Solved

Routing Issue to another network via Cisco PIX

Posted on 2010-09-20
Last Modified: 2012-05-10
Please find my running config on Cisco PIX and the attached picture for the network overview.

I just need to allow traffic between 192.168.2.0 and 192.168.120.0.

Please help me, and thanks a lot!
FW1(config)# sh run
: Saved
:
PIX Version 8.0(4)
!
hostname FW1
domain-name company.local
enable password DRoOs2EWSVtHzPat encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address xx2.3x.4.2 255.255.255.224
 ospf cost 10
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.2.254 255.255.255.0
 ospf cost 10
!
interface Ethernet2
 description LAN/STATE Failover Interface
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
 domain-name company.local
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.192
access-list 110 extended permit tcp any host xx2.3x.4.28 eq 3389
access-list 110 extended permit tcp any host xx2.3x.4.8 eq ftp
access-list 110 extended permit tcp any host xx2.3x.4.8 eq www
access-list 110 extended permit tcp any host xx2.3x.4.8 eq 3389
access-list 110 extended permit tcp any host xx2.3x.4.10 eq 3389
access-list 110 extended permit tcp any host xx2.3x.4.14 eq www
access-list 110 extended permit tcp any host xx2.3x.4.15 eq www
access-list 110 extended permit tcp any host xx2.3x.4.16 eq www
access-list 110 extended permit tcp any host xx2.3x.4.18 eq www
access-list 110 extended permit tcp any host xx2.3x.4.9 eq https
access-list 110 extended permit tcp any host xx2.3x.4.9 eq smtp
access-list 110 extended permit tcp any host xx2.3x.4.9 eq pop3
access-list 110 extended permit tcp any host xx2.3x.4.20 eq 8080
access-list 110 extended permit tcp any host xx2.3x.4.20 eq 8081
access-list 110 extended permit tcp any host xx2.3x.4.21 eq www
access-list 110 extended permit tcp any host xx2.3x.4.19 eq 8080
access-list 110 extended permit tcp any host xx2.3x.4.23 eq www
access-list 110 extended permit tcp any host xx2.3x.4.13 eq www
access-list inside_nat0_outbound_1 extended permit ip any 192.168.3.0 255.255.255.192
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface LANFALL Ethernet2
failover lan enable
failover key *****
failover link LANFALL Ethernet2
failover interface ip LANFALL 172.17.100.1 255.255.255.0 standby 172.17.100.7
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 xx2.3x.4.25-xx2.3x.4.26 netmask 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp xx2.3x.4.19 8080 192.168.2.69 www netmask 255.255.255.255
static (inside,outside) tcp xx2.3x.4.22 www 192.168.2.82 8080 netmask 255.255.255.255
static (inside,outside) tcp xx2.3x.4.13 www 192.168.2.83 4000 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.8 192.168.2.47 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.10 192.168.2.90 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.14 192.168.2.81 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.15 192.168.2.11 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.16 192.168.2.68 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.18 192.168.2.111 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.9 192.168.2.14 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.20 192.168.2.13 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.21 192.168.2.112 netmask 255.255.255.255
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 xx2.3x.4.1 1
route inside 192.168.120.0 255.255.255.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 65535 set security-association lifetime seconds 28800
crypto map outside_map 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map0 65535 set security-association lifetime seconds 28800
crypto map outside_map0 65535 set security-association lifetime kilobytes 4608000
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.2.0 255.255.255.255 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
Cryptochecksum:4b9b4e031fcf799faac72b844be3c7df
: end
FW1(config)#

picture1.jpg
0
Question by:Shakthi777
12 Comments
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33715430
Assuming that hosts on the 192.168.2.0/24 network use .254 as default gateway (please confirm):

add:
same-security permit intra-interface
fixup protocol icmp

If it doesn't work, add the following before trying again, collect the output and post it here.
logging on
logging cons 4
logging mon 4
term mon
debug icmp trace

/Kvistofta
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 33715448
Hi,

192.168.2.0 and 192.168.120.0 are on the inside leg, so please view it on 'another router'.
0
 

Author Comment

by:Shakthi777
ID: 33715456
Assuming that hosts on the 192.168.2.0/24 network use .254 as default gateway (please confirm): YES
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33715480
ikalmar: asa still needs to do hair-pinning.

/Kvistofta
0
 

Author Comment

by:Shakthi777
ID: 33715516
ikalmar: here you go...

and I'll be available about 2 hours from now to accept your other queries!

Thanks a lot for your great help!
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.10 (type 8, code 0)
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.10 (type 8, code 0)
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.10 (type 8, code 0)
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.10 (type 8, code 0)

0
 

Author Comment

by:Shakthi777
ID: 33715538
Please note it should be 192.168.120.2

I changed it below:
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.2 (type 8, code 0)
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.2 (type 8, code 0)
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.2 (type 8, code 0)
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.2 (type 8, code 0)

0
 
LVL 3

Expert Comment

by:pmctrek
ID: 33716128
Hi Shakthi777,

The problem appears to be that the PIX is trying to NAT the traffic, because you have no route for it to take without NAT'ing. Both your global and specific NAT pools do not allow for un-NATted traffic.

Try adding an additional access-group specifically for the 120.0 route.

access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.120.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 access-list inside_nat0_outbound_1
nat (inside) 2 0.0.0.0 0.0.0.0

Paul
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 33716200
Hairpinning on the PIX is difficult, but can be done.

same-security permit intra-interface
route inside 192.168.120.0 255.255.255.0 192.168.2.1
static (inside,inside) 192.168.120.0 192.168.120.0 netmask 255.255.255.0



0
 

Author Comment

by:Shakthi777
ID: 33716482
Hi lrmoore: it's nice to see you in this thread.

BTW your option didn't work. Please advise, and thanks!
0
 
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
ID: 33717022
Try adding another static
static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0


0
 

Author Closing Comment

by:Shakthi777
ID: 33721917
Thanks lrmoore... it worked!

same-security permit intra-interface
route inside 192.168.120.0 255.255.255.0 192.168.2.1
static (inside,inside) 192.168.120.0 192.168.120.0 netmask 255.255.255.0
static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
0
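An added example (not code from the thread or from Cisco): a small Python check that parses the %PIX-3-305006 lines quoted above and tests whether a candidate config carries the two pieces lrmoore's fix relies on, same-security permit intra-interface plus an identity static (inside,inside) covering both ends of the flow. The config and syslog lines are constructed samples; the second syslog line is a made-up flow toward the 192.168.220.0 network from the last comment, included to show an uncovered flow.

```python
import ipaddress
import re
# Constructed sample: the fix accepted in the thread (not the full running config).
FIX_CONFIG = """
same-security permit intra-interface
route inside 192.168.120.0 255.255.255.0 192.168.2.1
static (inside,inside) 192.168.120.0 192.168.120.0 netmask 255.255.255.0
static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
"""

# Constructed syslog in the 305006 format quoted above; the second line is a made-up
# flow toward the 192.168.220.0 network mentioned in the last comment.
SYSLOG = """
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.2 (type 8, code 0)
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.220.9 (type 8, code 0)
"""

LOG_RE = re.compile(
    r"%(?:PIX|ASA)-3-305006: portmap translation creation failed for (\w+) "
    r"src (\w+):([\d.]+)(?:/\d+)? dst (\w+):([\d.]+)(?:/\d+)?")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) ([\d.]+) ([\d.]+) netmask ([\d.]+)")

def parse_305006(line):
    """Return (proto, src_if, src_ip, dst_if, dst_ip), or None for other lines."""
    m = LOG_RE.search(line)
    return m.groups() if m else None

def identity_statics(config):
    """Yield (real_if, mapped_if, network) for statics that map a network to itself."""
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m and m.group(3) == m.group(4):
            yield m.group(1), m.group(2), ipaddress.ip_network(f"{m.group(3)}/{m.group(5)}")

def hairpin_ready(config, iface, src_ip, dst_ip):
    """True if intra-interface traffic is permitted and identity statics (iface,iface) cover both IPs."""
    if not re.search(r"^same-security permit intra-interface$", config, re.M):
        return False
    nets = [n for real, mapped, n in identity_statics(config) if real == mapped == iface]
    return all(any(ipaddress.ip_address(ip) in n for n in nets) for ip in (src_ip, dst_ip))

def diagnose(config, syslog):
    """For each intra-interface 305006 failure, report whether the config now covers it."""
    verdict = {}
    for line in syslog.splitlines():
        p = parse_305006(line)
        if p and p[1] == p[3]:  # same src and dst interface: a hairpinned flow
            verdict[f"{p[2]}->{p[4]}"] = hairpin_ready(config, p[1], p[2], p[4])
    return verdict
```

Running diagnose(FIX_CONFIG, SYSLOG) reports the 192.168.120.2 flow as covered and the 192.168.220.9 flow as still lacking an identity static.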
 

Author Comment

by:Shakthi777
ID: 33722261
Oh, it's lost connectivity from 192.168.220.0 to 192.168.2.0... please advise, lrmoore!
0
