rogue028

two pix firewalls same subnet

I have a network with two pix firewalls due to the fact we ran out of ip addresses.  The first pix works fine (the original one).  The second one connects to the internet but when I plug it into my switch I can no longer connect to the internet.  I do change my default gateway on my pc to point to the second pix.  It looks like this:

              DSL                              DSL
               |                                |
         original pix                        new pix
         192.168.1.1                       192.168.1.2
               |                                |
                \                              /
                 \                            /
                  \                          /
                       cisco 2950 switch
                          192.168.1.8
                          |         |
                          |         |
           PC with gateway           PC with gateway
             192.168.1.1               192.168.1.2
            (works fine)               (no internet)

I'm needing to allow a vendor in to my network to access another device on my network hanging off my switch.  Any help with what I'm missing if this is even possible would be appreciated.  

Istvan Kalmar

Hi,

Did you check whether that IP address collides with a PC on the network?
On the new pix, do you have internet connectivity? On the PIX CLI, can you ping outside to 4.2.2.2? Can you ping inside to 192.168.1.8?
Check the new pix: when a machine tries to go outbound, you should see an XLATE entry for the outbound traffic using SHOW XLATE. Do you see this?
Do a SHOW LOGGING to see if any packets are dropped due to ACL or something... anything here?
rogue028

ASKER

both PCs are on the network.  The one with the gateway of 192.168.1.2 won't connect to the internet.  
What were the results of the questions above?
If I plug into the ethernet port defined at inside on the new pix 192.168.1.2 I have internet connectivity.  When I plug the switch into the config, I lose pdm access.  I don't have the telnet password.  
Mike, going to run commands now.  
You are correct, I'm getting blocked.  Let me examine my rules.  
We could try a policy based map to force traffic to the new pix and see if that works.

conf t
! standard ACL 1 takes a host or network, not the 'ip' keyword of an extended ACL
access-list 1 permit host <ip-address-of-pc-to-go-out-new-pix>

route-map New-Pix permit 10
 match ip address 1
 set ip next-hop 192.168.1.2

interface vlan 1 (or whatever VLAN 192.168.1.x is configured on)
 ip policy route-map New-Pix

end

Give it a try now and see if the PC can get out.

Do the commands I suggested on the 2950 switch, plus clear the arp cache.

clear arp
[confirm] Y
There is a vpn setup on the old pix so I can't make any changes that would interfere with traffic going to it.   I still can't access my new pix using the pdm.  Maybe I need to reload.  
What does "sh arp" on the switch show?

Topdavis: the PBR command is not compatible with the 2950!

Best regards,
Istvan
I have entries for:
192.168.1.6
192.168.1.8 (the switch)
192.168.1.54
192.168.1.246
192.168.1.247
I just realized I can ping the internet from my pix, I can ping the pix from my lan, but I cannot ping my lan from my pix.  This is all referring to my new pix.  
show running

: Saved

:

PIX Version 8.0(4)
hostname pixfirewallnew
names

interface Ethernet0
 nameif outside
 security-level 0

 pppoe client vpdn group attnetwork
 ip address pppoe setroute

interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.39.127.2 255.255.255.0

interface Ethernet2
 nameif mgt
 security-level 0
 ip address 192.168.1.1 255.255.255.0
ftp mode passive

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip any any
access-list dmz_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any

pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu mgt 1500
no failover

icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-615.bin
asdm history enable

arp timeout 14400
global (outside) 101 99.115.xx.239 netmask 255.255.255.224
nat (inside) 101 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface mgt

route mgt 10.39.127.0 255.255.255.0 151.164.183.117 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy

http server enable
http 192.168.1.0 255.255.255.0 mgt
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0

vpdn group attnetwork request dialout pppoe
vpdn group attnetwork localname anbtxmp@att.net
vpdn group attnetwork ppp authentication pap
vpdn username someting@att.net password *********

dhcpd dns 68.94.156.1 68.94.157.1 interface inside
dhcpd address 192.168.1.100-192.168.1.100 mgt
dhcpd enable mgt

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp

service-policy global_policy global
prompt hostname context

pixfirewallnew#
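The config above can be checked mechanically for the two things the thread is circling: which interface actually carries the 192.168.1.0/24 LAN (and at what security level), and whether NAT, the inbound ACLs and the PDM/ASDM HTTP server line up with that. The script below is an added example, not code from the thread or from Cisco; it embeds a trimmed copy of the posted config as constructed sample text, assumes the LAN is 192.168.1.0/24 as in the diagram, and treats security-level 100 as the trusted side by the usual PIX/ASA convention.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a trimmed copy of the running-config posted in the thread.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address pppoe setroute
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.39.127.2 255.255.255.0
interface Ethernet2
 nameif mgt
 security-level 0
 ip address 192.168.1.1 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list dmz_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
nat (inside) 101 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface mgt
http server enable
http 192.168.1.0 255.255.255.0 mgt
"""

TRUSTED_LEVEL = 100  # PIX/ASA convention: 100 is the most trusted interface


@dataclass
class Interface:
    name: str
    nameif: str = ""
    security_level: int = -1                    # -1 = not configured
    network: Optional[ipaddress.IPv4Network] = None


def parse_interfaces(config: str) -> Dict[str, Interface]:
    """Build {nameif: Interface} from the indented 'interface ...' blocks."""
    result: Dict[str, Interface] = {}
    current: Optional[Interface] = None
    for line in config.splitlines():
        if not line.startswith(" "):            # any top-level command ends a block
            current = Interface(line.split()[1]) if line.startswith("interface ") else None
            continue
        if current is None:
            continue
        parts = line.split()
        if parts[0] == "nameif":
            current.nameif = parts[1]
            result[current.nameif] = current
        elif parts[0] == "security-level":
            current.security_level = int(parts[1])
        elif parts[:2] == ["ip", "address"] and len(parts) >= 4:
            try:
                current.network = ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}", strict=False)
            except ValueError:                  # e.g. 'ip address pppoe setroute'
                pass
    return result


def audit(config: str, lan_cidr: str = "192.168.1.0/24") -> List[str]:
    """Return human-readable findings about LAN placement and exposure."""
    lan = ipaddress.IPv4Network(lan_cidr)
    ifaces = parse_interfaces(config)
    findings: List[str] = []

    def level(nameif: str) -> int:
        return ifaces[nameif].security_level if nameif in ifaces else -1

    # 1. Which interface carries the LAN, and is it the trusted one?
    lan_if = next((i for i in ifaces.values() if i.network == lan), None)
    if lan_if is None:
        findings.append(f"no interface carries {lan}")
    elif lan_if.security_level < TRUSTED_LEVEL:
        findings.append(f"LAN {lan} sits on '{lan_if.nameif}' (security-level "
                        f"{lan_if.security_level}); LAN hosts are treated as untrusted")

    # 2. Dynamic NAT is keyed by nameif: if the LAN is not on that interface, no xlate is built.
    nat_ifs = set(re.findall(r"^nat \((\S+)\)", config, re.M))
    if lan_if is not None and lan_if.nameif not in nat_ifs:
        findings.append(f"no 'nat ({lan_if.nameif})' statement; LAN traffic gets no translation")

    # 3. Blanket 'permit ip any any' bound inbound on a low-security interface.
    any_any = set(re.findall(r"^access-list (\S+) extended permit ip any any$", config, re.M))
    for acl, nameif in re.findall(r"^access-group (\S+) in interface (\S+)$", config, re.M):
        if acl in any_any and level(nameif) < TRUSTED_LEVEL:
            findings.append(f"'{acl}' permits ip any any inbound on '{nameif}' "
                            f"(security-level {level(nameif)})")

    # 4. Device management (PDM/ASDM over HTTPS) reachable from a low-security interface.
    for net, mask, nameif in re.findall(r"^http (\S+) (\S+) (\S+)$", config, re.M):
        if level(nameif) < TRUSTED_LEVEL:
            findings.append(f"management HTTP from {net}/{mask} allowed on '{nameif}' "
                            f"(security-level {level(nameif)})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run as-is it reports five findings on the posted config: the LAN is on the security-level 0 "mgt" interface, there is no `nat (mgt)` so LAN hosts never get an xlate (which matches "I can ping the pix from my lan, but I cannot ping my lan from my pix"), `permit ip any any` is bound inbound on both level-0 interfaces, and the HTTP management server is exposed on one of them. Swapping the two inside/mgt addresses, as suggested in the thread, clears the first two; the blanket ACLs and the management exposure remain and are worth tightening before a vendor is let in.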
Just a question: did you by any chance switch the addresses of the inside and mgt interface?

interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.39.127.2 255.255.255.0

interface Ethernet2
 nameif mgt
 security-level 0
 ip address 192.168.1.1 255.255.255.0


Looks to me it should be the other way around (?)
@ ikalmar - Duh, you're right, 2950 is layer 2 only...
Yes, I did switch the interfaces.  I realized I had my mgt interface on Ethernet0, which is normally the inside interface, and I want to try to keep things ordered.  If I buy a Cisco 3550, which I understand is a Layer 3 switch, can I enable a VLAN on it and then route between the two networks?  I'm trying to install an intrusion detection system which needs to monitor network traffic, but that is the segment I am out of IP addresses on.  The IDS will be remotely managed so they will need to connect via the new pix.
Will a Cisco WS-C3550-24-EMI do what I want?  
ASKER CERTIFIED SOLUTION
topdavis