246.21.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.56.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.31.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.59.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.72.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.37.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.68.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.57.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.51.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.63.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.39.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list 120 permit ip host 10.242.55.212 host 192.168.109.76
access-list 120 permit icmp any any
access-list 120 permit ip host 10.242.55.212 host 192.168.25.8
access-list 120 permit ip host 10.242.55.212 host 192.168.25.17
access-list 120 permit ip host 10.242.55.212 host 192.168.25.21
access-list 120 permit ip host 10.242.55.212 host 192.168.25.22
access-list 120 permit ip host 10.242.55.252 host 192.168.25.8
access-list 120 permit ip host 10.242.55.252 host 192.168.25.17
access-list 120 permit ip host 10.242.55.252 host 192.168.25.21
access-list 120 permit ip host 10.242.55.252 host 192.168.25.22
access-list 130 permit ip 10.242.55.0 255.255.255.0 10.244.68.0 255.255.255.0
access-list 146 permit ip host 10.242.55.212 host 192.168.25.8
access-list 146 permit ip host 10.242.55.212 host 192.168.25.17
access-list 146 permit ip host 10.242.55.212 host 192.168.25.21
access-list 146 permit ip host 10.242.55.212 host 192.168.25.22
access-list 146 permit ip host 10.242.55.252 host 192.168.25.8
access-list 146 permit ip host 10.242.55.252 host 192.168.25.17
access-list 146 permit ip host 10.242.55.252 host 192.168.25.21
access-list 146 permit ip host 10.242.55.252 host 192.168.25.22
access-list 150 permit ip 10.242.55.0 255.255.255.0 10.244.24.0 255.255.255.0
access-list 152 permit ip 10.242.55.0 255.255.255.0 10.246.19.0 255.255.255.0
access-list 158 permit ip 10.242.55.0 255.255.255.0 10.244.58.0 255.255.255.0
access-list 164 permit ip 10.242.55.0 255.255.255.0 10.244.75.0 255.255.255.0
access-list 168 permit ip 10.242.55.0 255.255.255.0 10.244.52.0 255.255.255.0
access-list 170 permit ip 10.242.55.0 255.255.255.0 10.244.72.0 255.255.255.0
access-list 172 permit ip 10.242.55.0 255.255.255.0 10.246.18.0 255.255.255.0
access-list 174 permit ip 10.242.55.0 255.255.255.0 10.246.20.0 255.255.255.0
access-list 178 permit ip 10.242.55.0 255.255.255.0 10.244.20.0 255.255.255.0
access-list 182 permit ip 10.242.55.0 255.255.255.0 10.246.21.0 255.255.255.0
access-list 184 permit ip 10.242.55.0 255.255.255.0 10.244.56.0 255.255.255.0
access-list 190 permit ip 10.242.55.0 255.255.255.0 10.244.31.0 255.255.255.0
access-list 194 permit ip 10.242.55.0 255.255.255.0 10.244.59.0 255.255.255.0
access-list 126 permit ip 10.242.55.0 255.255.255.0 10.244.37.0 255.255.255.0
access-list 134 permit ip 10.242.55.0 255.255.255.0 10.244.51.0 255.255.255.0
access-list 132 permit ip 10.242.55.0 255.255.255.0 10.244.57.0 255.255.255.0
access-list 138 permit ip 10.242.55.0 255.255.255.0 10.244.63.0 255.255.255.0
access-list 142 permit ip 10.242.55.0 255.255.255.0 10.244.39.0 255.255.255.0
access-list 110 permit tcp any host <<<<<<*******SNIP********>>>>>> eq https
access-list 110 permit tcp any host <<<<<<*******SNIP********>>>>>> eq ftp
access-list 110 permit tcp any host <<<<<<*******SNIP********>>>>>> eq 4555
access-list 110 permit tcp any host <<<<<<*******SNIP********>>>>>> eq ftp-data
access-list 110 permit tcp any host <<<<<<*******SNIP********>>>>>> eq https
access-list 110 permit tcp any host <<<<<<*******SNIP********>>>>>> eq www
access-list 110 permit icmp any any
access-list 110 permit tcp any host <<<<<<*******SNIP********>>>>>> eq ssh
access-list 110 permit tcp any host <<<<<<*******SNIP********>>>>>> eq 5156
access-list 110 permit tcp any host <<<<<<*******SNIP********>>>>>> eq 4556
access-list 110 permit tcp any host <<<<<<*******SNIP********>>>>>> eq 4557
access-list 110 permit tcp any host <<<<<<*******SNIP********>>>>>> eq ssh
access-list 110 permit tcp any host <<<<<<*******SNIP********>>>>>> eq 7071
access-list 110 permit tcp any host <<<<<<*******SNIP********>>>>>> eq 7072
access-list 110 permit tcp any host <<<<<<*******SNIP********>>>>>> eq 7073
access-list 148 permit ip 10.242.55.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list 131 permit ip 10.242.55.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list 123 permit ip host 10.242.55.212 host 192.168.109.76
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside <<<<<<*******SNIP********>>>>>> 255.255.255.240
ip address inside 10.242.55.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool RemotePool 20.1.0.1-20.1.0.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 120
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 10.242.55.252 <<<<<<*******SNIP********>>>>>> 255.255.255.255
static (inside,outside) tcp <<<<<<*******SNIP********>>>>>> 4555 10.242.55.253 4555 netmask 255.255.255.255 0 0
static (inside,outside) tcp <<<<<<*******SNIP********>>>>>> ftp 10.242.55.212 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp <<<<<<*******SNIP********>>>>>> ftp-data 10.242.55.212 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp <<<<<<*******SNIP********>>>>>> https 10.242.55.212 https netmask 255.255.255.255 0 0
static (inside,outside) tcp <<<<<<*******SNIP********>>>>>> ssh 10.242.55.212 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp <<<<<<*******SNIP********>>>>>> 4556 10.242.55.253 4556 netmask 255.255.255.255 0 0
static (inside,outside) tcp <<<<<<*******SNIP********>>>>>> 4557 10.242.55.253 4557 netmask 255.255.255.255 0 0
static (inside,outside) tcp <<<<<<*******SNIP********>>>>>> 5156 10.242.55.251 5156 netmask 255.255.255.255 0 0
static (inside,outside) tcp <<<<<<*******SNIP********>>>>>> https 10.242.55.252 https netmask 255.255.255.255 0 0
static (inside,outside) tcp <<<<<<*******SNIP********>>>>>> www 10.242.55.252 www netmask 255.255.255.255 0 0
static (inside,outside) tcp <<<<<<*******SNIP********>>>>>> ssh 10.242.55.247 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp <<<<<<*******SNIP********>>>>>> 7071 10.242.55.253 7071 netmask 255.255.255.255 0 0
static (inside,outside) tcp <<<<<<*******SNIP********>>>>>> 7072 10.242.55.253 7072 netmask 255.255.255.255 0 0
static (inside,outside) tcp <<<<<<*******SNIP********>>>>>> 7073 10.242.55.253 7073 netmask 255.255.255.255 0 0
access-group 110 in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 66.210.125.145 1
timeout xlate 3:00:00
timeout conn 48:00:00 half-closed 48:00:00 udp 1:30:00 rpc 1:30:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.242.55.100 \polarisPIX515_09172008
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set VPNTranSet esp-3des esp-md5-hmac
crypto ipsec transform-set BCBSRITranSet esp-3des esp-sha-hmac
crypto dynamic-map VPNMap 20 set transform-set VPNTranSet
crypto map VPNMap 23 ipsec-isakmp
 
 
 
<<<<<<*******SNIP********>>>>>>
 
 
 
crypto map VPNMap interface outside
isakmp enable outside
 
 
 
<<<<<<*******SNIP********>>>>>>
 
 
 
 
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
 
isakmp identity address
isakmp keepalive 10
isakmp client configuration address-pool local RemotePool outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 1
isakmp policy 50 lifetime 86400
vpngroup vpn3000-client address-pool RemotePool
vpngroup vpn3000-client split-tunnel 120
vpngroup vpn3000-client idle-time 1800
vpngroup vpn3000-client password ********
telnet 192.168.254.250 255.255.255.255 outside
telnet 10.242.55.0 255.255.255.0 inside
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 60
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local RemotePool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username ripcpcremote password *********
dhcpd address 10.242.55.100-10.242.55.129 inside
dhcpd dns 68.9.16.30 68.13.16.30
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:eb8e0a20834fc70aa65c5bb5e14f9806
: end
 
 
_________________________________
*************************************************
PIX 501
 
 
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password oQN2xHhf4Isjbqqc encrypted
passwd oQN2xHhf4Isjbqqc encrypted
hostname 
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 110 permit tcp any host 10.242.55.253 eq 4555
access-list 110 permit tcp any host 10.242.55.253 eq 4556
access-list 110 permit tcp any host 10.242.55.253 eq 4557
access-list 110 permit tcp any host 10.242.55.253 eq 7071
access-list 110 permit tcp any host 10.242.55.253 eq 7072
access-list 110 permit tcp any host 10.242.55.253 eq 7073
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.242.55.253 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 10.242.55.253 4555 10.10.10.200 4555 netmask 255.255.255.255 0 0
static (inside,outside) tcp 10.242.55.253 4556 10.10.10.199 4556 netmask 255.255.255.255 0 0
static (inside,outside) tcp 10.242.55.253 4557 10.10.10.198 4557 netmask 255.255.255.255 0 0
static (inside,outside) tcp 10.242.55.253 7071 10.10.10.198 7071 netmask 255.255.255.255 0 0
static (inside,outside) tcp 10.242.55.253 7072 10.10.10.198 7072 netmask 255.255.255.255 0 0
static (inside,outside) tcp 10.242.55.253 7073 10.10.10.198 7073 netmask 255.255.255.255 0 0
access-group 110 in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 10.242.55.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.10.10.54 PIX501_09172008
floodguard enable
sysopt connection permit-ipsec
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.10.10.10-10.10.10.137 inside
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
username polaris password encrypted privilege 15
terminal width 80
Cryptochecksum:b6f3299f9c49bad0731fb534df7b443f
: end

Question by: polaris101

1 Comment

Accepted Solution

by: JFrederick29
The problem is the PIX won't reroute traffic out the same interface using 6.x code.  Even with 7.x/8.x code on the 515, you'll still run into issues due to asymmetric routing.  The best you can do is put static routes on every 10.242 PC for the 10.10.10.0/24 subnet via 10.242.55.253 (501) or NAT the 10.10.10.x hosts to 10.242.55.x hosts in a 1-1 fashion.

If you want the 10.10.10.0 hosts to appear with their real addresses, add a route on the PCs:

route add 10.10.10.0 mask 255.255.255.0 10.242.55.253 -p

You'll also need to remove the PAT rule on the 501 and change it to identity NAT or NAT exemption.

static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

Or, you can do 1-1 NAT's for the 10.10.10.x PC's that need to talk to the 10.242.55.x subnet.

static (inside,outside) 10.242.55.x 10.10.10.198 netmask 255.255.255.255
static (inside,outside) 10.242.55.y 10.10.10.199 netmask 255.255.255.255

You then need to permit the traffic inbound on the 501.

access-list 110 permit ip any any  <--allows all traffic (you can restrict this if desired).
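The "real addresses" option from the accepted answer, written out end to end as an added example (PIX 6.3 syntax; this is not config from the original post or from the expert's reply). It uses NAT exemption (`nat 0 access-list`) on the 501 instead of an identity `static`, because in PIX 6.3 the exemption ACL is evaluated before the existing port-forward statics on 10.242.55.253 and so cannot collide with them. The ACL name `NONAT` is an assumption, as is the decision to scope the inbound permit to 10.242.55.0/24 rather than `any`: the 501's outside interface sits on the 515's inside subnet, and whatever the 515 forwards inward (its IPsec and PPTP clients from the 20.1.0.0/24 RemotePool, for example) would also match `any`.

```text
! ---- PIX 501 (inside 10.10.10.1/24, outside 10.242.55.253/24), PIX 6.3 ----
! Added example, not from the original post. ACL name NONAT is assumed.

! 1. NAT exemption: 10.10.10.0/24 <-> 10.242.55.0/24 crosses the 501 untranslated
!    and in both directions, so 10.242 hosts can open connections to real
!    10.10.10.x addresses. Evaluated before the static and nat/global rules,
!    so the existing port-forward statics on 10.242.55.253 are unaffected.
access-list NONAT permit ip 10.10.10.0 255.255.255.0 10.242.55.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 2. Everything else (Internet via the 515) still PATs to the outside address.
!    These two lines are already in the running config; shown for context.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

! 3. Inbound permit on the 501's outside interface. Appended to the existing
!    access-list 110 port-forward lines; the source is the 515's inside
!    subnet, not "any", so VPN/PPTP clients behind the 515 are not admitted.
access-list 110 permit ip 10.242.55.0 255.255.255.0 10.10.10.0 255.255.255.0
access-group 110 in interface outside

! ---- Each 10.242.55.x Windows workstation (elevated prompt) ----
! The 515 will not forward a packet back out the interface it arrived on
! (6.x code), so the PCs must hand 10.10.10.0/24 to the 501 directly.
! route add 10.10.10.0 mask 255.255.255.0 10.242.55.253 -p

! ---- Verification on the 501 after a test connection from a 10.242 PC ----
! show access-list 110   -> hitcnt increments on the new 10.242.55.0 line
! show xlate             -> no PAT entry for that flow (exempted, not translated)
! show conn              -> the TCP/ICMP connection appears with real 10.10.10.x
```

If the 1-to-1 option from the reply is chosen instead, the per-PC route is unnecessary: the 501 answers ARP for the mapped 10.242.55.x addresses, so they are on-link for the 10.242 workstations and the 515 is never in the path. Either way, the inbound ACL on the 501 is what decides exposure; `permit ip any any` works, but a source of 10.242.55.0/24 gives the same result for the workstations without opening 10.10.10.0/24 to every address the 515 can forward.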
