Solved

Routing Issue to another network via Cisco PIX

Posted on 2010-09-20
12
523 Views
Last Modified: 2012-05-10
Please find my running config on Cisco PIX and the attached picture for the network overview.

I just need allow traffic between 192.168.2.0 and 192.168.120.0.

Please help me and thank a lot !
FW1(config)# sh run
: Saved
:
PIX Version 8.0(4)
!
hostname FW1
domain-name company.local
enable password DRoOs2EWSVtHzPat encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address xx2.3x.4.2 255.255.255.224
 ospf cost 10
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.2.254 255.255.255.0
 ospf cost 10
!
interface Ethernet2
 description LAN/STATE Failover Interface
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
 domain-name company.local
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.192
access-list 110 extended permit tcp any host xx2.3x.4.28 eq 3389
access-list 110 extended permit tcp any host xx2.3x.4.8 eq ftp
access-list 110 extended permit tcp any host xx2.3x.4.8 eq www
access-list 110 extended permit tcp any host xx2.3x.4.8 eq 3389
access-list 110 extended permit tcp any host xx2.3x.4.10 eq 3389
access-list 110 extended permit tcp any host xx2.3x.4.14 eq www
access-list 110 extended permit tcp any host xx2.3x.4.15 eq www
access-list 110 extended permit tcp any host xx2.3x.4.16 eq www
access-list 110 extended permit tcp any host xx2.3x.4.18 eq www
access-list 110 extended permit tcp any host xx2.3x.4.9 eq https
access-list 110 extended permit tcp any host xx2.3x.4.9 eq smtp
access-list 110 extended permit tcp any host xx2.3x.4.9 eq pop3
access-list 110 extended permit tcp any host xx2.3x.4.20 eq 8080
access-list 110 extended permit tcp any host xx2.3x.4.20 eq 8081
access-list 110 extended permit tcp any host xx2.3x.4.21 eq www
access-list 110 extended permit tcp any host xx2.3x.4.19 eq 8080
access-list 110 extended permit tcp any host xx2.3x.4.23 eq www
access-list 110 extended permit tcp any host xx2.3x.4.13 eq www
access-list inside_nat0_outbound_1 extended permit ip any 192.168.3.0 255.255.255.192
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface LANFALL Ethernet2
failover lan enable
failover key *****
failover link LANFALL Ethernet2
failover interface ip LANFALL 172.17.100.1 255.255.255.0 standby 172.17.100.7
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 xx2.3x.4.25-xx2.3x.4.26 netmask 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp xx2.3x.4.19 8080 192.168.2.69 www netmask 255.255.255.255
static (inside,outside) tcp xx2.3x.4.22 www 192.168.2.82 8080 netmask 255.255.255.255
static (inside,outside) tcp xx2.3x.4.13 www 192.168.2.83 4000 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.8 192.168.2.47 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.10 192.168.2.90 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.14 192.168.2.81 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.15 192.168.2.11 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.16 192.168.2.68 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.18 192.168.2.111 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.9 192.168.2.14 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.20 192.168.2.13 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.21 192.168.2.112 netmask 255.255.255.255
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 xx2.3x.4.1 1
route inside 192.168.120.0 255.255.255.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 65535 set security-association lifetime seconds 28800
crypto map outside_map 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map0 65535 set security-association lifetime seconds 28800
crypto map outside_map0 65535 set security-association lifetime kilobytes 4608000
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.2.0 255.255.255.255 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
Cryptochecksum:4b9b4e031fcf799faac72b844be3c7df
: end
FW1(config)#

Open in new window

picture1.jpg
0
Comment
Question by:Shakthi777
  • 6
  • 2
  • 2
  • +2
12 Comments
 
LVL 17

Expert Comment

by:Kvistofta
Comment Utility
Assuming that hosts on the 192.168.2.0/24-network uses .254 as default gateway (please confirm):

add:
same-security permit intra-interface
fixup protocol icmp

If it doesnt work, add the following before trying again, collect the output and post it here.
logging on
logging cons 4
logging mon 4
term mon
debug icmp trace

/Kvistofta
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
Comment Utility
HI,

192.168.2.0 and 192.168.120.0. is on inside leg.. so please view it on 'another router'
0
 

Author Comment

by:Shakthi777
Comment Utility
Assuming that hosts on the 192.168.2.0/24-network uses .254 as default gateway (please confirm): YES
0
 
LVL 17

Expert Comment

by:Kvistofta
Comment Utility
ikalmar: asa still needs to do hair-pinning.

/Kvistofta
0
 

Author Comment

by:Shakthi777
Comment Utility
ikalmar: here u go...

 and I'll be available after about 2 hours from now to accept your other queries !

Thanks a lot for you great help !
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.10 (type 8, code 0)

%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.10 (type 8, code 0)

%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.10 (type 8, code 0)

%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.10 (type 8, code 0)

Open in new window

0
 

Author Comment

by:Shakthi777
Comment Utility
plz note it's should be :192.168.120.2
 

I change it below
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.2 (type 8, code 0)

%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.2 (type 8, code 0)

%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.2 (type 8, code 0)

%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.2 (type 8, code 0)

Open in new window

0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 
LVL 3

Expert Comment

by:pmctrek
Comment Utility
Hi Shakthi777,

The problem appears to be that the PIX is trying to NAT the traffic, because you have no route for it to take without NAT'ing.  Both your global and specific NAT pools do not allow for un-natted traffic.

Try adding an additional access-group specifically for the 120.0 route.

access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.120.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 access-list inside_nat0_outbound_1
nat (inside) 2 0.0.0.0 0.0.0.0

Paul
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
Hairpinning on the PIX is difficult, but can be done.

same-security permit intra-interface
route inside 192.168.120.0 255.255.255.0 192.168.2.1
static (inside,inside) 192.168.120.0 192.168.120.0 netmask 255.255.255.0



0
 

Author Comment

by:Shakthi777
Comment Utility
Hi lrmoore: it's nice to see in this thread..

BTW your option didn't worked.. plz advise and thanks !
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
Comment Utility
Try adding another static
static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0


0
 

Author Closing Comment

by:Shakthi777
Comment Utility
Thanks lrmoore... it worked !

same-security permit intra-interface
route inside 192.168.120.0 255.255.255.0 192.168.2.1
static (inside,inside) 192.168.120.0 192.168.120.0 netmask 255.255.255.0
static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
0
 

Author Comment

by:Shakthi777
Comment Utility
ohh it's lost the connectivity from 192.168.220.0 to 192.168.2.0... please advice lrmoore !
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Suggested Solutions

#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now