Velocity Reviews - Computer Hardware Reviews

Pix and router configuration

danny.bui@gmail.com
04-05-2006
Hi All,
I wonder if anyone can help me with the Cisco PIX configuration. Our
network is set up as follows:


Outside
|
|66.161.8.0/27
|
REMOTE PIX520---------DMZ 172.16.1.0/24
Colo |
|
|
Inside
|
|192.168.3.0/24
|
ROUTER A
|
192.168.6.0/24 | T1 P2P connect the cage @ Colo to HQ Office
|
ROUTER B
|
| 192.168.2.0/24
|
Corporate Network

Basically, we have a cage at a colo facility. A private T1 line
connects the HQ office to the cage. Internet access goes out from the
cage. The Cisco PIX is set up at the cage with 3 interfaces enabled:
outside, inside, dmz.

PIX config:
Outside 66.161.8.1
Inside 192.168.3.1
DMZ 172.16.1.1

Static (inside,dmz) 192.168.3.0 192.168.3.0 255.255.255.0 (no
translation between dmz and inside)
Static (inside,dmz) 192.168.2.0 192.168.2.0 255.255.255.0 (no
translation between dmz and corp)

Router A:
Serial0 192.168.6.1
E0 192.168.3.2

Router B
Serial0 192.168.6.2
E0 192.168.2.1

Routing table on PIX
0.0.0.0 0.0.0.0 66.161.8.2 (to the ISP to the internet)
192.168.2.0 255.255.255.0 192.168.3.2 (Router A Ethernet Interface)


Routing table on Router A
0.0.0.0 0.0.0.0 192.168.3.1 (Pix inside interface)
192.168.2.0 255.255.255.0 192.168.6.2 (Router B Serial Interface)

Routing table on Router B
0.0.0.0 0.0.0.0 192.168.6.1 (Router A serial interface)

All the routing and NAT and STATIC and GLOBAL are configured. Traffic
from the inside can get out to the Internet. Traffic from the HQ office
can get out to the Internet.

The hosts from the HQ office can talk to the hosts on the DMZ segment,
since there is a STATIC (inside,dmz) 192.168.2.0 192.168.2.0
255.255.255.0. For instance, DMZ_A (172.16.1.10) can ping
HQ_A (192.168.2.10), and vice versa. There is also the access-list for
the dmz.

Hosts from the DMZ can talk to hosts on the inside of the PIX as well.


*****************************************************************
The problem I have is that the host on the inside, INSIDE_A (192.168.3.10),
CANNOT talk to the host HQ_A (192.168.2.10), and vice versa. I guess
there is no NAT or STATIC to tie the 192.168.2.0 addresses to the inside
interface on the PIX.

If I add a static route on the hosts on the inside segment, then
they can communicate. For instance, on host INSIDE_A, if I add
"route add 192.168.2.0 mask 255.255.255.0 192.168.3.2", host INSIDE_A can
talk to host HQ_A.

In short, if a host on the 192.168.3.0/24 segment wants to talk to a
host on the 192.168.2.0/24 segment, it has to bypass the PIX, which is the
default gateway for all the hosts on that segment, and go directly to
ROUTER A. Otherwise, if we let the PIX decide, it will drop the
packets, since there is no NAT or STATIC for the 192.168.2.0 addresses.

I have talked to someone, and he mentioned IP redirects on the
PIX. Does anyone have any idea how to make this configuration work
without adding a static route on every host on the inside segment?
Please help!

I apologize for the long description of the problem. Please help.
Thanks a million!

Danny

 
Martin Bilgrav
04-06-2006

<> wrote in message
news: oups.com...
> *****************************************************************
> The problem I have is that the host on the inside, INSIDE_A (192.168.3.10),
> CANNOT talk to the host HQ_A (192.168.2.10), and vice versa. I guess
> there is no NAT or STATIC to tie the 192.168.2.0 addresses to the inside
> interface on the PIX.
>
> If I add a static route on the hosts on the inside segment, then
> they can communicate. For instance, on host INSIDE_A, if I add
> "route add 192.168.2.0 mask 255.255.255.0 192.168.3.2", host INSIDE_A can
> talk to host HQ_A.
>
> In short, if a host on the 192.168.3.0/24 segment wants to talk to a
> host on the 192.168.2.0/24 segment, it has to bypass the PIX, which is the
> default gateway for all the hosts on that segment, and go directly to
> ROUTER A. Otherwise, if we let the PIX decide, it will drop the
> packets, since there is no NAT or STATIC for the 192.168.2.0 addresses.
>
> I have talked to someone, and he mentioned IP redirects on the
> PIX. Does anyone have any idea how to make this configuration work
> without adding a static route on every host on the inside segment?
> Please help!


Great description you give!
Your problem is that your INSIDE hosts have the PIX inside interface as
gateway.
So when the inside hosts want to talk to HQ, they ask the PIX for
directions.
BUT the PIX is not a router, and the PIX will not give ICMP redirects!
If you debug ICMP on the PIX you will see this.

The resolution is to have your inside hosts use the router as default gateway.
This way the router will send ICMP redirects whenever the hosts need to
go to the Internet instead.
Depending on your number of inside hosts and router hardware, and if it's
Cisco, the IOS version, this could cause problems that you need to fix
first, but again it might also not be a problem.

If you run DHCP on your clients it is pretty simple to change the gateway option
on the scope.
Also, if your clients use personal firewall software, this needs to allow
the ICMP redirect, obviously.

HTH
Martin Bilgrav


 
danny.bui@gmail.com
04-06-2006
Thanks Martin,
I know it works fine if I have the hosts using the router as the
gateway. I will be able to get back to the corporate office with no
problem. However, there are some issues with using the router as
default gateway. For instance, when I connect to the VPN, I won't be
able to connect to those hosts, since the router doesn't know where to
go when the VPN is connected to the PIX.

Another concern I have is, when a host from the outside or DMZ tries to
contact a host inside, traffic will be forwarded to the PIX. The PIX
will then hand the request to the inside host without going past the
router (since the inside interface is local to the hosts). When the inside
host sends back the acknowledgement to the requesting host on the DMZ or
outside, the inside host will then go to the router instead of going
back to the PIX, since the router is its default gateway. This might
be a problem then, because the request and reply are not going through
the same connection.

In short, using the router as the default gateway for the inside hosts
will allow them to communicate with the hosts in the HQ with no
problem. However, it might cause conflicts for hosts from other
interfaces communicating with those hosts on the INSIDE interface.

I hope this makes sense.

Thanks for your insights!
Danny

 
Martin Bilgrav
04-07-2006

<> wrote in message
news: oups.com...
> Thanks Martin,
> I know it works fine if I have the hosts using the router as the
> gateway. I will be able to get back to the corporate office with no
> problem. However, there are some issues with using the router as
> default gateway. For instance, when I connect to the VPN, I won't be
> able to connect to those hosts, since the router doesn't know where to
> go when the VPN is connected to the PIX.
>


Not correct. As the router has a default route to the PIX, the inside hosts
will reach the VPN clients.
Else you might have a nonat issue, or likely do, if you cannot.
Routing for sure is not the problem.

> Another concern I have is, when a host from the outside or DMZ tries to
> contact a host inside, traffic will be forwarded to the PIX. The PIX
> will then hand the request to the inside host without going past the
> router (since the inside interface is local to the hosts). When the inside
> host sends back the acknowledgement to the requesting host on the DMZ or
> outside, the inside host will then go to the router instead of going
> back to the PIX, since the router is its default gateway.


Partly correct - whenever the inside hosts need to go to outside hosts
(i.e. also DMZ hosts), they will contact their default gw, which will send an ICMP
redirect to the inside hosts.
The client will "remember" this ICMP redirect for a period of time and the
router will only send it once for that period of time.


> This might
> be a problem then, because the request and reply are not going through
> the same connection.


No - you get a redirect from the router.

>
> In short, using the router as the default gateway for the inside hosts
> will allow them to communicate with the hosts in the HQ with no
> problem. However, it might cause conflicts for hosts from other
> interfaces communicating with those hosts on the INSIDE interface.
>
> I hope this makes sense.
>
> Thanks for your insights!
> Danny
>



 
danny.bui@gmail.com
04-07-2006
Thanks... it seems to work fine using the router as default gateway.
For the VPN issue, I just added a static route on the router for the
VPN IP addresses to point back to the PIX. This way, it knows how to
get back to the VPN clients.

Thanks so much for your help!
Danny

 
danny.bui@gmail.com
04-08-2006
Hi Martin,
I just started some more testing, and the configuration of using the
router for the default gateway causes the issues that I was concerned
about earlier. I created a static NAT for one of the hosts on the inside
interface, and tried to access it using port 80 from the Internet. It
didn't work. As I suspected, the PIX created a connection and
forwarded the request to the NATted host. However, when the host
replied, it forwarded its reply to the router instead of the PIX.
This caused the problem. The PIX was waiting for a response from the
host, but never got a response from it. Instead it got the response from
the router. Therefore, the PIX dropped the connection.

As soon as I used the PIX as the default gateway, I was able to access
the web page with no problem. I guess using the router as the default
gateway is not the best solution. It allowed connections to the
backdoor of the PIX, but created a problem for connections from the
outside.

Please advise. Thanks
Danny

 
Martin Bilgrav
04-16-2006


<> wrote in message
news: ups.com...
> Hi Martin,
> I just started some more testing, and the configuration of using the
> router for the default gateway causes the issues that I was concerned
> about earlier. I created a static NAT for one of the hosts on the inside
> interface, and tried to access it using port 80 from the Internet. It
> didn't work. As I suspected, the PIX created a connection and
> forwarded the request to the NATted host. However, when the host
> replied, it forwarded its reply to the router instead of the PIX.
> This caused the problem. The PIX was waiting for a response from the
> host, but never got a response from it. Instead it got the response from
> the router. Therefore, the PIX dropped the connection.


Sorry for my late answer - Easter holidays here...

I would not recommend doing a static for an inside host at all.
This would compromise your security integrity.
It makes all the sense in the world that when you create a static to the
inside, and the inside uses a different gw, you experience what you
describe.

Unless the inside hosts in your setup are inside to the router as well.
In this case you have a config mismatch somewhere.



>
> As soon as I used the PIX as the default gateway, I was able to access
> the web page with no problem. I guess using the router as the default
> gateway is not the best solution.


Good or not - it is the only solution to your problem, as the PIX will never
send you any redirects.
But what you can do is daisy chain your router with your PIX, and hence
have a "link-net" between the PIX and the router, with no hosts on it. Then use
the backside of the router as gw.


> It allowed connections to the
> backdoor of the PIX, but created a problem for connections from the
> outside.


Not sure what you mean by this?

>
> Please advise. Thanks


Hope I did....



> Danny
>



 
rdymek@gmail.com
04-17-2006
The "daisy chain" method is actually the most common scenario that I've
seen (this not only solves your issue, but also increases security).
The way I usually accomplish this is to set up a /30 (point to
point, only 2 hosts: the PIX and the router). Make all your inside
routes (i.e. 192.168.2.0/24) with the next hop of the router end of the
/30. Then the router will know how to handle everything from that
point forward. That will take care of routing from the PIX to the
inside. Then you make the router the DG for the inside hosts, and now
you've got connectivity in both directions following the same path, so
the PIX will be happy with no issues regarding VPN.

If your router only has one Ethernet interface, then to accomplish this
you may need to use ISL or 802.1q trunking to create two VLANs. One
would be the /30 from the PIX, the other the local network. Use
trunks: I highly discourage the use of secondary addresses.

Your environment is pretty standard, so if you have any further issues,
please feel free to ask any questions you may have and most of the
people on this board should be able to answer them without any
problems.

Ryan
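
The link-net layout Martin and Ryan describe, written out as an added example in PIX 6.x and IOS syntax; it is not configuration posted by anyone in the thread. The /30 link-net 192.168.7.0/30, the interface names FastEthernet0/0 and Serial0 on Router A, and the VLAN ids 10 and 20 are assumptions chosen for illustration; the other addresses are the ones from Danny's diagram, and the existing global (outside) 1 statement is assumed to stay in place.

```cisco
! --- PIX (6.x syntax). The inside interface moves onto the /30 link-net;
! --- 192.168.7.0/30 is an assumed link-net, not from the thread.
ip address outside 66.161.8.1 255.255.255.224
ip address inside 192.168.7.1 255.255.255.252
ip address dmz 172.16.1.1 255.255.255.0
! Both inside networks now sit behind Router A, so the PIX never has to
! hairpin 192.168.3.0 <-> 192.168.2.0 traffic or send a redirect.
route outside 0.0.0.0 0.0.0.0 66.161.8.2 1
route inside 192.168.3.0 255.255.255.0 192.168.7.2 1
route inside 192.168.2.0 255.255.255.0 192.168.7.2 1
! Internet NAT for both inside networks; identity statics keep the
! inside <-> dmz traffic untranslated, as in Danny's original config.
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0 0 0
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 0 0

! --- Router A (IOS). A single 802.1q trunk carries two VLANs (ids 10 and
! --- 20 are assumed); with two physical ports, use them instead.
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.10
 description link-net to PIX inside - no hosts on this VLAN
 encapsulation dot1Q 10
 ip address 192.168.7.2 255.255.255.252
!
interface FastEthernet0/0.20
 description inside LAN - default gateway for 192.168.3.0/24 hosts
 encapsulation dot1Q 20
 ip address 192.168.3.2 255.255.255.0
!
interface Serial0
 description T1 to Router B at HQ
 ip address 192.168.6.1 255.255.255.0
!
! Default route to the PIX (also covers VPN client pools terminated on
! the PIX), HQ via the T1. Inbound and outbound flows now take the same
! path PIX -> Router A -> host, so PIX connection tracking stays consistent.
ip route 0.0.0.0 0.0.0.0 192.168.7.1
ip route 192.168.2.0 255.255.255.0 192.168.6.2
```

Inside hosts then use 192.168.3.2 as their default gateway and need no per-host routes; Router A forwards Internet-bound traffic to the PIX over the link-net and HQ-bound traffic over the T1.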

 