PIX routing or access-list problem?

 
 
Christoph Gartmann
Guest
Posts: n/a
 
      02-15-2005
Hello,

with my Pix I had the following setup:

outside --- Pix --- inside

Now I added a separate LAN for external PCs. I added this LAN to interface
ethernet 2. Now things look like this:

outside --- Pix --- inside
|
+----- guests

Guests have addresses 192.168.20.x, inside computers 10.1.y.x.
Guests are able to connect to outside using NAT & PAT. But I can't get
the connection between guests and inside to work. The relevant config
of the Pix:

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 guests security50

access-list guest-in permit ip any any
access-list guest-in permit icmp any any

ip address outside 192.168.2.253 255.255.255.248
ip address inside 10.1.1.1 255.255.0.0
ip address guests 192.168.20.254 255.255.255.0

global (outside) 1 195.37.209.97
global (outside) 2 195.37.209.98
nat (inside) 1 10.1.0.0 255.255.0.0 0 0
nat (guests) 2 192.168.20.0 255.255.255.0 0 0

static (inside,guests) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 0 0

access-group guest-in in interface guests

route outside 0.0.0.0 0.0.0.0 192.168.2.254 1


The Pix is able to ping to guests, inside is not able to reach guests. What am
I missing?

Regards,
Christoph Gartmann

--
Max-Planck-Institut fuer Phone : +49-761-5108-464 Fax: -452
Immunbiologie
Postfach 1169 Internet: gartmann@immunbio dot mpg dot de
D-79011 Freiburg, Germany
http://www.immunbio.mpg.de/home/menue.html
 
 
 
 
 
mcaissie
Guest
Posts: n/a
 
      02-15-2005
*********
You may try

static (inside,guests) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0

instead of

static (inside,guests) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 0 0

*************
The command "static (int1,int2 ) fake_ip real_ip"
translates the real_ip of int1 for the fake_ip on int2

but since 192.168.20.0 is not a real_ip of your interface inside
"static (inside,guests) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 0 0"
doesn't accomplish anything

but
static (inside,guests) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0
will make your inside network accessible to your guests network.
You can then filter your access from guests to inside with your
access-list guest-in
and your access from inside to guest with an access-list inside-in











 
 
 
 
 
Christoph Gartmann
Guest
Posts: n/a
 
      02-16-2005
In article <9trQd.431$%y.391@clgrps12>, "mcaissie" <(E-Mail Removed)> writes:
>*********
>You may try
>
>static (inside,guests) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0
>
>instead of
>
>static (inside,guests) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 0 0
>
>*************
>The command "static (int1,int2 ) fake_ip real_ip"
>translates the real_ip of int1 for the fake_ip on int2
>
>but since 192.168.20.0 is not a real_ip of your interface inside
>"static (inside,guests) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 0 0"
>doesn't accomplish anything
>
>but
>static (inside,guests) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0
>will make your inside network accessible to your guests network.
>You can then filter your access from guests to inside with your
>access-list guest-in
>and your access from inside to guest with an access-list inside-in


Thank you very much, now things work as expected.

But there is still one thing that puzzles me:
I thought that packets from an interface with higher security will reach
interfaces with lower security. So in my setup I modified my access-list
guest-in like the following:
access-list guest-in permit ip 192.168.20.0 255.255.255.0 host 10.1.1.7
Nothing more, just this single line. With respect to the interfaces guest and
inside this works as expected, e.g. guests reach 10.1.1.7 but nothing else
on inside. But in addition guests can't reach hosts behind outside anymore.
I thought outside has a security level of 0, guests has 50, so this should
work. In fact I have to do it like this:
access-list guest-in permit ip 192.168.20.0 255.255.255.0 host 10.1.1.7
access-list guest-in deny ip 192.168.20.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list guest-in permit ip any any

Did I misunderstand the meaning of security levels?

Regards,
Christoph Gartmann

 
 
Adam KOSA
Guest
Posts: n/a
 
      02-16-2005

Hi

Please correct me if I'm wrong, but I assume:

On Tue, 15 Feb 2005, Christoph Gartmann wrote:

> nameif ethernet1 inside security100
> nameif ethernet2 guests security50
>

that since inside is the high interface, guests is the low,

> ip address inside 10.1.1.1 255.255.0.0
> ip address guests 192.168.20.254 255.255.255.0
>

and the high interface is in network 10.1.0.0/16

> static (inside,guests) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 0 0
>


instead of the above, you would need a
static (inside,guests) 10.1.0.0 10.1.0.0 netmask 255.255.0.0

to make the 'high' (inside) network accessible for the 'low' (guests)
network.

However I don't see why this setting is different from plugging the guests
into the inside network (the access lists permit anything). I assume you are
using wide-open ACLs for testing purposes only, so the above should work.
But I'd narrow down the security policy right after I got the network up.

regards
Adam

A: No.
Q: Should I include quotations after my reply?


 
 
Christoph Gartmann
Guest
Posts: n/a
 
      02-16-2005
In article <(E-Mail Removed) >, Adam KOSA <(E-Mail Removed)> writes:

>that since inside is the high interface, guests is the low,


Correct.

>> static (inside,guests) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 0 0
>>

>
>instead of the above, you would need a
>static (inside,guests) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
>
>to make the 'high' (inside) network accessible for the 'low' (guests)
>network.


Yes, this helped.

>However i don't see why is this setting different from plugging the guests
>in the inside network (access lists permits anything). I assume you are
>using wide open ACL-s for testing purposes only, so the above should work.
>But i'd narrow down the secirity policy right after i got the network up.


Currently there is only one computer in the guest network, which is actually a
VLAN. You are right, this is for testing. Once things work as expected the
access-list will be a lot more restrictive.

Regards,
Christoph Gartmann

 
 
mcaissie
Guest
Posts: n/a
 
      02-16-2005
> access-list guest-in permit ip 192.168.20.0 255.255.255.0 host 10.1.1.7
> access-list guest-in deny ip 192.168.20.0 255.255.255.0 10.1.0.0 255.255.0.0
> access-list guest-in permit ip any any


Your access-group guest-in in interface guest will filter every packet
entering your guest interface, whether the destination is outside or inside.
Cisco says:

"For access from a higher security to a lower security level, nat and global
commands or static commands must be present. For access from a lower
security level to a higher security level, static and access-list commands
must be present. "

So for low-to-high you need to explicitly configure a static for the
destination, which is not the case for high-to-low. And I suppose that the
stateful inspection is more severe on packets coming from low-to-high than on
high-to-low.




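An added example, not from the thread or from Cisco: a small Python model of the rules the replies describe, run against the poster's addressing. It parses the access-list lines quoted above, treats a list bound with access-group as filtering every packet entering that interface whatever the destination, requires a static for the destination on low-to-high flows and nat/global or a static on high-to-low flows, and models the original ineffective static as no static at all. The interface networks, the sample hosts and the simplifications (protocol ignored, no return-traffic handling) are assumptions.

```python
import ipaddress

# Constructed model of the thread's PIX (not Cisco code): security level and
# connected network per interface; outside is the default route.
IFACES = {"inside": (100, ipaddress.ip_network("10.1.0.0/16")),
          "guests": (50, ipaddress.ip_network("192.168.20.0/24")),
          "outside": (0, ipaddress.ip_network("0.0.0.0/0"))}
# static (high_if,low_if) net net -> high-side net reachable from the low side
STATICS = {("inside", "guests"): ipaddress.ip_network("10.1.0.0/16")}
NAT_TO_OUTSIDE = {"inside", "guests"}  # nat (if) N ... plus global (outside) N

def iface_for(ip):
    """Longest-prefix match over connected networks; outside catches the rest."""
    addr = ipaddress.ip_address(ip)
    return max((n.prefixlen, name) for name, (_, n) in IFACES.items() if addr in n)[1]

def parse_ace(line):
    """'access-list NAME permit|deny PROTO SRC DST' -> (action, src_net, dst_net).
    Operands: any, host X, or ADDR MASK. Protocol is ignored (treated as ip)."""
    tok, i, nets = line.split(), 4, []
    while len(nets) < 2:
        if tok[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); i += 1
        elif tok[i] == "host":
            nets.append(ipaddress.ip_network(tok[i + 1] + "/32")); i += 2
        else:
            nets.append(ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")); i += 2
    return tok[2], nets[0], nets[1]

def permitted(src, dst, acl_lines, bound_to, statics=STATICS):
    """Decide a flow src->dst; acl_lines is the list applied with
    'access-group ... in interface <bound_to>' (bound_to=None: no list bound)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    sin, din = iface_for(src), iface_for(dst)
    if sin == din:
        return False, "same interface"
    if bound_to == sin:  # a bound list filters everything entering sin, any destination
        hit = next((a for a, sn, dn in map(parse_ace, acl_lines) if s in sn and d in dn), "deny")
        if hit == "deny":  # first match wins; implicit deny at the end
            return False, f"denied by access-list on {sin}"
    elif IFACES[sin][0] < IFACES[din][0]:
        return False, "low-to-high with no access-list"
    if IFACES[sin][0] > IFACES[din][0]:  # high-to-low: nat/global or static suffices
        ok = (din == "outside" and sin in NAT_TO_OUTSIDE) or (sin, din) in statics
        return ok, "high-to-low via nat/global or static" if ok else "no translation"
    static = statics.get((din, sin))  # low-to-high also needs a static for the destination
    ok = static is not None and d in static
    return ok, "low-to-high via static + access-list" if ok else "no static for destination"
```

With the single-line list, a guest reaches 10.1.1.7 but nothing on outside, which is the behaviour the poster observed; with the three-line list and with no list bound to guests, the model reproduces the other cases discussed in the thread.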