PIX routing question

Discussion in 'Cisco' started by markw78, Jun 21, 2007.

  1. markw78

    What I want to do is logically easy... getting it done is proving to be a bit harder.

    Basically I just want to route a network across my PIX from the outside interface to eth2 (nameif test, security-level 75) with no restrictions whatsoever.

    Currently I have it working with tcp but that's it...

    access-list outside extended permit tcp any interface lab
    access-list lab_access_in extended permit ip any any

    access-group out in interface outside
    access-group lab_access_in in interface lab

    route lab 216.24.24.160 255.255.255.224 216.24.24.138 1

    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0

    access-list 101 extended permit ip 10.10.0.0 255.255.0.0 192.168.100.0 255.255.255.0
    access-list 101 extended permit ip 10.0.0.0 255.0.0.0 interface lab

    Access-list 101 and nat0 associated with it are left over from an attempt at VPN access which was abandoned a long time ago, I just stuck the additional ACL in place since the nat0 was already there.

    My goal is basically to hand off this block of IPs to the lab's PIX so they can self-manage them.

    Questions are... access-list 101 and access-list outside permit any interface lab: which is actually doing the job, or are they both needed?

    Is there any way to remove the acl altogether?

    How can I say "all protocols", as it won't take 'any' as a valid protocol?

    Lastly I'm having a hard time getting the inside network to route there. Do I need to add that to acl 101?

    I feel so close yet so far; I can't quite wrap my head around this one (first time doing this with a PIX). Any help is appreciated.
     
    markw78, Jun 21, 2007
    #1
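The post above asks why only TCP gets through and how to express "all protocols" in a PIX extended ACL. The following is an added example, not configuration or code from the thread: a small Python model of PIX extended-ACL first-match semantics (with the implicit deny at the end) run over the two access-list lines quoted in the post. It shows that an entry written with the `tcp` keyword matches TCP flows only, while an entry written with the `ip` keyword matches every IP protocol. The address assigned to the `interface lab` keyword (216.24.24.138) and the sample flows are constructed for the example; the real interface address is not stated in the thread.

```python
import ipaddress
from dataclasses import dataclass

# Constructed assumption: the address that the "interface lab" keyword resolves to.
# On a PIX this keyword means the firewall's own interface address, not the networks behind it.
INTERFACE_ADDRS = {"lab": "216.24.24.138"}

# The two access-list lines quoted in the post (copied, not constructed).
ACL_TEXT = """
access-list outside extended permit tcp any interface lab
access-list lab_access_in extended permit ip any any
"""


@dataclass
class Ace:
    """One access-control entry of a PIX extended ACL (no port qualifiers modelled)."""
    name: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_addr(tokens):
    """Consume one PIX address spec from the token list; return (network, remaining tokens)."""
    kw = tokens[0]
    if kw == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if kw == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if kw == "interface":
        return ipaddress.ip_network(INTERFACE_ADDRS[tokens[1]] + "/32"), tokens[2:]
    # PIX style: address followed by a dotted netmask, e.g. 10.10.0.0 255.255.0.0
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST' lines into Ace objects."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
            continue  # ignore lines that are not extended ACL entries
        name, action, proto = t[1], t[3], t[4]
        src, rest = parse_addr(t[5:])
        dst, _ = parse_addr(rest)
        aces.append(Ace(name, action, proto, src, dst))
    return aces


def matches(ace, proto, src, dst):
    """'ip' matches every IP protocol; any other keyword matches only that protocol."""
    proto_ok = ace.proto == "ip" or ace.proto == proto
    return (proto_ok
            and ipaddress.ip_address(src) in ace.src
            and ipaddress.ip_address(dst) in ace.dst)


def evaluate(aces, acl_name, proto, src, dst):
    """First matching entry of the named ACL decides; no match means the implicit deny."""
    for ace in aces:
        if ace.name == acl_name and matches(ace, proto, src, dst):
            return ace.action
    return "deny (implicit)"


ACES = parse_acl(ACL_TEXT)

# Constructed sample flows: (acl, protocol, source, destination)
SAMPLE_FLOWS = [
    ("outside", "tcp", "198.51.100.7", "216.24.24.138"),   # TCP to the lab interface address
    ("outside", "icmp", "198.51.100.7", "216.24.24.138"),  # ICMP to the same address
    ("outside", "udp", "198.51.100.7", "216.24.24.138"),   # UDP to the same address
    ("lab_access_in", "icmp", "216.24.24.170", "10.10.150.5"),  # 'permit ip any any' covers ICMP
]


def summarize(flows=SAMPLE_FLOWS):
    """Return {flow: decision} for each sample flow, for inspection or testing."""
    return {f: evaluate(ACES, *f) for f in flows}


if __name__ == "__main__":
    for flow, decision in summarize().items():
        print(f"{flow[0]:<14} {flow[1]:<5} {flow[2]:>15} -> {flow[3]:<15} {decision}")
```

Running the block shows the `tcp` entry on the outside ACL permitting the TCP flow and leaving ICMP and UDP to the implicit deny, while the `ip any any` entry permits ICMP; in PIX syntax the protocol keyword `ip` is what "all protocols" looks like, which is why `any` is rejected in that position.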

  2. markw78

    Update

    So I pulled out the nat 0, pulled out acl 101, removed the lab_access_in acl, and removed the access-group from the lab interface.

    It seems to be working fine off just the route, which I don't quite understand since I swear it wasn't before.

    I still can't get through from inside (100) even though lab is 75.
     
    markw78, Jun 21, 2007
    #2

  3. markw78

    OK, 1 more:

    static (inside,lab) 10.10.150.0 netmask 255.255.255.0

    seemed to do the trick; I can get from inside to lab now.

    Still no ICMP even though I have

    icmp permit any lab
    icmp permit any inside

    It also wouldn't work adding a global using the public IP... Normally a telnet test to the port shuts down right away, indicating there is a firewall; with the global in place it times out instead. I suspect for some reason the device on the lab network is having problems replying to the NAT'd global IP. Maybe a proxy ARP problem on the interface; I don't know, it's almost 2am lol... I think the static is what we want, but I would like to know why the global doesn't work anyway, along with ICMP...

    I assume I need static mappings and ACLs to get from lab to inside as normal.

    1 last quick edit: with the global in place and no static, my pings and telnet tests get no log on the PIX. With the static, telnet tests work, but ICMP generates a log stating it is unable to portmap from the lab to the inside (the reply packet)... shouldn't this be open by way of SPI / the xlate table?
     
    Last edited: Jun 21, 2007
    markw78, Jun 21, 2007
    #3