PIX and router configuration

Hi all, I wonder if anyone can help me with a Cisco PIX configuration. Our network is set up as follows:

             Outside 66.161.8.0/27
                      |
   REMOTE PIX520 ---------- DMZ 172.16.1.0/24      (Colo)
                      |
             Inside 192.168.3.0/24
                      |
                  ROUTER A
                      |
             192.168.6.0/24  (T1 P2P connecting the cage @ Colo to the HQ office)
                      |
                  ROUTER B
                      |
             192.168.2.0/24  Corporate Network

Basically, we have a cage at a colo facility. A private T1 line connects the HQ office to the cage. Internet access goes out from the cage. The Cisco PIX is set up at the cage with 3 interfaces enabled: outside, inside, dmz.

PIX config:
  Outside 66.161.8.1
  Inside  192.168.3.1
  DMZ     172.16.1.1

  static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0   (no translation between dmz and inside)
  static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0   (no translation between dmz and corp)

Router A:
  Serial0 192.168.6.1
  E0      192.168.3.2

Router B:
  Serial0 192.168.6.2
  E0      192.168.2.1

Routing table on PIX:
  0.0.0.0 0.0.0.0 66.161.8.2               (to the ISP, to the Internet)
  192.168.2.0 255.255.255.0 192.168.3.2    (Router A Ethernet interface)

Routing table on Router A:
  0.0.0.0 0.0.0.0 192.168.3.1              (PIX inside interface)
  192.168.2.0 255.255.255.0 192.168.6.2    (Router B serial interface)

Routing table on Router B:
  0.0.0.0 0.0.0.0 192.168.6.1              (Router A serial interface)

All the routing, NAT, STATIC and GLOBAL statements are configured. Traffic from the inside can get out to the Internet. Traffic from the HQ office can get out to the Internet.

The hosts from the HQ office can talk to the hosts on the DMZ segment, since there is a static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0. For instance, DMZ_A (172.16.1.10) can ping HQ_A (192.168.2.10), and vice versa. There is also the access-list for the dmz.

Hosts from the DMZ can talk to hosts on the inside of the PIX as well.

The problem I have is that the host from the inside, INSIDE_A (192.168.3.10), CAN NOT talk to the host HQ_A (192.168.2.10), and vice versa. I guess there is no NAT or STATIC tying the 192.168.2.0 addresses to the inside interface on the PIX.

If I add a static route on the hosts on the inside segment, then they can communicate. For instance, on host INSIDE_A, if I add "route add 192.168.2.0 mask 255.255.255.0 192.168.3.2", host INSIDE_A can talk to host HQ_A.

In short, if a host on the 192.168.3.0/24 segment wants to talk to a host on the 192.168.2.0/24 segment, it has to bypass the PIX, which is the default gateway for all the hosts on that segment, and go directly to ROUTER A. Otherwise, if I let the PIX decide, it will drop the packets since there is no NAT or STATIC for the 192.168.2.0 addresses.

I have talked to someone, and he mentioned something about IP redirects on the PIX. Does anyone have any idea how to make this configuration work without adding a static route on every host on the inside segment? Please help!

I apologize for the long description of the problem. Please help. Thanks a million!

Danny

danny.bui

wrote in message news: snipped-for-privacy@i39g2000cwa.googlegroups.com...


Great description you gave! Your problem is that your inside hosts have the PIX inside interface as gateway. So when an inside host wants to talk to HQ, it asks the PIX for directions. BUT the PIX is not a router, and the PIX will not give ICMP redirects! If you debug ICMP on the PIX you will see this.

The resolution is to have your inside hosts use the router as default gateway. This way the router will send ICMP redirects whenever the hosts need to go to the Internet instead. Depending on your number of inside hosts, the router hardware and, if it's Cisco, the IOS version, this could cause problems that you need to fix first, but then again it might not be a problem.

If you run DHCP for your clients it is pretty simple to change the gateway option on the scope. Also, if your clients use personal firewall software, this needs to allow the ICMP redirect, obviously.

HTH Martin Bilgrav

Martin Bilgrav

Thanks Martin, I know it works fine if I have the hosts use the router as the gateway. I will be able to get back to the corporate office with no problem. However, there are some issues with using the router as default gateway. For instance, when I connect to the VPN, I won't be able to connect to those hosts, since the router doesn't know where to go when the VPN is connected to the PIX.

Another concern I have is, when a host from the outside or DMZ tries to contact a host inside, traffic will be forwarded to the PIX. The PIX will then hand the request to the inside host without going past the router (since the inside interface is local to the hosts). When the inside host sends back the acknowledgement to the requesting host on the DMZ or outside, the inside host will then go to the router instead of going back to the PIX, since the router is its default gateway. This might be a problem then, because the request and reply are not going through the same connection.

In short, using the router as the default gateway for the inside hosts will allow them to communicate with the hosts in HQ with no problem. However, it might cause conflicts when hosts on other interfaces communicate with the hosts on the INSIDE interface.

I hope this makes sense.

Thanks for your insights! Danny

danny.bui

wrote in message news: snipped-for-privacy@u72g2000cwu.googlegroups.com...

Not correct. As the router has a default route to the PIX, the inside hosts will reach the VPN clients. Otherwise, if you cannot, you likely have a nonat issue. Routing for sure is not the problem.

Partly correct. Whenever the inside hosts need to go to outside hosts (i.e. also DMZ hosts), they will contact their default gateway, which will send an ICMP redirect to the inside host. The client will "remember" this ICMP redirect for a period of time, and the router will only send it once for that period of time.

No, you get the redirect from the router.

Martin Bilgrav

Thanks... it seems to work fine using the router as default gateway. For the VPN issue, I just added a static route on the router for the VPN IP addresses pointing back to the PIX. This way it knows how to get back to the VPN clients.

Thanks so much for your help! Danny

danny.bui

Hi Martin, I just started some more testing, and the configuration of using the router as the default gateway causes the issues I was concerned about earlier. I created a static NAT for one of the hosts on the inside interface and tried to access it on port 80 from the Internet. It didn't work. As I suspected, the PIX created a connection and forwarded the request to the NATted host. However, when the host replied, it forwarded its reply to the router instead of the PIX. This caused the problem. The PIX was waiting for a response from the host, but never got one from it; instead it got the response from the router. Therefore, the PIX dropped the connection.

As soon as I used the PIX as the default gateway, I was able to access the web page with no problem. I guess using the router as the default gateway is not the best solution. It allowed connections through the back door of the PIX, but created a problem for connections from the outside.

Please advise. Thanks Danny

danny.bui

Sorry for my late answer - Easter holidays here...

I would not recommend doing a static for an inside host at all. This would compromise your security integrity. It makes all the sense in the world that when you create a static to the inside, and the inside uses a different gw, you experience what you describe.

...unless the inside hosts in your setup are inside to the router as well. In this case you have a config mismatch somewhere.

Good or not, it is the only solution to your problem, as the PIX will never send you any redirects. But what you can do is daisy chain your router with your PIX, and hence have a "link-net" between the PIX and the router with no hosts on it. Then use the back side of the router as gw.

Not sure what you mean by this?

Hope I did....

8)

Martin Bilgrav

The "daisy chain" method is actually the most common scenario that I've seen (this not only solves your issue, but also increases security). The way I usually accomplish this is to set up a /30 (point to point, only 2 hosts: the PIX and the router). Make all your inside routes (i.e. 192.168.2.0/24) with the next hop of the router end of the /30. Then the router will know how to handle everything from that point forward. That will take care of routing from the PIX to the inside. Then you make the router the DG for the inside hosts, and now you've got connectivity in both directions following the same path, so the PIX will be happy, with no issues regarding VPN.

If your router only has one Ethernet interface, then to accomplish this you may need to use ISL or 802.1Q trunking to create two VLANs. One would be the /30 from the PIX, the other the local network. Use trunks; I highly discourage the use of secondary addresses.

Your environment is pretty standard so if you have any further issues, please feel free to ask any questions you may have and most of the people on this board should be able to answer them without any problems.

Ryan

rdymek
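As an added example (not part of the original thread, and not Danny's, Martin's or Ryan's own config), here is what the daisy chain / link-net layout Martin and Ryan describe could look like on the PIX 520 (PIX OS 6.x syntax) and on Router A (IOS). It also folds in Martin's earlier advice to make the router the inside hosts' default gateway and the static route for the VPN pool that Danny added. Everything the thread did not state is an assumption: the /30 link-net 192.168.7.0/30 (PIX .1, router .2), VLAN IDs 7 and 3 on the router's single FastEthernet0/0 port, a VPN client pool of 192.168.9.0/24, and the exact form of the nat/global lines (the original post only says they exist). Addresses the thread does give are kept as posted.

```cisco
! ===== PIX 520 (PIX OS 6.x syntax) -- added example, not the thread's own config =====
! The inside interface no longer sits on 192.168.3.0/24 with the hosts; it sits on a
! /30 "link-net" whose only two hosts are the PIX and Router A (192.168.7.0/30 is assumed).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 66.161.8.1 255.255.255.224
ip address inside 192.168.7.1 255.255.255.252
ip address dmz 172.16.1.1 255.255.255.0
!
! Default route to the ISP, unchanged from the original post
route outside 0.0.0.0 0.0.0.0 66.161.8.2 1
! Both inside networks (3.0/24 at the colo, 2.0/24 at HQ) are now reached via
! Router A's end of the /30, so the PIX is never asked to redirect a host.
route inside 192.168.3.0 255.255.255.0 192.168.7.2 1
route inside 192.168.2.0 255.255.255.0 192.168.7.2 1
!
! Identity statics from the original post (inside <-> dmz without translation),
! written with the "netmask" keyword PIX 6.x expects
static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0 0 0
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 0 0
! PAT for Internet-bound traffic from both inside networks (assumed form of the
! nat/global the post says already exist)
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
global (outside) 1 interface

! ===== Router A (IOS) -- single Ethernet port, 802.1Q trunk to the switch =====
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.7
 description VLAN 7 (assumed): link-net to PIX inside, 192.168.7.0/30
 encapsulation dot1Q 7
 ip address 192.168.7.2 255.255.255.252
!
interface FastEthernet0/0.3
 description VLAN 3 (assumed): colo inside hosts, default gateway 192.168.3.2
 encapsulation dot1Q 3
 ip address 192.168.3.2 255.255.255.0
!
interface Serial0
 description T1 point-to-point to Router B at HQ
 ip address 192.168.6.1 255.255.255.0
!
! Everything not known locally (Internet, DMZ, VPN clients) goes to the PIX
ip route 0.0.0.0 0.0.0.0 192.168.7.1
! HQ network across the T1, as in the original post
ip route 192.168.2.0 255.255.255.0 192.168.6.2
! VPN client pool terminates on the PIX (pool value assumed). The default route
! already covers it; the explicit route mirrors what Danny added and makes the
! intent visible in "show ip route".
ip route 192.168.9.0 255.255.255.0 192.168.7.1

! ===== Router B (IOS) -- unchanged from the original post =====
ip route 0.0.0.0 0.0.0.0 192.168.6.1
```

With this layout the inside hosts' only gateway is 192.168.3.2, and every packet between an inside host and anything behind the PIX (Internet, DMZ, VPN clients) crosses the /30 in both directions, so the request and the reply follow the same path and the PIX's connection table always sees both halves. Because no host shares a segment with the PIX inside interface, there is nothing for ICMP redirects to do any more. The switch port facing FastEthernet0/0 must be a trunk carrying VLANs 3 and 7 (switch config not shown). Check the result with "show route" on the PIX and "show ip route" on Router A before moving the hosts' gateway.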

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.