Pix and router configuration

Discussion in 'Cisco' started by danny.bui@gmail.com, Apr 6, 2006.

  1. Guest

    Hi All,
    Wonder if anyone can help me with the Cisco PIX configuration. Our
    network is set up as follows:


    Outside
    |
    |66.161.8.0/27
    |
    REMOTE PIX520---------DMZ 172.16.1.0/24
    Colo |
    |
    |
    Inside
    |
    |192.168.3.0/24
    |
    ROUTER A
    |
    192.168.6.0/24 | T1 P2P connect the cage @ Colo to HQ Office
    |
    ROUTER B
    |
    | 192.168.2.0/24
    |
    Corporate Network

    Basically, we have a cage at a colo facility. A private T1 line
    connects the HQ office to the cage. Internet access goes out through
    the cage. The Cisco PIX is set up at the cage with 3 interfaces
    enabled: outside, inside, dmz.

    PIX config:
    Outside 66.161.8.1
    Inside 192.168.3.1
    DMZ 172.16.1.1

    Static (inside,dmz) 192.168.3.0 192.168.3.0 255.255.255.0 (no
    translation between dmz & inside)
    Static (inside,dmz) 192.168.2.0 192.168.2.0 255.255.255.0 (no
    translation between dmz and corp)

    Router A:
    Serial0 192.168.6.1
    E0 192.168.3.2

    Router B
    Serial0 192.168.6.2
    E0 192.168.2.1

    Routing table on PIX
    0.0.0.0 0.0.0.0 66.161.8.2 (to the ISP to the internet)
    192.168.2.0 255.255.255.0 192.168.3.2 (Router A Ethernet Interface)


    Routing table on Router A
    0.0.0.0 0.0.0.0 192.168.3.1 (Pix inside interface)
    192.168.2.0 255.255.255.0 192.168.6.2 (Router B Serial Interface)

    Routing table on Router B
    0.0.0.0 0.0.0.0 192.168.6.1 (Router A serial interface)

    All the routing and NAT and STATIC and GLOBAL are configured. Traffic
    from the inside can get out to the internet. Traffic from HQ office
    can get out to the internet.

    The hosts from the HQ office can talk to the hosts on the DMZ segment,
    since there is a STATIC (inside,dmz) 192.168.2.0 192.168.2.0
    255.255.255.0. For instance, DMZ_A (172.16.1.10) can ping
    HQ_A (192.168.2.10), and vice versa. There is also the access-list for
    dmz.

    Hosts from the DMZ can talk to the hosts on the inside of the PIX as well.


    *****************************************************************************************************
    The problem I have is that the host on the inside, INSIDE_A (192.168.3.10),
    CANNOT talk to the host HQ_A (192.168.2.10), and vice versa. I guess
    there is no NAT or STATIC to tie the 192.168.2.0 addresses on the PIX
    to the inside interface.

    If I add a static route on the hosts on the Inside segment, then
    they can communicate. For instance, on host INSIDE_A, if I add
    "route add 192.168.2.0 mask 255.255.255.0 192.168.3.2", host INSIDE_A can
    talk to host HQ_A.

    In short, if a host on the 192.168.3.0/24 segment wants to talk to a
    host on the 192.168.2.0/24 segment, it has to bypass the PIX, which is the
    default gateway for all the hosts on that segment, and go directly to
    ROUTER A. Otherwise, if I let the PIX decide, it will drop the
    packets since there is no NAT or STATIC for the 192.168.2.0 addresses.

    I have talked to someone, and he mentioned IP redirects on the
    PIX. Does anyone have any idea how to make this configuration work
    without adding a static route on every host on the inside segment?
    Please help!

    I apologize for the long description of the problem. Please help.
    Thanks a million!

    Danny
     
    , Apr 6, 2006
    #1

  2. <> wrote in message
    news:...
    > The problem I have is that the host on the inside, INSIDE_A (192.168.3.10),
    > CANNOT talk to the host HQ_A (192.168.2.10), and vice versa. I guess
    > there is no NAT or STATIC to tie the 192.168.2.0 addresses on the PIX
    > to the inside interface.
    >
    > If I add a static route on the hosts on the Inside segment, then
    > they can communicate. For instance, on host INSIDE_A, if I add
    > "route add 192.168.2.0 mask 255.255.255.0 192.168.3.2", host INSIDE_A can
    > talk to host HQ_A.
    >
    > In short, if a host on the 192.168.3.0/24 segment wants to talk to a
    > host on the 192.168.2.0/24 segment, it has to bypass the PIX, which is the
    > default gateway for all the hosts on that segment, and go directly to
    > ROUTER A. Otherwise, if I let the PIX decide, it will drop the
    > packets since there is no NAT or STATIC for the 192.168.2.0 addresses.
    >
    > I have talked to someone, and he mentioned IP redirects on the
    > PIX. Does anyone have any idea how to make this configuration work
    > without adding a static route on every host on the inside segment?
    > Please help!


    Great description you give!
    Your problem is that your INSIDE hosts have the PIX inside interface as
    gateway.
    So when the inside hosts want to talk to HQ, they ask the PIX for
    directions.
    BUT the PIX is not a router, and the PIX will not give ICMP redirects!
    If you debug ICMP on the PIX you will see this.

    Resolution is to have your inside hosts use the router as default gateway.
    This way the router will send ICMP redirects whenever the hosts need to
    go to the Internet instead.
    Depending on your number of inside hosts and router hardware, and if it's
    Cisco, the IOS version, this could cause problems that you need to fix
    first, but again it might also not be a problem.

    If you run DHCP on your clients it is pretty simple to change the gateway
    option on the scope.
    Also, if your clients use personal firewall software, this needs to allow
    the ICMP redirect, obviously.

    HTH
    Martin Bilgrav
     
    Martin Bilgrav, Apr 6, 2006
    #2

  3. Guest

    Thanks Martin,
    I know it works fine if I have the hosts use the router as the
    gateway. I will be able to get back to the corporate office with no
    problem. However, there are some issues with using the router as
    default gateway. For instance, when I connect to the VPN, I won't be
    able to connect to those hosts, since the router doesn't know where to
    go when the VPN is connected to the PIX.

    Another concern I have is, when a host from the outside or DMZ tries to
    contact a host inside, traffic will be forwarded to the PIX. The PIX
    then will hand the request to the inside host without going past the
    router (since the inside interface is local to the hosts). When the inside
    host sends back the acknowledgement to the requesting host on the DMZ or
    outside, the inside host will then go to the router instead of going
    back to the PIX, since the router is its default gateway. This might
    be a problem then, because the request and reply are not going through
    the same connection.

    In short, using the router as the default gateway for the inside hosts
    will allow them to communicate with the hosts in the HQ with no
    problem. However, it might cause conflicts for hosts on other
    interfaces communicating with those hosts on the INSIDE interface.

    I hope this makes sense.

    Thanks for your insights!
    Danny
     
    , Apr 6, 2006
    #3
  4. <> wrote in message
    news:...
    > Thanks Martin,
    > I know it works fine if I have the hosts use the router as the
    > gateway. I will be able to get back to the corporate office with no
    > problem. However, there are some issues with using the router as
    > default gateway. For instance, when I connect to the VPN, I won't be
    > able to connect to those hosts, since the router doesn't know where to
    > go when the VPN is connected to the PIX.
    >


    Not correct. As the router has a default route to the PIX, the inside hosts
    will reach the VPN clients.
    Else you might have a nonat issue, or likely so if you cannot.
    Routing for sure is not the problem.

    > Another concern I have is, when a host from the outside or DMZ tries to
    > contact a host inside, traffic will be forwarded to the PIX. The PIX
    > then will hand the request to the inside host without going past the
    > router (since the inside interface is local to the hosts). When the inside
    > host sends back the acknowledgement to the requesting host on the DMZ or
    > outside, the inside host will then go to the router instead of going
    > back to the PIX, since the router is its default gateway.


    Partly correct. Whenever the inside hosts need to go to outside hosts
    (i.e. also DMZ hosts), they will contact their default gw, which will send
    an ICMP redirect to the inside hosts.
    The client will "remember" this ICMP redirect for a period of time, and the
    router will only send it once for that period of time.


    >This might
    > be a problem then, because the request and reply are not going through
    > the same connection.


    No, you get a redirect from the router.

    >
    > In short, using the router as the default gateway for the inside hosts
    > will allow them to communicate with the hosts in the HQ with no
    > problem. However, it might cause conflicts for hosts on other
    > interfaces communicating with those hosts on the INSIDE interface.
    >
    > I hope this makes sense.
    >
    > Thanks for your insights!
    > Danny
    >
     
    Martin Bilgrav, Apr 7, 2006
    #4
  5. Guest

    Thanks... it seems to work fine using the router as default gateway.
    For the VPN issue, I just added a static route on the router for the
    VPN IP addresses to point back to the PIX. This way, it knows how to
    get back to the VPN clients.

    Thanks so much for your help!
    Danny
     
    , Apr 7, 2006
    #5
  6. Guest

    Hi Martin,
    I just started some more testing, and the configuration of using the
    router for the default gateway causes the issues that I was concerned
    about earlier. I created a static NAT for one of the hosts on the Inside
    interface, and tried to access it using port 80 from the Internet. It
    didn't work. As I suspected, the PIX created a connection and
    forwarded the request to the NATted host. However, when the host
    replied back, it forwarded its reply to the router instead of the PIX.
    This caused the problem. The PIX was waiting for a response from the
    host, but never got a response from it. Instead it got the response from
    the router. Therefore, the PIX dropped the connection.

    As soon as I used the PIX as the default gateway, I was able to access
    the web page with no problem. I guess using the router as the default
    gateway is not the best solution. It allowed connections through the
    backdoor of the PIX, but created a problem for connections from the
    outside.

    Please advise. Thanks
    Danny
     
    , Apr 8, 2006
    #6
  7. <> wrote in message
    news:...
    > Hi Martin,
    > I just started some more testing, and the configuration of using the
    > router for the default gateway causes the issues that I was concerned
    > about earlier. I created a static NAT for one of the hosts on the Inside
    > interface, and tried to access it using port 80 from the Internet. It
    > didn't work. As I suspected, the PIX created a connection and
    > forwarded the request to the NATted host. However, when the host
    > replied back, it forwarded its reply to the router instead of the PIX.
    > This caused the problem. The PIX was waiting for a response from the
    > host, but never got a response from it. Instead it got the response from
    > the router. Therefore, the PIX dropped the connection.


    Sorry for my late answer - Easter holidays here...

    I would not recommend doing a static for an inside host at all.
    This would compromise your security integrity.
    It makes all the sense in the world that when you create a static to the
    inside, and the inside uses a different gw, you experience what you
    describe.

    Unless the inside hosts in your setup are inside to the router as well.
    In this case, you have a config mismatch somewhere.



    >
    > As soon as I used the PIX as the default gateway, I was able to access
    > the web page with no problem. I guess using the router as the default
    > gateway is not the best solution.


    Good or not, it is the only solution to your problem, as the PIX will never
    send you any redirects.
    But what you can do is daisy chain your router with your PIX, and hence
    have a "link-net" between the PIX and the router, with no hosts on it. Then
    use the backside of the router as gw.


    > It allowed connections through the
    > backdoor of the PIX, but created a problem for connections from the
    > outside.


    Not sure what you mean by this?

    >
    > Please advise. Thanks


    Hope I did....

    8)

    > Danny
    >
     
    Martin Bilgrav, Apr 16, 2006
    #7
  8. Guest

    The "Daisy Chain" method is actually the most common scenario that I've
    seen (this not only solves your issue, but also increases security).
    The way I usually accomplish this is to set up a /30 (point to
    point, only 2 hosts: the PIX and the router). Make all your inside
    routes (i.e. 192.168.2.0/24) with the next hop of the router end of the
    /30. Then the router will know how to handle everything from that
    point forward. That will take care of routing from the PIX to the
    inside. Then you make the router the DG for the inside hosts, and now
    you've got connectivity in both directions following the same path, so
    the PIX will be happy with no issues regarding VPN.

    If your router only has one Ethernet interface, then to accomplish this
    you may need to use ISL or 802.1q trunking to create two VLANs. One
    would be the /30 from the PIX, the other the local network. Use
    trunks; I highly discourage the use of secondary addresses.

    Your environment is pretty standard so if you have any further issues,
    please feel free to ask any questions you may have and most of the
    people on this board should be able to answer them without any
    problems.

    Ryan
     
    , Apr 17, 2006
    #8
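The routing behaviour argued over in this thread can be checked on paper before touching the boxes. The following Python model is an added example, not code from the thread or from Cisco: it rebuilds the posted topology from the addresses in post #1, traces a packet hop by hop with longest-prefix matching, and applies the one PIX rule Martin relies on in posts #2 and #4 (the PIX does not redirect, so a packet that would leave the inside interface it arrived on is dropped). `round_trip` then checks what Danny describes in posts #3 and #6, namely whether request and reply follow the same hops. The 192.168.7.0/30 link-net used for Ryan's daisy chain in post #8 and the VLAN subinterface names `e0.10`/`e0.20` are assumptions; NAT, ACLs and the static are not modelled, and the ISP host's 192.168.0.0/16 route stands in for the static NAT. The model makes no claim about how the PIX itself reacts to the asymmetric reply; it only shows that the reply path differs.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the thread's topology (added example). Addresses of the
# PIX, Router A/B, INSIDE_A, HQ_A, DMZ_A and the ISP next hop are those given
# in the thread; the 192.168.7.0/30 link-net and the e0.10/e0.20 subinterface
# names of the daisy-chain variant are assumptions. Routing only: no NAT/ACLs.


@dataclass
class Node:
    name: str
    kind: str        # 'host', 'router' or 'firewall'
    ifaces: dict     # interface name -> 'a.b.c.d/len'
    routes: list = field(default_factory=list)   # [(prefix, next_hop)]

    def connected_if(self, ip):
        """Interface whose subnet contains ip, or None."""
        ip = ipaddress.ip_address(ip)
        for ifname, cidr in self.ifaces.items():
            if ip in ipaddress.ip_interface(cidr).network:
                return ifname
        return None

    def lookup(self, dst):
        """Longest-prefix match over connected subnets and static routes.
        Returns (egress interface, next hop); next hop is None when connected."""
        dst = ipaddress.ip_address(dst)
        best = (-1, None, None)
        for ifname, cidr in self.ifaces.items():
            net = ipaddress.ip_interface(cidr).network
            if dst in net and net.prefixlen > best[0]:
                best = (net.prefixlen, ifname, None)
        for prefix, nh in self.routes:
            net = ipaddress.ip_network(prefix)
            out = self.connected_if(nh)   # next hop must be on a connected link
            if dst in net and out and net.prefixlen > best[0]:
                best = (net.prefixlen, out, nh)
        return best[1], best[2]


def host_ip(node):
    return str(ipaddress.ip_interface(next(iter(node.ifaces.values()))).ip)


def trace(nodes, src, dst):
    """Follow one packet from host `src` to address `dst`: (hop names, verdict)."""
    by_ip = {ipaddress.ip_interface(c).ip: (n, i)
             for n in nodes.values() for i, c in n.ifaces.items()}
    node, in_if, path = nodes[src], None, [src]
    for _ in range(10):
        out_if, nh = node.lookup(dst)
        if out_if is None:
            return path, f"no route on {node.name}"
        # PIX 6.x does not redirect or hairpin: same-interface traffic is dropped.
        if node.kind == "firewall" and out_if == in_if:
            return path, f"dropped by {node.name}: would go back out {in_if}"
        hop = by_ip.get(ipaddress.ip_address(nh or dst))
        if hop is None:
            return path, f"next hop {nh or dst} is not on the link"
        node, in_if = hop
        path.append(node.name)
        if nh is None:
            return path, "delivered"
    return path, "routing loop"


def round_trip(nodes, client, server):
    """Request and reply paths; ok only if both deliver over the same hops."""
    fwd, v1 = trace(nodes, client, host_ip(nodes[server]))
    rev, v2 = trace(nodes, server, host_ip(nodes[client]))
    ok = v1 == "delivered" and v2 == "delivered" and rev == fwd[::-1]
    return {"forward": fwd, "reverse": rev, "ok": ok}


def _common():
    return {
        # ISP route for 192.168.0.0/16 stands in for the static NAT (assumption)
        "ISP": Node("ISP", "host", {"e0": "66.161.8.2/27"},
                    [("192.168.0.0/16", "66.161.8.1")]),
        "HQ_A": Node("HQ_A", "host", {"e0": "192.168.2.10/24"},
                     [("0.0.0.0/0", "192.168.2.1")]),
        "DMZ_A": Node("DMZ_A", "host", {"e0": "172.16.1.10/24"},
                      [("0.0.0.0/0", "172.16.1.1")]),
        "RouterB": Node("RouterB", "router",
                        {"s0": "192.168.6.2/24", "e0": "192.168.2.1/24"},
                        [("0.0.0.0/0", "192.168.6.1")]),
    }


def thread_topology(inside_gw):
    """The setup as posted. inside_gw is INSIDE_A's default gateway:
    192.168.3.1 (the PIX, post #1) or 192.168.3.2 (Router A, post #6)."""
    n = _common()
    n["PIX"] = Node("PIX", "firewall",
                    {"outside": "66.161.8.1/27", "inside": "192.168.3.1/24",
                     "dmz": "172.16.1.1/24"},
                    [("0.0.0.0/0", "66.161.8.2"), ("192.168.2.0/24", "192.168.3.2")])
    n["RouterA"] = Node("RouterA", "router",
                        {"s0": "192.168.6.1/24", "e0": "192.168.3.2/24"},
                        [("0.0.0.0/0", "192.168.3.1"), ("192.168.2.0/24", "192.168.6.2")])
    n["INSIDE_A"] = Node("INSIDE_A", "host", {"e0": "192.168.3.10/24"},
                         [("0.0.0.0/0", inside_gw)])
    return n


def daisy_chain_topology():
    """Ryan's variant: assumed /30 link-net 192.168.7.0/30 between PIX and
    Router A, inside LAN on a second router subinterface, router as inside gw."""
    n = _common()
    n["PIX"] = Node("PIX", "firewall",
                    {"outside": "66.161.8.1/27", "inside": "192.168.7.1/30",
                     "dmz": "172.16.1.1/24"},
                    [("0.0.0.0/0", "66.161.8.2"), ("192.168.2.0/24", "192.168.7.2"),
                     ("192.168.3.0/24", "192.168.7.2")])
    n["RouterA"] = Node("RouterA", "router",
                        {"s0": "192.168.6.1/24", "e0.10": "192.168.7.2/30",
                         "e0.20": "192.168.3.2/24"},
                        [("0.0.0.0/0", "192.168.7.1"), ("192.168.2.0/24", "192.168.6.2")])
    n["INSIDE_A"] = Node("INSIDE_A", "host", {"e0": "192.168.3.10/24"},
                         [("0.0.0.0/0", "192.168.3.2")])
    return n
```

Running `trace(thread_topology("192.168.3.1"), "INSIDE_A", "192.168.2.10")` reproduces post #1: the PIX's route for 192.168.2.0/24 points back out the inside interface, so the packet is dropped. With Router A as gateway, `round_trip(..., "ISP", "INSIDE_A")` shows the request arriving PIX -> INSIDE_A but the reply returning INSIDE_A -> RouterA -> PIX, the asymmetry Danny hit in post #6. With `daisy_chain_topology()` every pair (ISP, DMZ_A, HQ_A against INSIDE_A) comes back symmetric, because the PIX has no hosts on its inside link and all inside prefixes route via the router end of the /30.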
