PIX routing or access-list problem?

Discussion in 'Cisco' started by Christoph Gartmann, Feb 15, 2005.

  1. Hello,

    with my Pix I had the following setup:

    outside --- Pix --- inside

    Now I added a separate LAN for external PCs. I added this LAN to interface
    ethernet 2. Now things look like this:

    outside --- Pix --- inside
                 |
                 +----- guests

    Guests have addresses 192.168.20.x, inside computers 10.1.y.x.
    Guests are able to connect to outside using NAT & PAT. But I can't get
    the connection between guests and inside to work. The relevant config
    of the Pix:

    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 guests security50

    access-list guest-in permit ip any any
    access-list guest-in permit icmp any any

    ip address outside 192.168.2.253 255.255.255.248
    ip address inside 10.1.1.1 255.255.0.0
    ip address guests 192.168.20.254 255.255.255.0

    global (outside) 1 195.37.209.97
    global (outside) 2 195.37.209.98
    nat (inside) 1 10.1.0.0 255.255.0.0 0 0
    nat (guests) 2 192.168.20.0 255.255.255.0 0 0

    static (inside,guests) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 0 0

    access-group guest-in in interface guests

    route outside 0.0.0.0 0.0.0.0 192.168.2.254 1


    The Pix is able to ping to guests, inside is not able to reach guests. What
    am I missing?

    Regards,
    Christoph Gartmann

    --
    Max-Planck-Institut fuer Immunbiologie    Phone : +49-761-5108-464 Fax: -452
    Postfach 1169                             Internet: gartmann@immunbio dot mpg dot de
    D-79011 Freiburg, Germany
    http://www.immunbio.mpg.de/home/menue.html

    Christoph Gartmann, Feb 15, 2005, #1

  2. mcaissie

    *********
    You may try

    static (inside,guests) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0

    instead of

    static (inside,guests) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 0 0

    *************
    The command "static (int1,int2 ) fake_ip real_ip"
    translates the real_ip of int1 for the fake_ip on int2

    but since 192.168.20.0 is not a real_ip of your interface inside
    "static (inside,guests) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 0 0"
    doesn't accomplish anything

    but
    static (inside,guests) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0
    will make your inside network accessible to your guests network.
    You can then filter your access from guests to inside with your
    access-list guest-in
    and your access from inside to guest with an access-list inside-in


    mcaissie, Feb 15, 2005, #2

  3. In article <9trQd.431$%y.391@clgrps12>, "mcaissie" <> writes:
    >*********
    >You may try
    >
    >static (inside,guests) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0
    >
    >instead of
    >
    >static (inside,guests) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 0 0
    >
    >*************
    >The command "static (int1,int2 ) fake_ip real_ip"
    >translates the real_ip of int1 for the fake_ip on int2
    >
    >but since 192.168.20.0 is not a real_ip of your interface inside
    >"static (inside,guests) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 0 0"
    >doesn't accomplish anything
    >
    >but
    >static (inside,guests) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0
    >will make your inside network accessible to your guests network.
    >You can then filter your access from guests to inside with your
    >access-list guest-in
    >and your access from inside to guest with an access-list inside-in


    Thank you very much, now things work as expected.

    But there is still one thing that puzzles me:
    I thought that packets from an interface with higher security will reach
    interfaces with lower security. So in my setup I modified my access-list
    guest-in like the following:
    access-list guest-in permit ip 192.168.20.0 255.255.255.0 host 10.1.1.7
    Nothing more, just this single line. With respect to the interfaces guest and
    inside this works as expected, e.g. guests reach 10.1.1.7 but nothing else
    on inside. But in addition guests can't reach hosts behind outside anymore.
    I thought outside has a security level of 0, guests has 50, so this should
    work. In fact I have to do it like this:
    access-list guest-in permit ip 192.168.20.0 255.255.255.0 host 10.1.1.7
    access-list guest-in deny ip 192.168.20.0 255.255.255.0 10.1.0.0 255.255.0.0
    access-list guest-in permit ip any any

    Did I misunderstand the meaning of security levels?

    Regards,
    Christoph Gartmann

    Christoph Gartmann, Feb 16, 2005, #3
  4. Adam KOSA

    Hi

    Please correct me if I'm wrong, but I assume:

    On Tue, 15 Feb 2005, Christoph Gartmann wrote:

    > nameif ethernet1 inside security100
    > nameif ethernet2 guests security50
    >

    that since inside is the high interface, guests is the low,

    > ip address inside 10.1.1.1 255.255.0.0
    > ip address guests 192.168.20.254 255.255.255.0
    >

    and the high interface is in network 10.1.0.0/16

    > static (inside,guests) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 0 0
    >


    instead of the above, you would need a
    static (inside,guests) 10.1.0.0 10.1.0.0 netmask 255.255.0.0

    to make the 'high' (inside) network accessible for the 'low' (guests)
    network.

    However, I don't see why this setting is different from plugging the guests
    into the inside network (the access lists permit anything). I assume you are
    using wide open ACLs for testing purposes only, so the above should work.
    But I'd narrow down the security policy right after I got the network up.

    regards
    Adam

    A: No.
    Q: Should I include quotations after my reply?
    Adam KOSA, Feb 16, 2005, #4
  5. In article <>, Adam KOSA <> writes:

    >that since inside is the high interface, guests is the low,


    Correct.

    >> static (inside,guests) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 0 0
    >>

    >
    >instead of the above, you would need a
    >static (inside,guests) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
    >
    >to make the 'high' (inside) network accessible for the 'low' (guests)
    >network.


    Yes, this helped.

    >However i don't see why is this setting different from plugging the guests
    >in the inside network (access lists permits anything). I assume you are
    >using wide open ACL-s for testing purposes only, so the above should work.
    >But i'd narrow down the secirity policy right after i got the network up.


    Currently there is only one computer in the guest network, which is actually a
    VLAN. You are right, this is for testing. Once things work as expected the
    access-list will be a lot more restrictive.

    Regards,
    Christoph Gartmann

    Christoph Gartmann, Feb 16, 2005, #5
  6. mcaissie

    > access-list guest-in permit ip 192.168.20.0 255.255.255.0 host 10.1.1.7
    > access-list guest-in deny ip 192.168.20.0 255.255.255.0 10.1.0.0 255.255.0.0
    > access-list guest-in permit ip any any


    Your access-group guest-in in interface guests will filter every packet
    entering your guests interface, whether the destination is outside or inside.
    Cisco says:

    "For access from a higher security to a lower security level, nat and global
    commands or static commands must be present. For access from a lower
    security level to a higher security level, static and access-list commands
    must be present."

    So for low-to-high you need to explicitly configure a static for the
    destination, which is not the case for high-to-low. And I suppose that the
    stateful inspection is more severe on packets coming from low-to-high than
    on high-to-low.
    mcaissie, Feb 16, 2005, #6
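An added example, not from the thread, that models first-match evaluation of a PIX access-list with the implicit deny at its end; it shows the point mcaissie makes above: guest-in filters everything entering the guests interface, so the single-line list from post #3 drops guest traffic bound for outside, while the three-line list lets it through. The guest host 192.168.20.10 and the outside host 198.51.100.1 are constructed for illustration.

```python
import ipaddress

def _parse_addr(tokens, i):
    """Parse 'any', 'host X' or 'NET MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX access-lists take real subnet masks, not IOS-style wildcard masks
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_acl(lines):
    """Turn 'access-list NAME permit|deny PROTO SRC DST' lines into rule tuples."""
    rules = []
    for line in lines:
        t = line.split()
        if t[0] != "access-list":
            raise ValueError(f"not an access-list line: {line}")
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        rules.append((action, proto, src, dst))
    return rules

def evaluate(rules, proto, src_ip, dst_ip):
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst in rules:
        if p in ("ip", proto) and s in src and d in dst:
            return action
    return "deny"  # implicit deny at the end of every PIX access-list

# The single-line guest-in from post #3: only one inside host is reachable ...
SINGLE = parse_acl([
    "access-list guest-in permit ip 192.168.20.0 255.255.255.0 host 10.1.1.7",
])
# ... and the three-line version that also keeps the guests' path to outside open
THREE = parse_acl([
    "access-list guest-in permit ip 192.168.20.0 255.255.255.0 host 10.1.1.7",
    "access-list guest-in deny ip 192.168.20.0 255.255.255.0 10.1.0.0 255.255.0.0",
    "access-list guest-in permit ip any any",
])

if __name__ == "__main__":
    guest = "192.168.20.10"  # constructed guest host; 198.51.100.1 stands in for an outside host
    print(evaluate(SINGLE, "tcp", guest, "10.1.1.7"))      # permit
    print(evaluate(SINGLE, "tcp", guest, "198.51.100.1"))  # deny: implicit deny also blocks outside
    print(evaluate(THREE, "tcp", guest, "198.51.100.1"))   # permit
    print(evaluate(THREE, "tcp", guest, "10.1.1.8"))       # deny
```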
