rogue028
asked on
two pix firewalls same subnet
I have a network with two PIX firewalls because we ran out of IP addresses. The first PIX (the original one) works fine. The second one connects to the internet, but when I plug it into my switch I can no longer connect to the internet. I do change my default gateway on my PC to point to the second PIX. It looks like this:
     DSL                    DSL
      |                      |
 original pix            new pix
 192.168.1.1            192.168.1.2
      |                      |
       \                    /
        \                  /
         cisco 2950 switch
           192.168.1.8
                |
                |
 PC with gateway       PC with gateway
   192.168.1.1           192.168.1.2
  (works fine)          (no internet)
I need to allow a vendor into my network to access another device hanging off my switch. Any help with what I'm missing, if this is even possible, would be appreciated.
On the new PIX, do you have internet connectivity? From the PIX CLI, can you ping outside to 4.2.2.2? Can you ping inside to 192.168.1.8?
Check the new PIX: when a machine tries to go outbound, you should see an XLATE entry for the outbound traffic using SHOW XLATE. Do you see this?
Do a SHOW LOGGING to see if any packets are dropped due to an ACL or something. Anything there?
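The two checks above (an xlate for the host, and ACL drops in the log) are tedious to eyeball once the buffer fills up. The following Python is an added example, not code from the thread: it parses the standard PIX/ASA syslog IDs that answer those two questions (106023 ACL deny, 305005 no translation group found, 305011 dynamic translation built) out of a constructed "show logging" sample and reports, per source host, why its traffic did or did not get out. The sample lines are made up for this example (they borrow the interface names from the poster's config but not his traffic); the message formats are the real ones.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of "show logging" output (not from the poster's PIX).
# The message formats are the standard PIX/ASA ones for these IDs.
SAMPLE_LOG = """\
%PIX-6-305011: Built dynamic TCP translation from inside:10.39.127.10/3344 to outside:99.115.1.239/1024
%PIX-6-302013: Built outbound TCP connection 17 for outside:4.2.2.2/80 (4.2.2.2/80) to inside:10.39.127.10/3344 (99.115.1.239/1024)
%PIX-4-106023: Deny tcp src mgt:192.168.1.54/1432 dst outside:4.2.2.2/80 by access-group "dmz_access_in" [0x0, 0x0]
%PIX-4-106023: Deny icmp src mgt:192.168.1.54 dst outside:4.2.2.2 (type 8, code 0) by access-group "dmz_access_in" [0x0, 0x0]
%PIX-3-305005: No translation group found for tcp src mgt:192.168.1.246/2201 dst outside:4.2.2.2/443
"""

MSG = re.compile(r'%(?:PIX|ASA)-\d-(\d{6}): (.*)')
EP = r'([\w-]+):([\d.]+)(?:/(\d+))?'          # ifname:ip[/port]; ICMP lines carry no port
ACL_DENY = re.compile(r'Deny (\w+) src ' + EP + r' dst ' + EP + r'.* by access-group "([^"]+)"')
NO_XLATE = re.compile(r'No translation group found for (\w+) src ' + EP + r' dst ' + EP)
XLATE_OK = re.compile(r'Built dynamic (\w+) translation from ' + EP + r' to ' + EP)


def triage(log_text):
    """Map each source host to a Counter of the outcomes the firewall logged for it."""
    report = defaultdict(Counter)
    for line in log_text.splitlines():
        m = MSG.search(line)   # search, not match: real output may carry a timestamp prefix
        if not m:
            continue
        msgid, body = m.groups()
        if msgid == '106023' and (d := ACL_DENY.search(body)):
            _proto, src_if, src_ip, _sp, _dst_if, _dst_ip, _dp, acl = d.groups()
            report[src_ip][f'acl-deny:{acl}@{src_if}'] += 1
        elif msgid == '305005' and (d := NO_XLATE.search(body)):
            _proto, src_if, src_ip, _sp, dst_if, _dst_ip, _dp = d.groups()
            report[src_ip][f'no-nat:{src_if}->{dst_if}'] += 1
        elif msgid == '305011' and (d := XLATE_OK.search(body)):
            _proto, src_if, src_ip, _sp, dst_if, _mapped_ip, _mp = d.groups()
            report[src_ip][f'xlate:{src_if}->{dst_if}'] += 1
    return report


def diagnose(report, host):
    """Most telling outcome for a host: an ACL deny beats a missing NAT, which beats a good xlate."""
    outcomes = report.get(host)
    if not outcomes:
        return 'unseen'   # the firewall never logged this host: check the PC's gateway and ARP first
    for prefix in ('acl-deny:', 'no-nat:', 'xlate:'):
        for key in outcomes:
            if key.startswith(prefix):
                return key
    return 'unknown'


if __name__ == '__main__':
    rep = triage(SAMPLE_LOG)
    for host in sorted(rep):
        print(host, diagnose(rep, host), dict(rep[host]))
```

A host that comes back as "unseen" never reached the firewall at all, which points at the PC's gateway, the switch or ARP rather than at the PIX rules; "no-nat" means the packet arrived on an interface that has no nat rule for the destination interface.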
ASKER
Both PCs are on the network. The one with the gateway of 192.168.1.2 won't connect to the internet.
What were the results of the questions above ?
ASKER
If I plug into the Ethernet port defined as inside on the new PIX (192.168.1.2) I have internet connectivity. When I plug the switch into the config, I lose PDM access. I don't have the telnet password.
ASKER
Mike, going to run commands now.
ASKER
You are correct, I'm getting blocked. Let me examine my rules.
We could try a policy-based route map to force traffic to the new PIX and see if that works.
conf t
! standard ACL: no "ip" keyword, just the host to be steered
access-list 1 permit host <ip-address-of-pc-to-go-out-new-pix>
route-map New-Pix permit 10
 match ip address 1
 set ip next-hop 192.168.1.2
interface vlan 1 (or whatever VLAN 192.168.1.x is configured on)
 ip policy route-map New-Pix
end
Give it a try now and see if the PC can get out.
Do the commands I suggested on the 2950 switch, plus clear the ARP cache.
clear arp
[confirm] Y
ASKER
There is a VPN set up on the old PIX, so I can't make any changes that would interfere with traffic going to it. I still can't access my new PIX using the PDM. Maybe I need to reload.
What does "sh arp" show on the switch?
Topdavis: The PBR command is not compatible with the 2950!
Best regards,
Istvan
ASKER
I have entries for 192.168.1.6
192.168.1.8 (the switch)
192.168.1.54
192.168.1.246
192.168.1.247
ASKER
I just realized I can ping the internet from my PIX, and I can ping the PIX from my LAN, but I cannot ping my LAN from my PIX. This is all referring to my new PIX.
ASKER
show running
: Saved
:
PIX Version 8.0(4)
hostname pixfirewallnew
names
interface Ethernet0
 nameif outside
 security-level 0
 pppoe client vpdn group attnetwork
 ip address pppoe setroute
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.39.127.2 255.255.255.0
interface Ethernet2
 nameif mgt
 security-level 0
 ip address 192.168.1.1 255.255.255.0
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip any any
access-list dmz_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu mgt 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-615.bin
asdm history enable
arp timeout 14400
global (outside) 101 99.115.xx.239 netmask 255.255.255.224
nat (inside) 101 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface mgt
route mgt 10.39.127.0 255.255.255.0 151.164.183.117 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 mgt
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group attnetwork request dialout pppoe
vpdn group attnetwork localname anbtxmp@att.net
vpdn group attnetwork ppp authentication pap
vpdn username someting@att.net password *********
dhcpd dns 68.94.156.1 68.94.157.1 interface inside
dhcpd address 192.168.1.100-192.168.1.100 mgt
dhcpd enable mgt
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context
pixfirewallnew#
Just a question: did you by any chance switch the addresses of the inside and mgt interfaces?
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.39.127.2 255.255.255.0
interface Ethernet2
 nameif mgt
 security-level 0
 ip address 192.168.1.1 255.255.255.0
Looks to me like it should be the other way around (?)
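The interface-swap observation above can be checked mechanically, together with the address overlap that follows from the diagram (the original PIX already holds 192.168.1.1). The following Python is an added example, not code from the thread or from Cisco: it parses the relevant part of the running config posted above (PPPoE credentials and timers left out) and flags an interface address already used by a device in the diagram, a private LAN subnet sitting on a security-level 0 interface, an interface with no nat rule (only inside has one; on 8.0 nat-control is off by default, so such traffic leaves untranslated rather than being dropped), and a permit ip any any ACL applied inbound on outside. The neighbour table is taken from the diagram in the question.

```python
import ipaddress
import re

# Relevant lines of the running config posted in the thread (credentials and
# timers omitted, nothing added).
NEW_PIX_CFG = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address pppoe setroute
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.39.127.2 255.255.255.0
interface Ethernet2
 nameif mgt
 security-level 0
 ip address 192.168.1.1 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list dmz_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
global (outside) 101 99.115.xx.239 netmask 255.255.255.224
nat (inside) 101 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface mgt
http 192.168.1.0 255.255.255.0 mgt
"""

# Other devices on the 192.168.1.0/24 wire, taken from the diagram in the question.
LAN_NEIGHBOURS = {"192.168.1.1": "original pix", "192.168.1.8": "cisco 2950 switch"}


def parse_interfaces(cfg):
    """Return {nameif: {'port', 'security', 'ip', 'mask'}} from the interface stanzas."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = {"port": line.split()[1], "security": None, "ip": None, "mask": None}
        elif cur is not None and line.startswith(" "):
            parts = line.split()
            if parts[0] == "nameif":
                ifaces[parts[1]] = cur
            elif parts[0] == "security-level":
                cur["security"] = int(parts[1])
            elif parts[:2] == ["ip", "address"] and len(parts) >= 4 and parts[2] != "pppoe":
                cur["ip"], cur["mask"] = parts[2], parts[3]
        else:
            cur = None          # back at top level: the stanza is over
    return ifaces


def nat_sources(cfg):
    """Interfaces with a 'nat (ifname) ...' rule, i.e. whose hosts get translated outbound."""
    return set(re.findall(r"^nat \((\S+)\)", cfg, re.M))


def applied_acls(cfg):
    """{interface: acl_name} from every 'access-group ... in interface ...' line."""
    return {i: a for a, i in re.findall(r"^access-group (\S+) in interface (\S+)", cfg, re.M)}


def acl_is_permit_any(cfg, name):
    rules = re.findall(rf"^access-list {re.escape(name)} extended (\S+) (\S+) (\S+) (\S+)", cfg, re.M)
    return any(r == ("permit", "ip", "any", "any") for r in rules)


def lint(cfg, neighbours):
    findings = []
    nat_ifs, acls = nat_sources(cfg), applied_acls(cfg)
    for name, i in parse_interfaces(cfg).items():
        if i["ip"] is None:     # PPPoE/DHCP interface, nothing static to compare
            continue
        net = ipaddress.ip_network(f"{i['ip']}/{i['mask']}", strict=False)
        if i["ip"] in neighbours:
            findings.append(f"{name} ({i['port']}) uses {i['ip']}, already taken by the {neighbours[i['ip']]}")
        if net.is_private and i["security"] == 0:
            findings.append(f"{name} ({net}) is security-level 0; hosts there get no more trust than the outside")
        if name != "outside" and name not in nat_ifs:
            findings.append(f"no 'nat ({name})' rule: hosts on {net} are not translated to the global pool")
    if "outside" in acls and acl_is_permit_any(cfg, acls["outside"]):
        findings.append(f"outside access-group {acls['outside']} is 'permit ip any any'")
    return findings


if __name__ == "__main__":
    for f in lint(NEW_PIX_CFG, LAN_NEIGHBOURS):
        print("-", f)
```

Run against the posted config this reports four things: mgt clashes with the original PIX at 192.168.1.1, the LAN subnet sits on a security-level 0 interface, mgt has no nat rule, and the inbound ACL on outside is wide open.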
@ ikalmar - Duh, you're right, 2950 is layer 2 only...
ASKER
Yes, I did switch the interfaces. I realized I had my mgt interface on Ethernet0, which is normally the inside interface, and I want to try to keep things ordered. If I buy a Cisco 3550, which I understand is a Layer 3 switch, can I enable a VLAN on it and then route between the two networks? I'm trying to install an intrusion detection system which needs to monitor network traffic, but that is the segment I am out of IP addresses on. The IDS will be remotely managed, so they will need to connect via the new PIX.
ASKER
Will a Cisco WS-C3550-24-EMI do what I want?
ASKER CERTIFIED SOLUTION
Did you check whether that IP address collides with a PC on the network?