Routing / Access List PIX issue

Discussion in 'Cisco' started by paul_tomlin@hotmail.com, Nov 7, 2007.

  1. Guest

    Got a nice complicated routing / access list problem, or at least I
    think it is!

    We've got an MPLS circuit which is routed from our main internal
    network through gateway 10.100.18.254, and all MPLS sites can see each
    other. The problem comes when I try to access them remotely using the
    VPN: anything on the 10.100.18.0 network with the PIX as the default
    gateway I can access remotely; anything with 10.100.18.254, and the
    remote sites, cannot be pinged remotely. I'm not sure if this is a
    routing issue. I've added in route statements for the remote networks,
    but obviously can't add one for the local network. Maybe someone could
    advise?


    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname pixfirewall
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 100 permit ip 10.100.18.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list 100 permit ip 10.100.18.0 255.255.255.0 10.100.20.0 255.255.255.0
    access-list 100 permit ip 10.100.18.0 255.255.255.0 10.100.34.0 255.255.255.0
    access-list 100 permit ip 10.100.18.0 255.255.255.0 10.100.50.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside xxx.xxx.xxx.131 255.255.255.240
    ip address inside 10.100.18.252 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpn 192.168.100.1-192.168.100.25
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    pdm location 192.168.100.0 255.255.255.0 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 100
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.129 1
    route inside 10.100.20.0 255.255.255.0 10.100.18.254 1
    route inside 10.100.34.0 255.255.255.0 10.100.18.254 1
    route inside 10.100.50.0 255.255.255.0 10.100.18.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 10.100.18.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    isakmp nat-traversal 20
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe 40
    vpdn group 1 client configuration address local vpn
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username administrator password ********
    terminal width 80
    , Nov 7, 2007
    #1

  2. Merv Guest

    The PIX knows how to reach anything on 10.100.18.0/24 because it is a
    directly connected network (i.e. it is configured on the PIX's inside
    interface).

    The following route statements indicate that only 3 network 10 subnets
    will be routed to 10.100.18.254 and anything else will be routed using
    the default route (i.e. it will be forwarded to the "Internet", where it
    will be dropped).

    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.129 1
    route inside 10.100.20.0 255.255.255.0 10.100.18.254 1
    route inside 10.100.34.0 255.255.255.0 10.100.18.254 1
    route inside 10.100.50.0 255.255.255.0 10.100.18.254 1


    Perhaps a route for all of network 10 will suffice:

    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.129 1
    route inside 10.0.0.0 255.0.0.0 10.100.18.254 1
    Merv, Nov 7, 2007
    #2

  3. mcaissie Guest

    You need to no-NAT all traffic between the remote users and the MPLS
    subnets, so you would have to add the following lines to your ACL 100:

    access-list 100 permit ip 10.100.20.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list 100 permit ip 10.100.34.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list 100 permit ip 10.100.50.0 255.255.255.0 192.168.100.0 255.255.255.0

    Also, the MPLS sites must have a route for 192.168.100.0 pointing at your
    inside PIX.

    mcaissie, Nov 7, 2007
    #3
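    To see why the extra no-NAT lines matter, here is a small model of the two PIX 6.3 decisions the posts describe (example code written for this page, not from the thread or from Cisco). It assumes the nat 0 ACL is evaluated first-match before the nat 1 catch-all, and it uses the poster's redacted default gateway as a placeholder string.

```python
from ipaddress import ip_address, ip_network

# ACL 100 exactly as posted: exemptions only for flows sourced from 10.100.18.0/24.
ACL_ORIGINAL = [
    (ip_network("10.100.18.0/24"), ip_network("192.168.100.0/24")),
    (ip_network("10.100.18.0/24"), ip_network("10.100.20.0/24")),
    (ip_network("10.100.18.0/24"), ip_network("10.100.34.0/24")),
    (ip_network("10.100.18.0/24"), ip_network("10.100.50.0/24")),
]
# mcaissie's three additions: the MPLS subnets themselves towards the VPN pool.
ACL_FIXED = ACL_ORIGINAL + [
    (ip_network(net), ip_network("192.168.100.0/24"))
    for net in ("10.100.20.0/24", "10.100.34.0/24", "10.100.50.0/24")
]
# PIX route table from the post; the redacted default gateway xxx.xxx.xxx.129
# is kept as a placeholder string (assumption, not a real address).
ROUTES = [
    (ip_network("10.100.18.0/24"), "connected (inside)"),
    (ip_network("10.100.20.0/24"), "10.100.18.254"),
    (ip_network("10.100.34.0/24"), "10.100.18.254"),
    (ip_network("10.100.50.0/24"), "10.100.18.254"),
    (ip_network("0.0.0.0/0"), "xxx.xxx.xxx.129 (default, outside)"),
]

def nat_decision(acl, src, dst):
    """'exempt' if (src, dst) matches a permit line of the nat 0 ACL (first match);
    otherwise 'pat', i.e. nat (inside) 1 translates it to the outside interface."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return "exempt"
    return "pat"

def next_hop(routes, dst):
    """Longest-prefix match over the route table; the 0.0.0.0/0 entry is the fallback."""
    d = ip_address(dst)
    return max((r for r in routes if d in r[0]), key=lambda r: r[0].prefixlen)[1]

if __name__ == "__main__":
    # An MPLS host replying to a VPN client: PAT'd with the posted ACL, exempt after the fix.
    for name, acl in (("original", ACL_ORIGINAL), ("fixed", ACL_FIXED)):
        print(name, "10.100.20.5 -> 192.168.100.3:",
              nat_decision(acl, "10.100.20.5", "192.168.100.3"))
    # Merv's point: only the three listed subnets go to 10.100.18.254; other 10.x goes out the default.
    for dst in ("10.100.34.7", "10.100.99.1"):
        print(dst, "->", next_hop(ROUTES, dst))
```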
  4. Guest

    Thank you both, the No-NAT was the fix.

    Thanks again for all your support.

    Paul

    , Nov 9, 2007
    #4
