  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 502

Pix 515 routing issue

We have a lab that we want to isolate on the network using a PIX 515. It's going to help us filter all the traffic to and from the lab.

Right now, we can't ping from inside this lab to the outside.  Any help would be greatly appreciated.

Also having trouble telnetting from the outside interface. I'm aware that SSH is preferred. I just want to know that I can set up telnet effectively. Seems I'm missing some part of my understanding.


pix> en
Password: *********
pix# show run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 Students security99
nameif ethernet2 intf2 security4
enable password  encrypted
passwd encrypted
hostname pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
icmp permit any outside
mtu outside 1500
mtu Students 1500
mtu intf2 1500
ip address outside x.x.0.18 255.255.252.0
ip address Students x.x.5.1 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (Students) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 Students
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 20
console timeout 0
dhcpd address x.x.5.2-x.x.5.150 Students
dhcpd dns x.x.0.48 255.255.252.0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain sermetrohq
dhcpd enable Students
username xxxx password xxxxx encrypted privilege 2
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxx
: end
pix#
pix# show route
        outside x.x.0.0 255.255.252.0 x.x.0.18 1 CONNECT static
        Students x.x.5.0 255.255.255.0 x.x.5.1 1 CONNECT static
pix#
Asked by: egalois

2 Solutions

MikeKane commented:
You need a default route outside

route outside 0.0.0.0 0.0.0.0 <ip address of outside Gateway>


Also, make sure that from the PIX command line that you can ping to an ip address on the outside and a host on the inside.  

jjmartineziii commented:
Not 100% sure on the pix but on the ASA, you can only telnet from the inside interface. SSH must be used for the outside and DMZ.

MikeKane is correct, you are missing your routing commands.
egalois (Author) commented:
Added the route outside connection. Still not working...

pix# show route
        outside 0.0.0.0 0.0.0.0 x.x.0.18 1 OTHER static
        outside x.x.0.0 255.255.252.0 x.x.0.18 1 CONNECT static
        Students x.x.5.0 255.255.255.0 x.x.5.1 1 CONNECT static
pix#
egalois (Author) commented:
ip address outside 192.168.0.18 255.255.252.0
ip address Students 192.168.5.1 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (Students) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 192.168.0.18 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
jjmartineziii commented:
Does the 192.168.0.0 network know how to get to 192.168.5.1 ?
egalois (Author) commented:
192.168.5.1 doesn't respond to pings.  Maybe I should add a static mapping?
jjmartineziii commented:
Get into the next hop after the ASA and see if there is a route under "show ip route" that points 192.168.5.1 traffic to your ASA.
egalois (Author) commented:
StudentPix inside interface: 192.168.5.1
StudentPix outside interface: 192.168.0.18

MainPix inside interface: 192.168.0.2
MainPix inside interface: 192.168.0.1

so command to enter on my mainpix (next hop) would be...  

MainPix (config) # route inside 192.168.5.1 255.255.255.0 192.168.0.18 255.255.252.0 1

is this correct?
MikeKane commented:
I just tried catching up on this thread....  I'm not following the layout here.... especially how the 'Students' Zone fits into this.    I see a Students Zone on the ASA, but the IP is blocked off.   However, later I see a students inside/outside IP connecting to another PIX?  

Could I ask for a simple network diagram showing where each zone sits and the upstream/downstream IP subnets....
egalois (Author) commented:
network diagram
MikeKane commented:
Ok now I understand....       I think you have a fundamental design issue with this layout.    

Now, I am assuming that the "Staff computers" are more important than the "Student Lab" computers.  Is that correct?  
If the answer is 'yes' then I want to point out the following.   The Student Pix places the 192.168.5.0 network on the 'inside' interface, meaning it is the most trusted.    The 192.168.0.0/22 network is on the outside.    Inside can traverse the pix to the outside using NAT.   But the outside network(s) cannot speak to the 192.168.5.0/24 subnet without the use of static nats and ACLs allowing the traffic.    BTW, your code has no GLOBAL command for outbound NAT.  

Here are my questions for you:
Does 192.168.5.1 subnet need internet access?  
Do the 'staff computers'  need access to the 'lab computers'?  How about the 192.168.5.0 switch?
Should the 'lab computers' have access to the 'staff computers'?  
Are any of these switches Layer 3 managed?  

egalois (Author) commented:
Answers to questions:

Yes, 192.168.5.1/24 must have internet access - the point of this setup is to use the firewall to help control/filter traffic.

Staff do not need access to the lab computers or the switch, however the management of these devices has been from a server on the staff switch.  But I can change this.

None of our switches are layer 3 managed (someday I would love to do this....).

I hadn't considered what you say about "most trusted".   It might be that I've got the inside and outside interfaces assigned wrong.  Maybe I should have the students on the outside interface and that would solve all the problems?

MikeKane commented:
How many interfaces does your MAINPIX have?   Do you have 1 available for another connection?    If so, you can dump the STUDENTPIX altogether and just use the MAIN PIX with a 3 prong setup: inside, outside, studentzone.  

Inside is security level 100
outside is level 0
student is level 50

That way, both inside and student zones can use the MainPix's internet connection.   You can control what subnet can access what subnet as needed.    The inside Staff subnet could still have visibility into the student zone for management.   The student zone would be cut off from the staff zone unless you specifically allow it.    You can also control outbound access... i.e. turn off SMTP port 25 for the students.

Like this:

ISP
|
PIX - Student switch - Student Lab
|
Switch
|
Staff PCs.  


egalois (Author) commented:
Yes, I see your point.  It would be perfect but I have left out one part to this puzzle.  The student lab is in another building connected with one wire.  Staff computer traffic from this extra building travels the "one wire" with student traffic to the main building.

There is no way I can channel the student lab traffic to one port on the MainPix (unless maybe I use VLANs....)   I have no problem with using VLANs but I thought this method I chose first would be easier.


egalois (Author) commented:
Corrected network diagram
egalois (Author) commented:
Mike Kane, how do I add the GLOBAL command for outbound NAT?
MikeKane commented:
Global is:

global (outside) 1 interface
or
global (outside) 1 <ip address to use for PAT>  

Usually, unless you have a good reason, using 'interface' is fine.  


Are your switches layer3 managed?    If yes, then this setup is no problem.    
Building A switch carve out 2 Vlans.   i.e. 10 for staff, 20 for students.  
MainPix inside goes into Vlan 10
MainPix students goes to 20

Now you trunk the port that connects the 2 buildings so that it carries both tagged vlans.

At the far end, you have the trunked port for that interconnect link.   You also define vlans 10 and 20 and connect systems as needed.  

No problem.  



0
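A small checker for the gaps this thread walks through: a missing default route, or one whose next hop is the PIX's own outside address instead of the gateway; a nat id with no matching global; telnet accepted from any address or on the outside interface; and the default SNMP community. This is an added example, not code from the thread or from Cisco; audit_pix and SAMPLE_CONFIG are hypothetical names, and the sample is a constructed copy of the relevant lines of the poster's config.

```python
import re

# Constructed sample: the relevant lines of the poster's 'show run', using the
# 192.168.x addresses from the later post in place of the redacted x.x ones.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 Students security99
ip address outside 192.168.0.18 255.255.252.0
ip address Students 192.168.5.1 255.255.255.0
nat (Students) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.0.18 1
snmp-server community public
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 Students
ssh 0.0.0.0 0.0.0.0 outside
"""


def audit_pix(config: str) -> list[str]:
    """Return one finding per problem; an empty list means every check passed."""
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    findings = []
    # Address configured on each interface, so a route's next hop can be checked against it.
    own_ip = {m.group(1): m.group(2)
              for m in (re.match(r"ip address (\S+) (\S+) \S+$", line) for line in lines) if m}
    # 1. A default route must exist, and its next hop must be the upstream gateway,
    #    not the PIX's own outside address (the mistake visible in the thread).
    defaults = [m for m in (re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line)
                            for line in lines) if m]
    if not defaults:
        findings.append("no default route: add 'route outside 0.0.0.0 0.0.0.0 <gateway>'")
    for m in defaults:
        ifc, hop = m.group(1), m.group(2)
        if own_ip.get(ifc) == hop:
            findings.append(f"default route next hop {hop} is the PIX's own {ifc} "
                            "address, not the upstream gateway")
    # 2. Each nat id (other than nat 0) needs a global with the same id; without it
    #    outbound traffic has no PAT address to translate to.
    nat_ids = {m.group(1) for m in (re.match(r"nat \(\S+\) (\d+) ", line) for line in lines) if m}
    global_ids = {m.group(1) for m in (re.match(r"global \(\S+\) (\d+) ", line) for line in lines) if m}
    for nid in sorted(nat_ids - global_ids - {"0"}):
        findings.append(f"nat id {nid} has no matching 'global (outside) {nid} interface'")
    # 3. Cleartext telnet accepted from any address, or on the outside interface at all.
    for m in (re.match(r"telnet (\S+) (\S+) (\S+)$", line) for line in lines):
        if m and (m.group(1) == "0.0.0.0" or m.group(3) == "outside"):
            findings.append(f"telnet open from {m.group(1)} on {m.group(3)}: "
                            "restrict to a management host and prefer ssh")
    # 4. The SNMP community is still the well-known default.
    if "snmp-server community public" in lines:
        findings.append("SNMP community is the default 'public'")
    return findings
```

Run against the sample it reports five findings; the same checks on the corrected config (real gateway as next hop, a global paired with nat 1, telnet limited to one management host, SNMP community changed) return an empty list.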
egalois (Author) commented:
thanks