Multiple subnets on PIX 515 - Please help

Discussion in 'Cisco' started by Val V., Feb 28, 2004.


    Dear IT/Network Comrades,

    Please try to help me with this....

    I recently tried to replace my Linux-based firewall with a Cisco PIX 515... and
    it didn't work.

    When I replaced the firewalls I was able to ping my router from the
    PIX console but not from any computer in the DMZ or inside (nor was I able to
    get any other connectivity besides ping either). debug icmp trace was
    showing ECHO going out but not in. I suspect my problem is due to the
    multiple subnets and me not knowing how to do it. Does my route table
    make sense??? Here is my config; if any kind soul will point me in the
    right direction I will be very appreciative.


    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security40
    hostname pix515
    names
    name 20.21.22.254 ns03
    name 30.31.32.130 ns01
    object-group service domain tcp-udp
    port-object eq domain
    object-group service www tcp
    port-object eq www
    port-object eq https
    object-group network dns
    network-object host ns03
    object-group network remote-admin
    object-group network equinix
    network-object 30.31.32.128 255.255.255.192
    object-group network web-serv
    network-object host 20.21.22.203
    network-object host 20.21.22.209
    network-object host 20.21.22.210
    network-object host 20.21.22.211
    network-object host 10.11.12.195
    network-object host 10.11.12.199
    network-object host 10.11.12.201
    network-object host 10.11.12.203
    network-object host 10.11.12.204
    network-object host 10.11.12.205
    network-object host 10.11.12.206
    network-object host 10.11.12.211
    network-object host 10.11.12.213
    network-object host 10.11.12.214
    network-object host 10.11.12.215
    network-object host 10.11.12.216
    network-object host 10.11.12.217
    network-object host 10.11.12.51
    network-object host 10.11.12.53
    network-object host 10.11.12.54
    network-object host 10.11.12.56
    network-object host 10.11.12.58
    network-object host 10.11.12.207
    object-group network smtp-serv
    network-object host 20.21.22.203
    network-object host 20.21.22.209
    network-object host 20.21.22.210
    network-object host 10.11.12.195
    network-object host 10.11.12.199
    network-object host 10.11.12.201
    network-object host 10.11.12.204
    network-object host 10.11.12.205
    network-object host 10.11.12.206
    network-object host 10.11.12.211
    network-object host 10.11.12.213
    network-object host 10.11.12.215
    network-object host 10.11.12.216
    network-object host 10.11.12.217
    network-object host 10.11.12.53
    network-object host 10.11.12.54
    network-object host 10.11.12.56
    network-object host 10.11.12.58
    network-object host 20.21.22.152
    network-object host 10.11.12.207
    object-group network https-serv
    network-object host 20.21.22.209
    network-object host 20.21.22.210
    network-object host 10.11.12.195
    network-object host 10.11.12.205
    network-object host 10.11.12.206
    network-object host 10.11.12.213
    network-object host 10.11.12.215
    network-object host 10.11.12.216
    network-object host 10.11.12.217
    network-object host 10.11.12.53
    network-object host 10.11.12.56
    network-object host 10.11.12.58
    network-object host 20.21.22.152
    network-object host 10.11.12.214
    network-object host 10.11.12.51
    network-object host 10.11.12.207
    object-group network domino-serv
    network-object host 20.21.22.209
    network-object host 10.11.12.205
    network-object host 10.11.12.206
    network-object host 10.11.12.216
    network-object host 10.11.12.199
    network-object host 10.11.12.201
    network-object host 10.11.12.204
    network-object host 10.11.12.207
    access-list inside_in permit icmp 192.168.2.0 255.255.255.0 any
    access-list inside_in permit udp 192.168.2.0 255.255.255.0 any eq domain
    access-list inside_in permit tcp 192.168.2.0 255.255.255.0 any eq www
    access-list inside_in permit tcp 192.168.2.0 255.255.255.0 any eq https
    access-list inside_in permit tcp 192.168.2.0 255.255.255.0 any eq ftp
    access-list inside_in permit tcp 192.168.2.0 255.255.255.0 any eq ftp-data
    access-list inside_in permit tcp 192.168.2.0 255.255.255.0 any eq smtp
    access-list inside_in permit tcp 192.168.2.0 255.255.255.0 any eq imap4
    access-list inside_in permit tcp 192.168.2.0 255.255.255.0 any eq pop3
    access-list inside_in permit tcp 192.168.2.0 255.255.255.0 any eq 3389
    access-list inside_in permit tcp 192.168.2.0 255.255.255.0 any range 1417 1420
    access-list inside_in permit udp 192.168.2.0 255.255.255.0 any eq 407
    access-list inside_in permit tcp 192.168.2.0 255.255.255.0 any eq lotusnotes
    access-list inside_in deny ip any any
    access-list outside_in deny ip 0.0.0.0 255.0.0.0 any
    access-list outside_in deny ip 10.0.0.0 255.0.0.0 any
    access-list outside_in deny ip 127.0.0.0 255.0.0.0 any
    access-list outside_in deny ip 172.16.0.0 255.240.0.0 any
    access-list outside_in deny ip 192.168.0.0 255.255.0.0 any
    access-list outside_in deny ip 224.0.0.0 224.0.0.0 any
    access-list outside_in deny tcp any any eq ident
    access-list outside_in deny tcp any any eq 135
    access-list outside_in deny udp any any eq 1900
    access-list outside_in deny udp any any eq 445
    access-list outside_in deny udp any any range netbios-ns 139
    access-list outside_in permit icmp any any
    access-list outside_in permit tcp host ns01 host ns03 eq domain
    access-list outside_in permit udp any host ns03 eq domain
    access-list outside_in permit tcp object-group remote-admin any eq 10000
    access-list outside_in permit tcp object-group remote-admin any eq lotusnotes
    access-list outside_in permit tcp object-group remote-admin any eq 3389
    access-list outside_in permit tcp any object-group web-serv eq www
    access-list outside_in permit tcp any object-group smtp-serv eq smtp
    access-list outside_in permit tcp any object-group https-serv eq https
    access-list outside_in permit tcp any object-group domino-serv eq lotusnotes
    access-list outside_in permit tcp any host 20.21.22.152 eq ssh
    access-list outside_in permit tcp any host 20.21.22.209 eq ssh
    access-list outside_in permit tcp any host 10.11.12.54 eq ssh
    access-list outside_in permit tcp any host 20.21.22.203 eq ftp
    access-list outside_in permit tcp any host 20.21.22.209 eq ftp
    access-list outside_in permit tcp any host 10.11.12.56 eq ftp
    access-list outside_in permit tcp any host 20.21.22.152 eq imap4
    access-list outside_in permit tcp any host 20.21.22.209 eq imap4
    access-list outside_in permit tcp any host 20.21.22.209 eq pop3
    access-list outside_in permit tcp any host 10.11.12.54 eq imap4
    access-list outside_in permit tcp any host 20.21.22.210 eq pop3
    access-list outside_in permit tcp any host 20.21.22.151 range 1417 1420
    access-list outside_in permit udp any host 20.21.22.151 eq 407
    access-list outside_in permit udp any host 20.21.22.153 eq 407
    access-list outside_in permit tcp any host 20.21.22.153 range 1417 1420
    access-list outside_in deny ip any any
    access-list dmz_in permit icmp any any
    access-list dmz_in permit udp any any eq domain
    access-list dmz_in permit tcp any any eq www
    access-list dmz_in permit tcp any any eq https
    access-list dmz_in permit tcp any any eq ftp
    access-list dmz_in permit tcp any any eq ftp-data
    access-list dmz_in permit tcp any any eq smtp
    access-list dmz_in deny ip any any
    access-list nonatinside permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list nonatinside permit ip any 192.168.2.0 255.255.255.0
    ip address outside 10.11.12.3 255.255.255.128
    ip address inside 192.168.2.1 255.255.255.0
    ip address dmz 192.168.1.1 255.255.255.0
    global (outside) 1 10.11.12.4
    global (dmz) 1 192.168.2.60-192.168.2.70
    nat (inside) 0 access-list nonatinside
    nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    nat (dmz) 1 192.168.2.0 255.255.255.0 0 0
    nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
    static (dmz,outside) 10.11.12.201 192.168.1.19 netmask 255.255.255.255 0 0
    static (dmz,outside) 10.11.12.199 192.168.1.24 netmask 255.255.255.255 0 0
    static (dmz,outside) 10.11.12.203 192.168.1.40 netmask 255.255.255.255 0 0
    static (dmz,outside) 10.11.12.214 192.168.1.57 netmask 255.255.255.255 0 0
    static (dmz,outside) 10.11.12.213 192.168.1.50 netmask 255.255.255.255 0 0
    static (dmz,outside) 10.11.12.211 192.168.1.36 netmask 255.255.255.255 0 0
    static (dmz,outside) 10.11.12.204 192.168.1.25 netmask 255.255.255.255 0 0
    static (dmz,outside) 10.11.12.215 192.168.1.56 netmask 255.255.255.255 0 0
    static (dmz,outside) 10.11.12.205 192.168.1.51 netmask 255.255.255.255 0 0
    static (dmz,outside) 20.21.22.203 192.168.1.12 netmask 255.255.255.255 0 0
    static (dmz,outside) 20.21.22.210 192.168.1.30 netmask 255.255.255.255 0 0
    static (dmz,outside) 20.21.22.211 192.168.1.158 netmask 255.255.255.255 0 0
    static (dmz,outside) 20.21.22.151 192.168.1.101 netmask 255.255.255.255 0 0
    static (dmz,outside) 20.21.22.152 192.168.1.251 netmask 255.255.255.255 0 0
    static (dmz,outside) 10.11.12.51 192.168.1.155 netmask 255.255.255.255 0 0
    static (dmz,outside) 10.11.12.52 192.168.1.38 netmask 255.255.255.255 0 0
    static (dmz,outside) 10.11.12.53 192.168.1.18 netmask 255.255.255.255 0 0
    static (dmz,outside) 10.11.12.54 192.168.1.29 netmask 255.255.255.255 0 0
    static (dmz,outside) 10.11.12.56 192.168.1.148 netmask 255.255.255.255 0 0
    static (dmz,outside) 10.11.12.227 192.168.2.10 netmask 255.255.255.255 0 0
    static (dmz,outside) 10.11.12.228 192.168.1.250 netmask 255.255.255.255 0 0
    static (dmz,outside) 10.11.12.195 192.168.1.130 netmask 255.255.255.255 0 0
    static (dmz,outside) 20.21.22.209 192.168.1.151 netmask 255.255.255.255 0 0
    static (dmz,outside) 20.21.22.153 192.168.1.149 netmask 255.255.255.255 0 0
    static (dmz,outside) 10.11.12.207 192.168.1.47 netmask 255.255.255.255 0 0
    access-group outside_in in interface outside
    access-group inside_in in interface inside
    access-group dmz_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 20.21.22.129 1
    route outside 20.21.22.128 255.255.255.128 20.21.22.129 1
    route outside 10.11.12.128 255.255.255.192 10.11.12.129 1
    route outside 10.11.12.192 255.255.255.224 10.11.12.193 1
    route outside 10.11.12.224 255.255.255.224 10.11.12.225 1
     
    Val V., Feb 28, 2004
    #1

    :I recently tried to replace my Linux based fw with cisco pix 515...and
    :it didn't work.

    :When I replaced the firewalls I was able to ping my router from the
    :PIX console but not from any computer dmz or inside (nor was I able to
    :do any other connectivity besides ping either). debug ICMP trace was
    :showing ECHO going out but not in. I suspect my problem is due to
    :multiple subnet and me not knowing how to do it.

    :PIX Version 6.3(1)

    :ip address outside 10.11.12.3 255.255.255.128
    :ip address inside 192.168.2.1 255.255.255.0
    :ip address dmz 192.168.1.1 255.255.255.0

    :global (outside) 1 10.11.12.4
    :global (dmz) 1 192.168.2.60-192.168.2.70

    :nat (inside) 0 access-list nonatinside
    :nat (inside) 1 192.168.1.0 255.255.255.0 0 0

    Your nat (inside) 1 only matches packets coming from the inside
    interface that have a source address of 192.168.1/24, but your
    'ip address inside' statement shows that your inside packets have
    192.168.2/24 addresses. Your nat (inside) 1 statement is thus not going
    to match any packets, and in turn that means your global (dmz) 1 statement
    is not going to have anything to work with. You will thus have no way
    of talking between inside and dmz (except via the nonatinside nat 0).

    :nat (dmz) 1 192.168.2.0 255.255.255.0 0 0

    Similarly, your source packets from dmz are 192.168.1/24 according
    to your ip address dmz statement. This statement is thus not going to match
    any packets. That you can get any traffic to work at all is due to the
    next statement,

    :nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

    which matches -all- traffic from the dmz.


    :static (dmz,outside) 10.11.12.201 192.168.1.19 netmask 255.255.255.255 0 0

    This series looks okay.

    :static (dmz,outside) 10.11.12.56 192.168.1.148 netmask 255.255.255.255 0 0

    Up to there looks okay.

    :static (dmz,outside) 10.11.12.227 192.168.2.10 netmask 255.255.255.255 0 0

    But there you are trying to nat into the dmz an IP address which
    belongs to the inside interface. It's not that that's impossible
    to do, but you need additional routers and 'route' statements to
    make it work.


    :route outside 0.0.0.0 0.0.0.0 20.21.22.129 1
    :route outside 20.21.22.128 255.255.255.128 20.21.22.129 1
    :route outside 10.11.12.128 255.255.255.192 10.11.12.129 1
    :route outside 10.11.12.192 255.255.255.224 10.11.12.193 1
    :route outside 10.11.12.224 255.255.255.224 10.11.12.225 1

    Since those are all on the outside interface, you must have a
    router on the outside. My suspicion is that the router could
    make those choices for you. Unless, that is, what you have on
    the outside is more like a switch together with a series of routing
    devices each of which only knows about a small subnet, instead of
    having a router fronting all the other routers.
     
    Walter Roberson, Feb 28, 2004
    #2
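The two checks Walter makes by hand above (does each `nat (ifname)` source network actually overlap the subnet configured on that interface, and does each `static`'s local address actually live on the interface named first in its parentheses) are mechanical enough to script. The following is an added example, not code from either poster or from Cisco; it runs over a constructed excerpt of the posted configuration (the `ip address`, `nat` and `static` lines quoted in the reply) and reports the same three findings. The regexes, function names and output wording are this example's own assumptions; `nat 0 access-list` lines are skipped because their match criteria live in an ACL, not in a network/mask pair.

```python
import ipaddress
import re

# Constructed excerpt of the configuration posted above (only the lines the
# reply discusses; not the full config).
PIX_CONFIG = """
ip address outside 10.11.12.3 255.255.255.128
ip address inside 192.168.2.1 255.255.255.0
ip address dmz 192.168.1.1 255.255.255.0
nat (inside) 0 access-list nonatinside
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (dmz) 1 192.168.2.0 255.255.255.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 10.11.12.201 192.168.1.19 netmask 255.255.255.255 0 0
static (dmz,outside) 10.11.12.227 192.168.2.10 netmask 255.255.255.255 0 0
"""

# Assumed line shapes for PIX 6.x syntax; hypothetical helper regexes.
IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")


def parse_interfaces(config):
    """Map interface name -> connected subnet, from the 'ip address' lines."""
    ifaces = {}
    for line in config.splitlines():
        m = IP_ADDR_RE.match(line.strip())
        if m:
            name, addr, mask = m.groups()
            # strict=False lets a host address stand in for its subnet.
            ifaces[name] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ifaces


def check_nat(config, ifaces):
    """Flag nat statements whose source network cannot match any packet
    arriving on the named interface (no overlap with its subnet)."""
    findings = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        iface, nat_id, addr, mask = m.groups()
        if addr == "access-list":  # nat 0 access-list: criteria are in the ACL
            continue
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if iface in ifaces and not net.overlaps(ifaces[iface]):
            findings.append(
                f"nat ({iface}) {nat_id} {net}: no overlap with "
                f"{iface} subnet {ifaces[iface]}, matches nothing"
            )
    return findings


def check_static(config, ifaces):
    """Flag static translations whose local (real) address is not on the
    interface named first in the (real,mapped) pair."""
    findings = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        real_if, mapped_if, mapped, local, _mask = m.groups()
        local_ip = ipaddress.ip_address(local)
        owner = next((n for n, s in ifaces.items() if local_ip in s), None)
        if owner != real_if:
            where = f"belongs to {owner}" if owner else "is on no connected interface"
            findings.append(
                f"static ({real_if},{mapped_if}) {mapped} {local}: "
                f"local address {where}, not {real_if}"
            )
    return findings


def lint(config):
    """Run both checks and return all findings, in config order."""
    ifaces = parse_interfaces(config)
    return check_nat(config, ifaces) + check_static(config, ifaces)


if __name__ == "__main__":
    for finding in lint(PIX_CONFIG):
        print(finding)
```

Feeding the posted configuration to `lint()` yields exactly the three lines Walter singled out: `nat (inside) 1 192.168.1.0/24` and `nat (dmz) 1 192.168.2.0/24` match nothing on their interfaces, and the `static` for 10.11.12.227 maps a 192.168.2.10 address that belongs to inside, not dmz. The catch-all `nat (dmz) 1 0.0.0.0/0` overlaps everything and is correctly left alone.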
