Solved

Pix 515 routing issue

Posted on 2011-09-02
Last Modified: 2012-06-21
We have a lab that we want to isolate on the network using a PIX 515. It's going to help us filter all the traffic to and from the lab.

Right now, we can't ping from inside this lab to the outside.  Any help would be greatly appreciated.

Also having trouble telnetting from the outside interface. I'm aware that SSH is preferred. I just want to know that I can set up telnet effectively. Seems I'm missing some part of my understanding.


pix> en
Password: *********
pix# show run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 Students security99
nameif ethernet2 intf2 security4
enable password  encrypted
passwd encrypted
hostname pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
icmp permit any outside
mtu outside 1500
mtu Students 1500
mtu intf2 1500
ip address outside x.x.0.18 255.255.252.0
ip address Students x.x.5.1 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (Students) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 Students
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 20
console timeout 0
dhcpd address x.x.5.2-x.x.5.150 Students
dhcpd dns x.x.0.48 255.255.252.0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain sermetrohq
dhcpd enable Students
username xxxx password xxxxx encrypted privilege 2
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxx
: end
pix#
pix# show route
        outside x.x.0.0 255.255.252.0 x.x.0.18 1 CONNECT static
        Students x.x.5.0 255.255.255.0 x.x.5.1 1 CONNECT static
pix#
Question by:egalois
 
LVL 33

Expert Comment

by:MikeKane
ID: 36475442
You need a default route outside

route outside 0.0.0.0 0.0.0.0 <ip address of outside Gateway>


Also, make sure that from the PIX command line that you can ping to an ip address on the outside and a host on the inside.  

 
LVL 12

Expert Comment

by:jjmartineziii
ID: 36475469
Not 100% sure on the pix but on the ASA, you can only telnet from the inside interface. SSH must be used for the outside and DMZ.

MikeKane is correct, you are missing your routing commands.
 

Author Comment

by:egalois
ID: 36475685
Added the route outside connection. Still not working...

pix# show route
        outside 0.0.0.0 0.0.0.0 x.x.0.18 1 OTHER static
        outside x.x.0.0 255.255.252.0 x.x.0.18 1 CONNECT static
        Students x.x.5.0 255.255.255.0 x.x.5.1 1 CONNECT static
pix#
 

Author Comment

by:egalois
ID: 36475702
ip address outside 192.168.0.18 255.255.252.0
ip address Students 192.168.5.1 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (Students) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 192.168.0.18 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
 
LVL 12

Expert Comment

by:jjmartineziii
ID: 36475708
Does the 192.168.0.0 network know how to get to 192.168.5.1?
 

Author Comment

by:egalois
ID: 36475978
192.168.5.1 doesn't respond to pings.  Maybe I should add a static mapping?
 
LVL 12

Expert Comment

by:jjmartineziii
ID: 36475988
Get into the next hop after the ASA and see if there is a route under "show ip route" that points 192.168.5.1 traffic to your ASA.
 

Author Comment

by:egalois
ID: 36490373
StudentPix inside interface: 192.168.5.1
StudentPix outside interface: 192.168.0.18

MainPix inside interface: 192.168.0.2
MainPix inside interface: 192.168.0.1

So the command to enter on my MainPix (next hop) would be...

MainPix (config) # route inside 192.168.5.1 255.255.255.0 192.168.0.18 255.255.252.0 1

is this correct?
 
LVL 33

Expert Comment

by:MikeKane
ID: 36491422
I just tried catching up on this thread.... I'm not following the layout here.... especially how the 'Students' zone fits into this. I see a Students zone on the ASA, but the IP is blocked off. However, later I see a Students inside/outside IP connecting to another PIX?

Could I ask for a simple network diagram showing where each zone sits and the upstream/downstream IP subnets....
 

Author Comment

by:egalois
ID: 36491723
network diagram (image attachment)
 
LVL 33

Expert Comment

by:MikeKane
ID: 36495850
Ok, now I understand.... I think you have a fundamental design issue with this layout.

Now, I am assuming that the "Staff computers" are more important than the "Student Lab" computers. Is that correct?
If the answer is 'yes' then I want to point out the following. The Student Pix places the 192.168.5.0 network on the 'inside' interface, meaning it is the most trusted. The 192.168.0.0/22 network is on the outside. Inside can traverse the pix to the outside using NAT. But the outside network(s) cannot speak to the 192.168.5.0/24 subnet without the use of static NATs and ACLs allowing the traffic. BTW, your code has no GLOBAL command for outbound NAT.

Here are my questions for you:
Does the 192.168.5.1 subnet need internet access?
Do the 'staff computers' need access to the 'lab computers'? How about the 192.168.5.0 switch?
Should the 'lab computers' have access to the 'staff computers'?
Are any of these switches Layer 3 managed?

 

Author Comment

by:egalois
ID: 36497642
Answers to questions:

Yes, 192.168.5.1/24 must have internet access - the point of this setup is to use the firewall to help control/filter traffic.

Staff do not need access to the lab computers or the switch, however the management of these devices has been from a server on the staff switch.  But I can change this.

None of our switches are layer 3 managed (someday I would love to do this....).

I hadn't considered what you say about "most trusted".   It might be that I've got the inside and outside interfaces assigned wrong.  Maybe I should have the students on the outside interface and that would solve all the problems?

 
LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 500 total points
ID: 36498195
How many interfaces does your MAINPIX have? Do you have 1 available for another connection? If so, you can dump the STUDENTPIX altogether and just use the MAIN PIX with a 3 prong setup: inside, outside, studentzone.

Inside is security level 100
outside is level 0
student is level 50

That way, both inside and student zones can use the MainPix's internet connection. You can control what subnet can access what subnet as needed. The inside Staff subnet could still have visibility into the student zone for management. The student zone would be cut off from the staff zone unless you specifically allow it. You can also control outbound access... i.e. turn off SMTP port 25 for the students.

Like this:

ISP
|
PIX - Student switch - Student Lab
|
Switch
|
Staff PCs.  


 

Author Comment

by:egalois
ID: 36498294
Yes, I see your point.  It would be perfect but I have left out one part to this puzzle.  The student lab is in another building connected with one wire.  Staff computer traffic from this extra building travels the "one wire" with student traffic to the main building.

There is no way I can channel the student lab traffic to one port on the MainPix (unless maybe I use VLANs....). I have no problem with using VLANs but I thought this method I chose first would be easier.


 

Author Comment

by:egalois
ID: 36498679
Corrected network diagram
 

Author Comment

by:egalois
ID: 36502907
Mike Kane, how do I add the GLOBAL command for outbound NAT?
 
LVL 33

Accepted Solution

by:
MikeKane earned 500 total points
ID: 36504770
Global is:

global (outside) 1 interface
or
global (outside) 1 <ip address to use for PAT>  

Usually, unless you have a good reason, using 'interface' is fine.  


Are your switches layer 3 managed? If yes, then this setup is no problem.
Building A switch: carve out 2 VLANs, i.e. 10 for staff, 20 for students.
MainPix inside goes into VLAN 10
MainPix students goes to 20

Now you trunk the port that connects the 2 buildings so that it carries both tagged VLANs.

At the far end, you have the trunked port for that interconnect link. You also define VLANs 10 and 20 and connect systems as needed.

No problem.



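An added example, not code from this thread or from Cisco: a small Python lint that reads a PIX 6.x running-config in the format posted above and reports the three routing/NAT problems the experts raised (no default route, a `nat` id with no matching `global`, a default route whose next hop is the firewall's own interface address rather than the upstream gateway) together with two management-plane settings visible in the posted config (telnet permitted from any source, the default `public` SNMP community). The sample config is constructed from the thread's own lines; the `lint_pix` function and its finding texts are this example's own.

```python
import re

# Constructed sample: the routing- and NAT-relevant lines of the PIX 6.3(3)
# config posted in the question, after the author added the default route.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 Students security99
ip address outside 192.168.0.18 255.255.252.0
ip address Students 192.168.5.1 255.255.255.0
nat (Students) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.0.18 1
telnet 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
snmp-server community public
"""

def lint_pix(config):
    """Return a list of finding strings for a PIX 6.x running-config."""
    findings, nat_ids, global_ids, own_ips = [], set(), set(), {}
    default_gw = None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            own_ips[m.group(2)] = m.group(1)            # interface IP -> nameif
        elif m := re.match(r"nat \(\S+\) (\d+) ", line):
            if m.group(1) != "0":                        # nat 0 (identity) needs no global
                nat_ids.add(m.group(1))
        elif m := re.match(r"global \(\S+\) (\d+) ", line):
            global_ids.add(m.group(1))
        elif m := re.match(r"route \S+ 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            default_gw = m.group(1)
        elif m := re.match(r"telnet 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            findings.append(f"telnet permitted from any source on {m.group(1)}")
        elif line == "snmp-server community public":
            findings.append("SNMP community is the default 'public'")
    if default_gw is None:
        findings.append("no default route: add 'route outside 0.0.0.0 0.0.0.0 <gateway> 1'")
    elif default_gw in own_ips:
        findings.append(f"default route next hop {default_gw} is the PIX's own "
                        f"{own_ips[default_gw]} address, not the upstream gateway")
    for nid in sorted(nat_ids - global_ids):
        findings.append(f"nat id {nid} has no matching 'global (outside) {nid} ...'")
    return findings

if __name__ == "__main__":
    for finding in lint_pix(SAMPLE_CONFIG):
        print("-", finding)
```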
 

Author Closing Comment

by:egalois
ID: 36505172
thanks
