• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 568

Routing Issue to another network via Cisco PIX

Please find my running config on the Cisco PIX and the attached picture for the network overview.

I just need to allow traffic between 192.168.2.0 and 192.168.120.0.

Please help me, and thanks a lot!
FW1(config)# sh run
: Saved
:
PIX Version 8.0(4)
!
hostname FW1
domain-name company.local
enable password DRoOs2EWSVtHzPat encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address xx2.3x.4.2 255.255.255.224
 ospf cost 10
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.2.254 255.255.255.0
 ospf cost 10
!
interface Ethernet2
 description LAN/STATE Failover Interface
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
 domain-name company.local
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.192
access-list 110 extended permit tcp any host xx2.3x.4.28 eq 3389
access-list 110 extended permit tcp any host xx2.3x.4.8 eq ftp
access-list 110 extended permit tcp any host xx2.3x.4.8 eq www
access-list 110 extended permit tcp any host xx2.3x.4.8 eq 3389
access-list 110 extended permit tcp any host xx2.3x.4.10 eq 3389
access-list 110 extended permit tcp any host xx2.3x.4.14 eq www
access-list 110 extended permit tcp any host xx2.3x.4.15 eq www
access-list 110 extended permit tcp any host xx2.3x.4.16 eq www
access-list 110 extended permit tcp any host xx2.3x.4.18 eq www
access-list 110 extended permit tcp any host xx2.3x.4.9 eq https
access-list 110 extended permit tcp any host xx2.3x.4.9 eq smtp
access-list 110 extended permit tcp any host xx2.3x.4.9 eq pop3
access-list 110 extended permit tcp any host xx2.3x.4.20 eq 8080
access-list 110 extended permit tcp any host xx2.3x.4.20 eq 8081
access-list 110 extended permit tcp any host xx2.3x.4.21 eq www
access-list 110 extended permit tcp any host xx2.3x.4.19 eq 8080
access-list 110 extended permit tcp any host xx2.3x.4.23 eq www
access-list 110 extended permit tcp any host xx2.3x.4.13 eq www
access-list inside_nat0_outbound_1 extended permit ip any 192.168.3.0 255.255.255.192
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface LANFALL Ethernet2
failover lan enable
failover key *****
failover link LANFALL Ethernet2
failover interface ip LANFALL 172.17.100.1 255.255.255.0 standby 172.17.100.7
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 xx2.3x.4.25-xx2.3x.4.26 netmask 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp xx2.3x.4.19 8080 192.168.2.69 www netmask 255.255.255.255
static (inside,outside) tcp xx2.3x.4.22 www 192.168.2.82 8080 netmask 255.255.255.255
static (inside,outside) tcp xx2.3x.4.13 www 192.168.2.83 4000 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.8 192.168.2.47 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.10 192.168.2.90 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.14 192.168.2.81 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.15 192.168.2.11 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.16 192.168.2.68 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.18 192.168.2.111 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.9 192.168.2.14 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.20 192.168.2.13 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.21 192.168.2.112 netmask 255.255.255.255
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 xx2.3x.4.1 1
route inside 192.168.120.0 255.255.255.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 65535 set security-association lifetime seconds 28800
crypto map outside_map 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map0 65535 set security-association lifetime seconds 28800
crypto map outside_map0 65535 set security-association lifetime kilobytes 4608000
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.2.0 255.255.255.255 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
Cryptochecksum:4b9b4e031fcf799faac72b844be3c7df
: end
FW1(config)#

picture1.jpg
Asked by Shakthi777
1 Solution
 
Jimmy Larsson, CISSP, CEH (Network and Security consultant) commented:
Assuming that hosts on the 192.168.2.0/24 network use .254 as default gateway (please confirm):

add:
same-security permit intra-interface
fixup protocol icmp

If it doesn't work, add the following before trying again, collect the output and post it here.
logging on
logging cons 4
logging mon 4
term mon
debug icmp trace

/Kvistofta
 
Istvan Kalmar (Head of IT Security Division) commented:
Hi,

192.168.2.0 and 192.168.120.0 are on the inside leg, so please look at it on 'another router'.
 
Shakthi777 (Author) commented:
Assuming that hosts on the 192.168.2.0/24 network use .254 as default gateway (please confirm): YES

 
Jimmy Larsson, CISSP, CEH (Network and Security consultant) commented:
ikalmar: asa still needs to do hair-pinning.

/Kvistofta
 
Shakthi777 (Author) commented:
ikalmar: here you go...

I'll be available after about 2 hours from now to take your other queries!

Thanks a lot for your great help!
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.10 (type 8, code 0)
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.10 (type 8, code 0)
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.10 (type 8, code 0)
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.10 (type 8, code 0)

 
Shakthi777 (Author) commented:
Please note it should be 192.168.120.2.

I changed it below:
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.2 (type 8, code 0)
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.2 (type 8, code 0)
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.2 (type 8, code 0)
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.2 (type 8, code 0)

 
pmctrek commented:
Hi Shakthi777,

The problem appears to be that the PIX is trying to NAT the traffic, because you have no route for it to take without NAT'ing.  Both your global and specific NAT pools do not allow for un-natted traffic.

Try adding an additional access-group specifically for the 120.0 route.

access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.120.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 access-list inside_nat0_outbound_1
nat (inside) 2 0.0.0.0 0.0.0.0

Paul
 
lrmoore commented:
Hairpinning on the PIX is difficult, but can be done.

same-security permit intra-interface
route inside 192.168.120.0 255.255.255.0 192.168.2.1
static (inside,inside) 192.168.120.0 192.168.120.0 netmask 255.255.255.0
 
Shakthi777 (Author) commented:
Hi lrmoore: it's nice to see you in this thread.

BTW, your option didn't work. Please advise, and thanks!
 
lrmoore commented:
Try adding another static
static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
 
Shakthi777 (Author) commented:
Thanks lrmoore... it worked !

same-security permit intra-interface
route inside 192.168.120.0 255.255.255.0 192.168.2.1
static (inside,inside) 192.168.120.0 192.168.120.0 netmask 255.255.255.0
static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
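A small Python model, added here and not posted by anyone in the thread, of the pre-8.3 PIX NAT rule order (nat 0 exemption, then static, then dynamic nat/global) run against this thread's config: it reproduces why the original config logs %PIX-3-305006 for inside-to-inside traffic, why the 192.168.120.0 identity static alone was not enough, and why both statics (or pmctrek's NONAT exemption) let the flow through. The config dictionaries, the 203.0.113.5 test address and the simplified rule order are my assumptions; policy NAT, port statics and nat-control are omitted.

```python
import ipaddress

# Constructed, simplified model of pre-8.3 PIX/ASA NAT rule selection for
# one flow, following only the order the thread's fix depends on:
# nat 0 exemption -> static -> dynamic nat/global. Illustration only.

def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def translate(cfg, ingress, src, egress, dst):
    """Return (outcome, detail): outcome is exempt, static, dynamic or fail."""
    # 1. NAT exemption: nat (ingress) 0 access-list NAME (src/dst pairs)
    for acl in cfg["nat0"].get(ingress, []):
        if any(in_net(src, s) and in_net(dst, d) for s, d in cfg["acls"][acl]):
            return "exempt", acl
    # 2. static (ingress,egress) mapped real netmask, matched on real source
    for real_if, map_if, mapped, real in cfg["statics"]:
        if (real_if, map_if) == (ingress, egress) and in_net(src, real):
            return "static", mapped
    # 3. dynamic: nat (ingress) ID net needs a global (egress) ID pool
    for nat_if, nat_id, net in cfg["nat"]:
        if nat_if == ingress and in_net(src, net):
            pool = cfg["globals"].get((egress, nat_id))
            if pool:
                return "dynamic", pool
            # %PIX-3-305006 in the thread: nat 1 matched, no global (inside) 1
            return "fail", f"no global ({egress}) {nat_id}"
    return "fail", "no nat rule matched"

# The thread's running config, reduced to its NAT-relevant parts.
BASE = {
    "acls": {"inside_nat0_outbound_1": [("0.0.0.0/0", "192.168.3.0/26")]},
    "nat0": {"inside": ["inside_nat0_outbound_1"]},
    "nat": [("inside", 1, "0.0.0.0/0")],
    "globals": {("outside", 1): "xx2.3x.4.25-xx2.3x.4.26"},
    "statics": [],
}
IDENTITY_120 = ("inside", "inside", "192.168.120.0/24", "192.168.120.0/24")
IDENTITY_2 = ("inside", "inside", "192.168.2.0/24", "192.168.2.0/24")

def with_statics(cfg, *statics):
    # lrmoore's fix: identity statics between inside and itself
    return {**cfg, "statics": cfg["statics"] + list(statics)}

def with_nonat(cfg):
    # pmctrek's alternative: a NAT-exemption ACL for the two subnets
    acls = {**cfg["acls"], "NONAT": [("192.168.2.0/24", "192.168.120.0/24")]}
    return {**cfg, "acls": acls, "nat0": {"inside": ["NONAT"] + cfg["nat0"]["inside"]}}
```

Call translate() with ingress/egress "inside" for the hairpinned flow from 192.168.2.25 to 192.168.120.2 on each variant to see the outcome move from fail to static or exempt.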
 
Shakthi777 (Author) commented:
Oh, it's lost connectivity from 192.168.220.0 to 192.168.2.0... please advise, lrmoore!