Solved

Routing Issue to another network via Cisco PIX

Posted on 2010-09-20
Last Modified: 2012-05-10
Please find my running config for the Cisco PIX and the attached picture for the network overview.

I just need to allow traffic between 192.168.2.0 and 192.168.120.0.

Please help me, and thanks a lot!
FW1(config)# sh run
: Saved
:
PIX Version 8.0(4)
!
hostname FW1
domain-name company.local
enable password DRoOs2EWSVtHzPat encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address xx2.3x.4.2 255.255.255.224
 ospf cost 10
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.2.254 255.255.255.0
 ospf cost 10
!
interface Ethernet2
 description LAN/STATE Failover Interface
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
 domain-name company.local
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.192
access-list 110 extended permit tcp any host xx2.3x.4.28 eq 3389
access-list 110 extended permit tcp any host xx2.3x.4.8 eq ftp
access-list 110 extended permit tcp any host xx2.3x.4.8 eq www
access-list 110 extended permit tcp any host xx2.3x.4.8 eq 3389
access-list 110 extended permit tcp any host xx2.3x.4.10 eq 3389
access-list 110 extended permit tcp any host xx2.3x.4.14 eq www
access-list 110 extended permit tcp any host xx2.3x.4.15 eq www
access-list 110 extended permit tcp any host xx2.3x.4.16 eq www
access-list 110 extended permit tcp any host xx2.3x.4.18 eq www
access-list 110 extended permit tcp any host xx2.3x.4.9 eq https
access-list 110 extended permit tcp any host xx2.3x.4.9 eq smtp
access-list 110 extended permit tcp any host xx2.3x.4.9 eq pop3
access-list 110 extended permit tcp any host xx2.3x.4.20 eq 8080
access-list 110 extended permit tcp any host xx2.3x.4.20 eq 8081
access-list 110 extended permit tcp any host xx2.3x.4.21 eq www
access-list 110 extended permit tcp any host xx2.3x.4.19 eq 8080
access-list 110 extended permit tcp any host xx2.3x.4.23 eq www
access-list 110 extended permit tcp any host xx2.3x.4.13 eq www
access-list inside_nat0_outbound_1 extended permit ip any 192.168.3.0 255.255.255.192
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface LANFALL Ethernet2
failover lan enable
failover key *****
failover link LANFALL Ethernet2
failover interface ip LANFALL 172.17.100.1 255.255.255.0 standby 172.17.100.7
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 xx2.3x.4.25-xx2.3x.4.26 netmask 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp xx2.3x.4.19 8080 192.168.2.69 www netmask 255.255.255.255
static (inside,outside) tcp xx2.3x.4.22 www 192.168.2.82 8080 netmask 255.255.255.255
static (inside,outside) tcp xx2.3x.4.13 www 192.168.2.83 4000 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.8 192.168.2.47 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.10 192.168.2.90 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.14 192.168.2.81 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.15 192.168.2.11 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.16 192.168.2.68 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.18 192.168.2.111 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.9 192.168.2.14 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.20 192.168.2.13 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.21 192.168.2.112 netmask 255.255.255.255
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 xx2.3x.4.1 1
route inside 192.168.120.0 255.255.255.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 65535 set security-association lifetime seconds 28800
crypto map outside_map 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map0 65535 set security-association lifetime seconds 28800
crypto map outside_map0 65535 set security-association lifetime kilobytes 4608000
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.2.0 255.255.255.255 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
Cryptochecksum:4b9b4e031fcf799faac72b844be3c7df
: end
FW1(config)#

picture1.jpg
Question by:Shakthi777
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33715430
Assuming that hosts on the 192.168.2.0/24 network use .254 as the default gateway (please confirm):

add:
same-security permit intra-interface
fixup protocol icmp

If it doesn't work, add the following before trying again, collect the output and post it here.
logging on
logging cons 4
logging mon 4
term mon
debug icmp trace

/Kvistofta
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 33715448
Hi,

192.168.2.0 and 192.168.120.0 are on the inside leg, so please view it on 'another router'.
 

Author Comment

by:Shakthi777
ID: 33715456
Assuming that hosts on the 192.168.2.0/24 network use .254 as the default gateway (please confirm): YES
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33715480
ikalmar: the ASA still needs to do hairpinning.

/Kvistofta
 

Author Comment

by:Shakthi777
ID: 33715516
ikalmar: here you go...

And I'll be available in about 2 hours from now to accept your other queries!

Thanks a lot for your great help!
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.10 (type 8, code 0)
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.10 (type 8, code 0)
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.10 (type 8, code 0)
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.10 (type 8, code 0)

 

Author Comment

by:Shakthi777
ID: 33715538
Please note it should be 192.168.120.2.

I changed it below:
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.2 (type 8, code 0)
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.2 (type 8, code 0)
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.2 (type 8, code 0)
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.2 (type 8, code 0)

 
LVL 3

Expert Comment

by:pmctrek
ID: 33716128
Hi Shakthi777,

The problem appears to be that the PIX is trying to NAT the traffic, because you have no route for it to take without NATing. Both your global and specific NAT pools do not allow for un-NATed traffic.

Try adding an additional access-group specifically for the 120.0 route.

access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.120.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 access-list inside_nat0_outbound_1
nat (inside) 2 0.0.0.0 0.0.0.0

Paul
 
LVL 79

Expert Comment

by:lrmoore
ID: 33716200
Hairpinning on the PIX is difficult, but can be done.

same-security permit intra-interface
route inside 192.168.120.0 255.255.255.0 192.168.2.1
static (inside,inside) 192.168.120.0 192.168.120.0 netmask 255.255.255.0



 

Author Comment

by:Shakthi777
ID: 33716482
Hi lrmoore, it's nice to see you in this thread.

BTW your option didn't work. Please advise, and thanks!
 
LVL 79

Accepted Solution

by:lrmoore (earned 500 total points)
ID: 33717022
Try adding another static:
static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0


 

Author Closing Comment

by:Shakthi777
ID: 33721917
Thanks lrmoore... it worked!

same-security permit intra-interface
route inside 192.168.120.0 255.255.255.0 192.168.2.1
static (inside,inside) 192.168.120.0 192.168.120.0 netmask 255.255.255.0
static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
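The %PIX-3-305006 errors earlier in the thread, and both fixes proposed for them (pmctrek's nat 0 exemption and lrmoore's pair of identity statics), come down to the order in which the PIX picks a translation for a new connection. The Python model below is an added example, not code from the thread or from Cisco: it walks one flow through that order (hairpin permission, nat 0 exemption, static, then a regular nat statement that needs a global on the egress interface) and applies it to the posted config and its variants. It assumes the documented lookup order, treats NAT exemption as bidirectional, and leaves policy NAT and the existing port-redirection statics out.

```python
import ipaddress

# Simplified model of how PIX 8.0 picks a translation for a new connection
# (added example, not from the thread). Order as Cisco documents it: hairpin
# check, (1) "nat <if> 0 access-list" exemption, (2) static, (3) "nat <if> <id>",
# which needs a "global (<egress if>) <id>". Because "nat (inside) 1 0.0.0.0 0.0.0.0"
# matches every inside source, an inside->inside flow with no global on inside fails.

def _in(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def lookup(cfg, src_if, src, dst_if, dst):
    """Name the rule that handles src_if:src -> dst_if:dst, or the failure."""
    if src_if == dst_if and not cfg.get("intra"):   # same-security-traffic permit intra-interface
        return "DROP: intra-interface traffic not permitted"
    for s_net, d_net in cfg["exempt"].get(src_if, []):   # (1) exemption, either side may initiate
        if (_in(src, s_net) and _in(dst, d_net)) or (_in(src, d_net) and _in(dst, s_net)):
            return "exempt (nat 0 access-list)"
    for real_if, mapped_if, real_net in cfg["static"]:   # (2) static (real_if,mapped_if)
        if (real_if, mapped_if) == (src_if, dst_if) and _in(src, real_net):
            return f"static ({real_if},{mapped_if}) {real_net}"
    for nat_if, nat_id, nat_net in cfg["nat"]:           # (3) first matching nat wins
        if nat_if == src_if and _in(src, nat_net):
            if (dst_if, nat_id) in cfg["global"]:
                return f"dynamic nat {nat_id} via global ({dst_if})"
            return "FAIL: %PIX-3-305006 portmap translation creation failed"
    return "untranslated (no nat statement matched)"

# Constructed from the posted "sh run": exemption to 192.168.3.0/26, one outside
# static, the catch-all nat 1, a global pool on outside only, intra-interface added.
ORIGINAL = {"intra": True,
            "exempt": {"inside": [("0.0.0.0/0", "192.168.3.0/26")]},
            "static": [("inside", "outside", "192.168.2.47/32")],
            "nat": [("inside", 1, "0.0.0.0/0")],
            "global": {("outside", 1)}}

def with_identity_statics(cfg, nets):
    """lrmoore's fix: static (inside,inside) N N netmask ... for each network."""
    return {**cfg, "static": cfg["static"] + [("inside", "inside", n) for n in nets]}

def with_nonat(cfg):
    """pmctrek's fix: nat (inside) 0 access-list NONAT between the two LANs."""
    ex = [("192.168.2.0/24", "192.168.120.0/24")] + cfg["exempt"]["inside"]
    return {**cfg, "exempt": {"inside": ex}}

if __name__ == "__main__":
    for name, cfg in {"original": ORIGINAL,
                      "two statics": with_identity_statics(ORIGINAL, ["192.168.120.0/24", "192.168.2.0/24"]),
                      "nonat": with_nonat(ORIGINAL)}.items():
        for s, d in [("192.168.2.25", "192.168.120.2"), ("192.168.120.2", "192.168.2.25")]:
            print(f"{name:12} {s} -> {d}: {lookup(cfg, 'inside', s, 'inside', d)}")
```

With only the first identity static (192.168.120.0) the model fails for 192.168.2.25 as the source, which is why the thread needed the second static for 192.168.2.0 before the ping from .25 worked.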
 

Author Comment

by:Shakthi777
ID: 33722261
Oh, it lost the connectivity from 192.168.220.0 to 192.168.2.0... please advise lrmoore!