Solved

PIX 515 Static Route

Posted on 2009-05-14
Last Modified: 2012-05-07
Hi Experts -  Cisco amateur here....

Our current configuration...

PIX 501 (10.10.10.0 network) -->  PIX 515 (10.242.55.0 network) ---> ISP Router

The workstations on the 10.10 network can see the workstations on the 10.242 network, but not the other way around.

Question... can I add a static route to the PIX 515 so the workstations on the 10.242 network can see the workstations on the 10.10? After that, what exactly do I have to permit on the 10.10 network if I want to allow all traffic? Thanks!
Code is below.....
PIX 515

_____________________________
 
 

PIX Version 6.3(4)

interface ethernet0 10full

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password .MADZuiaHAg25iU5 encrypted

passwd .MADZuiaHAg25iU5 encrypted

hostname 

domain-name 

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.24.0 255.255.255.0

access-list 120 permit ip 10.242.55.0 255.255.255.0 10.246.19.0 255.255.255.0

access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.58.0 255.255.255.0

access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.75.0 255.255.255.0

access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.52.0 255.255.255.0

access-list 120 permit ip 10.242.55.0 255.255.255.0 10.246.18.0 255.255.255.0

access-list 120 permit ip 10.242.55.0 255.255.255.0 10.246.20.0 255.255.255.0

access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.20.0 255.255.255.0

access-list 120 permit ip 10.242.55.0 255.255.255.0 10.246.21.0 255.255.255.0

access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.56.0 255.255.255.0

access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.31.0 255.255.255.0

access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.59.0 255.255.255.0

access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.72.0 255.255.255.0

access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.37.0 255.255.255.0

access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.68.0 255.255.255.0

access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.57.0 255.255.255.0

access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.51.0 255.255.255.0

access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.63.0 255.255.255.0

access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.39.0 255.255.255.0

access-list 120 permit ip 10.242.55.0 255.255.255.0 192.168.125.0 255.255.255.0

access-list 120 permit ip 10.242.55.0 255.255.255.0 192.168.130.0 255.255.255.0

access-list 120 permit ip host 10.242.55.212 host 192.168.109.76

access-list 120 permit icmp any any

access-list 120 permit ip host 10.242.55.212 host 192.168.25.8

access-list 120 permit ip host 10.242.55.212 host 192.168.25.17

access-list 120 permit ip host 10.242.55.212 host 192.168.25.21

access-list 120 permit ip host 10.242.55.212 host 192.168.25.22

access-list 120 permit ip host 10.242.55.252 host 192.168.25.8

access-list 120 permit ip host 10.242.55.252 host 192.168.25.17

access-list 120 permit ip host 10.242.55.252 host 192.168.25.21

access-list 120 permit ip host 10.242.55.252 host 192.168.25.22

access-list 130 permit ip 10.242.55.0 255.255.255.0 10.244.68.0 255.255.255.0

access-list 146 permit ip host 10.242.55.212 host 192.168.25.8

access-list 146 permit ip host 10.242.55.212 host 192.168.25.17

access-list 146 permit ip host 10.242.55.212 host 192.168.25.21

access-list 146 permit ip host 10.242.55.212 host 192.168.25.22

access-list 146 permit ip host 10.242.55.252 host 192.168.25.8

access-list 146 permit ip host 10.242.55.252 host 192.168.25.17

access-list 146 permit ip host 10.242.55.252 host 192.168.25.21

access-list 146 permit ip host 10.242.55.252 host 192.168.25.22

access-list 150 permit ip 10.242.55.0 255.255.255.0 10.244.24.0 255.255.255.0

access-list 152 permit ip 10.242.55.0 255.255.255.0 10.246.19.0 255.255.255.0

access-list 158 permit ip 10.242.55.0 255.255.255.0 10.244.58.0 255.255.255.0

access-list 164 permit ip 10.242.55.0 255.255.255.0 10.244.75.0 255.255.255.0

access-list 168 permit ip 10.242.55.0 255.255.255.0 10.244.52.0 255.255.255.0

access-list 170 permit ip 10.242.55.0 255.255.255.0 10.244.72.0 255.255.255.0

access-list 172 permit ip 10.242.55.0 255.255.255.0 10.246.18.0 255.255.255.0

access-list 174 permit ip 10.242.55.0 255.255.255.0 10.246.20.0 255.255.255.0

access-list 178 permit ip 10.242.55.0 255.255.255.0 10.244.20.0 255.255.255.0

access-list 182 permit ip 10.242.55.0 255.255.255.0 10.246.21.0 255.255.255.0

access-list 184 permit ip 10.242.55.0 255.255.255.0 10.244.56.0 255.255.255.0

access-list 190 permit ip 10.242.55.0 255.255.255.0 10.244.31.0 255.255.255.0

access-list 194 permit ip 10.242.55.0 255.255.255.0 10.244.59.0 255.255.255.0

access-list 126 permit ip 10.242.55.0 255.255.255.0 10.244.37.0 255.255.255.0

access-list 134 permit ip 10.242.55.0 255.255.255.0 10.244.51.0 255.255.255.0

access-list 132 permit ip 10.242.55.0 255.255.255.0 10.244.57.0 255.255.255.0

access-list 138 permit ip 10.242.55.0 255.255.255.0 10.244.63.0 255.255.255.0

access-list 142 permit ip 10.242.55.0 255.255.255.0 10.244.39.0 255.255.255.0

access-list 110 permit tcp any host <<<<<<*******SNIP********>>>>>> eq https

access-list 110 permit tcp any host <<<<<<*******SNIP********>>>>>> eq ftp

access-list 110 permit tcp any host <<<<<<*******SNIP********>>>>>> eq 4555

access-list 110 permit tcp any host <<<<<<*******SNIP********>>>>>> eq ftp-data

access-list 110 permit tcp any host <<<<<<*******SNIP********>>>>>> eq https

access-list 110 permit tcp any host <<<<<<*******SNIP********>>>>>> eq www

access-list 110 permit icmp any any

access-list 110 permit tcp any host <<<<<<*******SNIP********>>>>>> eq ssh

access-list 110 permit tcp any host <<<<<<*******SNIP********>>>>>> eq 5156

access-list 110 permit tcp any host <<<<<<*******SNIP********>>>>>> eq 4556

access-list 110 permit tcp any host <<<<<<*******SNIP********>>>>>> eq 4557

access-list 110 permit tcp any host <<<<<<*******SNIP********>>>>>> eq ssh

access-list 110 permit tcp any host <<<<<<*******SNIP********>>>>>> eq 7071

access-list 110 permit tcp any host <<<<<<*******SNIP********>>>>>> eq 7072

access-list 110 permit tcp any host <<<<<<*******SNIP********>>>>>> eq 7073

access-list 148 permit ip 10.242.55.0 255.255.255.0 192.168.125.0 255.255.255.0

access-list 131 permit ip 10.242.55.0 255.255.255.0 192.168.130.0 255.255.255.0

access-list 123 permit ip host 10.242.55.212 host 192.168.109.76

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside <<<<<<*******SNIP********>>>>>> 255.255.255.240

ip address inside 10.242.55.254 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool RemotePool 20.1.0.1-20.1.0.254

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 120

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

alias (inside) 10.242.55.252 <<<<<<*******SNIP********>>>>>> 255.255.255.255

static (inside,outside) tcp <<<<<<*******SNIP********>>>>>> 4555 10.242.55.253 4555 netmask 255.255.255.255 0 0

static (inside,outside) tcp <<<<<<*******SNIP********>>>>>> ftp 10.242.55.212 ftp netmask 255.255.255.255 0 0

static (inside,outside) tcp <<<<<<*******SNIP********>>>>>> ftp-data 10.242.55.212 ftp-data netmask 255.255.255.255 0 0

static (inside,outside) tcp <<<<<<*******SNIP********>>>>>> https 10.242.55.212 https netmask 255.255.255.255 0 0

static (inside,outside) tcp <<<<<<*******SNIP********>>>>>> ssh 10.242.55.212 ssh netmask 255.255.255.255 0 0

static (inside,outside) tcp <<<<<<*******SNIP********>>>>>> 4556 10.242.55.253 4556 netmask 255.255.255.255 0 0

static (inside,outside) tcp <<<<<<*******SNIP********>>>>>> 4557 10.242.55.253 4557 netmask 255.255.255.255 0 0

static (inside,outside) tcp <<<<<<*******SNIP********>>>>>> 5156 10.242.55.251 5156 netmask 255.255.255.255 0 0

static (inside,outside) tcp <<<<<<*******SNIP********>>>>>> https 10.242.55.252 https netmask 255.255.255.255 0 0

static (inside,outside) tcp <<<<<<*******SNIP********>>>>>> www 10.242.55.252 www netmask 255.255.255.255 0 0

static (inside,outside) tcp <<<<<<*******SNIP********>>>>>> ssh 10.242.55.247 ssh netmask 255.255.255.255 0 0

static (inside,outside) tcp <<<<<<*******SNIP********>>>>>> 7071 10.242.55.253 7071 netmask 255.255.255.255 0 0

static (inside,outside) tcp <<<<<<*******SNIP********>>>>>> 7072 10.242.55.253 7072 netmask 255.255.255.255 0 0

static (inside,outside) tcp <<<<<<*******SNIP********>>>>>> 7073 10.242.55.253 7073 netmask 255.255.255.255 0 0

access-group 110 in interface outside

conduit permit icmp any any

route outside 0.0.0.0 0.0.0.0 66.210.125.145 1

timeout xlate 3:00:00

timeout conn 48:00:00 half-closed 48:00:00 udp 1:30:00 rpc 1:30:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

tftp-server inside 10.242.55.100 \polarisPIX515_09172008

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

crypto ipsec transform-set VPNTranSet esp-3des esp-md5-hmac

crypto ipsec transform-set BCBSRITranSet esp-3des esp-sha-hmac

crypto dynamic-map VPNMap 20 set transform-set VPNTranSet

crypto map VPNMap 23 ipsec-isakmp

<<<<<<*******SNIP********>>>>>>

crypto map VPNMap interface outside

isakmp enable outside

<<<<<<*******SNIP********>>>>>>

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp identity address

isakmp keepalive 10

isakmp client configuration address-pool local RemotePool outside

isakmp nat-traversal 20

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption 3des

isakmp policy 30 hash md5

isakmp policy 30 group 2

isakmp policy 30 lifetime 86400

isakmp policy 40 authentication pre-share

isakmp policy 40 encryption 3des

isakmp policy 40 hash sha

isakmp policy 40 group 2

isakmp policy 40 lifetime 86400

isakmp policy 50 authentication pre-share

isakmp policy 50 encryption 3des

isakmp policy 50 hash sha

isakmp policy 50 group 1

isakmp policy 50 lifetime 86400

vpngroup vpn3000-client address-pool RemotePool

vpngroup vpn3000-client split-tunnel 120

vpngroup vpn3000-client idle-time 1800

vpngroup vpn3000-client password ********

telnet 192.168.254.250 255.255.255.255 outside

telnet 10.242.55.0 255.255.255.0 inside

telnet 10.10.10.0 255.255.255.0 inside

telnet timeout 60

ssh timeout 60

console timeout 0

vpdn group 1 accept dialin pptp

vpdn group 1 ppp authentication pap

vpdn group 1 ppp authentication chap

vpdn group 1 ppp authentication mschap

vpdn group 1 ppp encryption mppe 40

vpdn group 1 client configuration address local RemotePool

vpdn group 1 pptp echo 60

vpdn group 1 client authentication local

vpdn username ripcpcremote password *********

dhcpd address 10.242.55.100-10.242.55.129 inside

dhcpd dns 68.9.16.30 68.13.16.30

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd enable inside

terminal width 80

Cryptochecksum:eb8e0a20834fc70aa65c5bb5e14f9806

: end

_________________________________

*************************************************

PIX 501


PIX Version 6.3(3)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password oQN2xHhf4Isjbqqc encrypted

passwd oQN2xHhf4Isjbqqc encrypted

hostname 

domain-name ciscopix.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list 110 permit tcp any host 10.242.55.253 eq 4555

access-list 110 permit tcp any host 10.242.55.253 eq 4556

access-list 110 permit tcp any host 10.242.55.253 eq 4557

access-list 110 permit tcp any host 10.242.55.253 eq 7071

access-list 110 permit tcp any host 10.242.55.253 eq 7072

access-list 110 permit tcp any host 10.242.55.253 eq 7073

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 10.242.55.253 255.255.255.0

ip address inside 10.10.10.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 10.242.55.253 4555 10.10.10.200 4555 netmask 255.255.255.255 0 0

static (inside,outside) tcp 10.242.55.253 4556 10.10.10.199 4556 netmask 255.255.255.255 0 0

static (inside,outside) tcp 10.242.55.253 4557 10.10.10.198 4557 netmask 255.255.255.255 0 0

static (inside,outside) tcp 10.242.55.253 7071 10.10.10.198 7071 netmask 255.255.255.255 0 0

static (inside,outside) tcp 10.242.55.253 7072 10.10.10.198 7072 netmask 255.255.255.255 0 0

static (inside,outside) tcp 10.242.55.253 7073 10.10.10.198 7073 netmask 255.255.255.255 0 0

access-group 110 in interface outside

conduit permit icmp any any

route outside 0.0.0.0 0.0.0.0 10.242.55.254 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

http 10.10.10.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

tftp-server inside 10.10.10.54 PIX501_09172008

floodguard enable

sysopt connection permit-ipsec

isakmp policy 10 authentication rsa-sig

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

telnet 10.10.10.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 10.10.10.10-10.10.10.137 inside

dhcpd dns

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd enable inside

username polaris password encrypted privilege 15

terminal width 80

Cryptochecksum:b6f3299f9c49bad0731fb534df7b443f

: end

Question by: polaris101

Accepted Solution by: JFrederick29 (earned 500 total points)
The problem is the PIX won't reroute traffic out the same interface using 6.x code.  Even with 7.x/8.x code on the 515, you'll still run into issues due to asymmetric routing.  The best you can do is put static routes on every 10.242 PC for the 10.10.10.0/24 subnet via 10.242.55.253 (501) or NAT the 10.10.10.x hosts to 10.242.55.x hosts in a 1-1 fashion.

If you want 10.10.10.0 to appear as their real addresses, route on the PCs:

route add 10.10.10.0 mask 255.255.255.0 10.242.55.253 -p

You'll also need to remove the PAT rule on the 501 and change it to identity NAT or NAT exemption.

static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

Or, you can do 1-1 NATs for the 10.10.10.x PCs that need to talk to the 10.242.55.x subnet.

static (inside,outside) 10.242.55.x 10.10.10.198 netmask 255.255.255.255
static (inside,outside) 10.242.55.y 10.10.10.199 netmask 255.255.255.255

You then need to permit the traffic inbound on the 501.

access-list 110 permit ip any any  <--allows all traffic (you can restrict this if desired).
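The routing side of the accepted answer, as an added example that is not part of the original thread: a small longest-prefix-match model of the two firewalls and a 10.242.55.x PC, using the addresses from the configs above, showing why the asker's proposed static route on the 515 fails (the packet would have to leave the same interface it arrived on, which the answer says PIX 6.x will not do) while the persistent host route on the PC hands the packet straight to the 501. The "no same-interface reroute" rule and the hypothetical `PIX515_WITH_ROUTE` table are assumptions taken from the answer, not vendor behaviour verified here; the NAT exemption and ACL on the 501 are not modelled.

```python
from ipaddress import ip_address, ip_network

# Routing tables as (prefix, next_hop or None if directly connected, egress interface).
# Entries mirror the 'ip address' and 'route' lines in the two configs posted above.
PIX515 = [("10.242.55.0/24", None, "inside"),
          ("0.0.0.0/0", "66.210.125.145", "outside")]
# Hypothetical: the static route the asker proposed adding to the 515 (not in the config).
PIX515_WITH_ROUTE = PIX515 + [("10.10.10.0/24", "10.242.55.253", "inside")]
PIX501 = [("10.242.55.0/24", None, "outside"),
          ("10.10.10.0/24", None, "inside"),
          ("0.0.0.0/0", "10.242.55.254", "outside")]
PC = [("10.242.55.0/24", None, "lan"),
      ("0.0.0.0/0", "10.242.55.254", "lan")]
# After 'route add 10.10.10.0 mask 255.255.255.0 10.242.55.253 -p' on the PC:
PC_WITH_ROUTE = PC + [("10.10.10.0/24", "10.242.55.253", "lan")]

def lookup(table, dst):
    """Longest-prefix match. Returns (next_hop, egress_iface)."""
    best = None
    for prefix, nh, iface in table:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nh, iface)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1], best[2]

def trace(pc_table, pix515_table, dst):
    """Follow a packet from a 10.242.55.x PC toward dst. Returns (outcome, path).
    Each firewall sees the PC's segment on the interface named in the map below;
    a PIX 6.x is modelled as dropping any packet it would have to send back out
    the interface it arrived on (the 'no reroute' rule from the accepted answer)."""
    devices = {"10.242.55.254": ("PIX515", pix515_table, "inside"),
               "10.242.55.253": ("PIX501", PIX501, "outside")}
    path = ["PC"]
    nh, _ = lookup(pc_table, dst)
    while nh is not None:
        if nh not in devices:  # handed to the ISP; a private /24 has no path back
            return f"leaves site via {nh}, no route back to {dst}", path
        name, table, in_iface = devices[nh]
        path.append(name)
        nh, out_iface = lookup(table, dst)
        if out_iface == in_iface:
            return f"dropped by {name}: same-interface reroute", path
    path.append(dst)
    return "delivered", path

if __name__ == "__main__":
    for pc, pix, label in [(PC, PIX515, "as configured"),
                           (PC, PIX515_WITH_ROUTE, "static route on 515"),
                           (PC_WITH_ROUTE, PIX515, "host route on PC")]:
        print(f"{label:20} -> {trace(pc, pix, '10.10.10.50')}")
```

Only the third scenario reaches the 10.10.10.0/24 host; the reply then travels 501 -> PC directly on the 10.242.55.0/24 segment, so the path is symmetric and never involves the 515.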