Routing Pix Behind Verizon Router, routing issues

jtorres93

Oct 15, 2012
Hello all,

I have a PIX 501 behind a Verizon router. The PIX is configured to route traffic to the subnet above it.

Here is my setup:

verizon router 192.x network -> pix 501 -> 10.x network

All client machines in the 192.x network can send traffic to and from the PIX 10.x network.

Intranet web sites (Windows Home Server) on the 192.x network can be displayed on clients in the 10.x network.

I am having an issue with client machines on the subnet 10.x being able to reach the internet. I am proposing it's a routing issue with the Verizon router and the PIX firewall. I think it may have to do with the PIX not forwarding network traffic back to the client on the 10.x network.

I ran a traceroute from the 10.x network; the first hop out was the Verizon router (192.168.1.1), after that it drops.

Any suggestions?

I'll post my PIX configuration when I get home. Thanks!

FYI, I have another subnet because I am setting up a test lab at home for myself. Some of the machines will need to be able to access the internet from that subnet.
 

lukeconft

Sep 28, 2012
Have you configured a default gateway for the PIX and your internal devices? Your PIX needs to have a default gateway configured to be the same as the internal address of your Verizon, i.e. 192.x.
All of your clients need to be configured with a default gateway the same as the PIX internal address, i.e. 10.x.

Also, have you configured NATting on the PIX?
 
First, I am assuming that you are not NATting with the PIX; you are actually routing the traffic.
I also assume you have put a static route in the Verizon box telling it that your 10 network is behind the PIX IP on the 192 network.

What I have seen on some gateways, i.e. consumer routers, is that they will support the static routes but many times will not NAT those networks. They seem to NAT only the main LAN network. I don't remember the exact model that was doing this.

If that is happening, I suppose you could configure the PIX to NAT traffic destined for the internet to the PIX IP on the 192 net, but not NAT it when it is talking inside the house.

If you have the option, you may want to load third-party firmware on your Verizon box. Many of the third-party firmwares like DD-WRT or OpenWrt support more advanced routing and NAT options. You could also, I suspect, bridge the Verizon unit and move all the functions back to the PIX on 2 different VLANs.
 

jtorres93

Oct 15, 2012
I have not set up NATting on the PIX; how would that make a difference?

Here is the PIX configuration:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any
access-list outside_access_in permit ip any any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any any
access-list outside_access_in permit udp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.10.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
static (inside,outside) 10.10.0.0 10.10.0.0 netmask 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp nat-traversal 20
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:7103bf1919958a276ed05812263097ef
: end

Originally I had the outside set to a static address with the gateway going to the Verizon router. I just turned on DHCP for the outside address to see if it would make a difference.

And you both are correct, I have a route in the Verizon router pointing to the PIX; however, I find it's not necessary: when I delete it nothing really changes.
 
I will try to describe what I think is the problem, as if this was a commercial Cisco router rather than your Verizon gateway.

In Cisco, to put NAT for your common internet you define the WAN interface to be your NAT outside and your LAN to be your NAT inside. You then tell it to use the interface address of the WAN in overload mode, i.e. PAT. By default anything that comes in the LAN interface and goes out the WAN interface is NATted. But let's say you get creative and put in an access list that only matches the subnet of the LAN interface. And, as in your example, you have a static route for another subnet to a different device in the LAN. What happens is traffic from the LAN subnet matches and is NATted; traffic from the other subnet gets sent to the internet without being NATted... and of course is dropped.

What I have seen in some consumer routers is that they have what is equivalent to an access list restricting the traffic they NAT to only the LAN subnet and nothing else. Unlike a Cisco router where you can change it, these devices have it buried someplace that cannot be changed.

You SHOULD not have to NAT on the PIX, but it may solve your issue if you do. In this case you would set up an access list that NATs traffic destined to everything but your 192.x network. You COULD NAT everything, but then you get the port forwarding issue that the 192.x machines could not initiate sessions with the 10.x machines.
 

lukeconft

Sep 28, 2012
I don't have a huge amount of experience with PIX, but it looks like you have a couple of issues here.
1. Configure the outside to have a static IP address in the range of the Verizon DHCP assignment.
2. You do not appear to have any routes configured. I would simply configure a default route, something like

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

where for x.x.x.x you enter the inside IP address of your Verizon router.

Lastly, as I'm sure you are aware, your entire firewall is currently open to all types of requests.
 

lukeconft

Sep 28, 2012
Also, it appears that your NAT is configured incorrectly. You seem to be using a static NAT, which as far as I am aware is used for NATting individual inside addresses to individual outside addresses. You need to configure a dynamic NAT or PAT.

global (outside) 1 y.y.y.y netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Where for y.y.y.y you enter the IP of the outside interface of the PIX.
I believe that should get the results you are looking for, although sounds like Bill might be the better person to confirm.
 

jtorres93

Oct 15, 2012

Hi Luke,

Yes, I am aware that the firewall is open, but this is sitting behind my Verizon firewall. It's exposed to my home LAN so no worries. It's also a part of a home lab I am building, so I could trash it whenever I need to.

Other than that, my routes are fine, otherwise I wouldn't be able to reach any of my VMs behind the PIX. FYI, here are my PIX routes:


pixfirewall(config)# sho route
outside 0.0.0.0 0.0.0.0 192.168.1.1 1 DHCP static
inside 10.10.0.0 255.255.255.0 10.10.0.1 1 CONNECT static
outside 192.168.1.0 255.255.255.0 192.168.1.10 1 CONNECT static


Thanks for the help.
 

jtorres93

Oct 15, 2012

OK, I'm still noobish in this department, but I kinda get the idea of what you're trying to say. I'll set up a NAT for the PIX and give it a whirl.

Just to clarify, I should set the NAT for the outside as the IP for the 192.x network? In other words, the NAT for the outside should be the PIX IP (192.168.1.10) and the NAT inside should be the inside network IP 10.x?
 

jtorres93

Oct 15, 2012

Sorry, didn't see this,

Yeah, I think we're onto something here; I think Bill is correct in saying that traffic gets dropped once it hits the internet without being NATted.

Thanks for the commands, going to try them now... I'll post if anything changes.
 


That is correct. BUT be sure to not NAT traffic between the 192 and 10 networks.

 

jtorres93

Oct 15, 2012

OK, I will need to NAT traffic from the IP that Verizon assigned to my router?
 

jtorres93

Oct 15, 2012
OK, here are some results:

I did what Bill told me not to do (as it is with the human condition) and it's still wrong. I'm posting some screen shots:

Capture.JPG


In case that link didn't work: https://www.dropbox.com/s/wos5ym8t56qi6ck/Capture.JPG

Here are the changes made to the PIX:


pixfirewall(config)# nat (inside) 1 10.10.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.1.10 netmask 255.255.255.0
ERROR: 192.168.1.10-192.168.1.10 overlaps with outside interface address
pixfirewall(config)# global (outside) 1
Not enough arguments
pixfirewall(config)# global (outside) 1 interface
outside interface address added to PAT pool
pixfirewall(config)# write mem

...like I said, I am a little noobish when it comes to this...
 
You are getting near my knowledge limits on PIX. I am much more familiar with the ASR configs, which work more like routers.

You need to configure a PAT, i.e. NAT it to the single interface address. When you get the IP via DHCP then you need to use the interface name rather than the IP.

Been so long I forget the syntax to do this. This is how you do it on an IOS based box:

ip nat inside source list 10 interface ethernet0 overload

access-list 10 permit 10.10.0.0 0.0.255.255
access-list 10 deny 192.168.0.0 0.0.255.255

(The deny line is just used for example; there is an implied deny at the end.)

I am sure if you dig you can find an example of a Cisco PIX PAT configuration.
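To tie together Bill's two points above (the consumer router that NATs only its own LAN subnet, and PAT to the PIX outside interface), here is an added Python model of the PIX 6.3 translation lookup order (nat 0 access-list exemption, then static, then dynamic nat/global) run over this thread's addresses; it is not code from the thread or from Cisco. It also shows why the `static (inside,outside) 10.10.0.0 10.10.0.0` line in the posted config should go: a static translation is matched before the nat/global pair, so the lab subnet would still leave the PIX with its private source address. It assumes the PIX 6.3 exemption syntax `nat (inside) 0 access-list nonat`, and the internet address 198.51.100.7 is a constructed sample.

```python
# Added example, not from the thread: models the PIX 6.3 translation lookup
# order (nat 0 access-list exemption, then static, then dynamic nat/global)
# for traffic leaving the inside interface, using the thread's addresses.
from ipaddress import ip_address, ip_network

HOME_LAN = ip_network("192.168.1.0/24")   # Verizon router's LAN
LAB_LAN = ip_network("10.10.0.0/24")      # subnet behind the PIX
PIX_OUTSIDE = "192.168.1.10"              # PIX outside address (from the thread)

# access-list nonat permit ip 10.10.0.0 255.255.255.0 192.168.1.0 255.255.255.0
# nat (inside) 0 access-list nonat        (assumed PIX 6.3 exemption syntax)
NONAT = [(LAB_LAN, HOME_LAN)]
# nat (inside) 1 10.10.0.0 255.255.255.0  +  global (outside) 1 interface
DYNAMIC_PAT = [(LAB_LAN, PIX_OUTSIDE)]
# static (inside,outside) 10.10.0.0 10.10.0.0 netmask 255.255.255.0
# (the identity static in the posted config; pass [] to model removing it)
IDENTITY_STATIC = [(LAB_LAN, LAB_LAN)]

def translate(src, dst, statics):
    """Return (rule type, source address seen on the outside wire)."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net in NONAT:            # 1. nat 0 access-list: exempt
        if s in src_net and d in dst_net:
            return ("exempt", src)
    for real, mapped in statics:              # 2. static beats nat/global
        if s in real:
            return ("static", str(mapped[int(s) - int(real[0])]))
    for real, pat_ip in DYNAMIC_PAT:          # 3. dynamic PAT to interface
        if s in real:
            return ("pat", pat_ip)
    return ("untranslated", src)

def reaches_internet(src, dst, statics):
    """Combine the PIX step with the consumer-router behaviour Bill describes:
    the Verizon box NATs only sources inside its own LAN subnet."""
    rule, outside_src = translate(src, dst, statics)
    if rule == "exempt":                      # stays inside the house
        return True
    return ip_address(outside_src) in HOME_LAN

if __name__ == "__main__":
    internet = "198.51.100.7"                 # constructed sample address
    for statics in (IDENTITY_STATIC, []):     # with, then without, the static
        print(translate("10.10.0.5", internet, statics),
              reaches_internet("10.10.0.5", internet, statics))
    print(translate("10.10.0.5", "192.168.1.20", IDENTITY_STATIC))
```

With the identity static in place the lab host reaches the Verizon router as 10.10.0.5 and its reply never comes back; with it removed the same flow is PATted to 192.168.1.10, while lab-to-home-LAN traffic stays exempt either way.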
 

lukeconft

Sep 28, 2012
Sounds like we're all hitting a bit of a learning curve here :) Been a while since I've used them and it all changes in ASA 8.3.
My understanding is that you define the addresses to NAT with the 'nat (inside)' command and then define the addresses to NAT to with the 'global (outside)' command. It appears from the output you have provided that it won't let you NAT to a physical IP address, so you could try NATting to an unused IP address in the same range, say 192.168.1.250. I would then reserve that IP address on your Verizon router. Your inside rule looks fine, so fingers crossed you'll be ready to go with that.
 

jtorres93

Oct 15, 2012

I'll give this a shot, ignore what I wrote below...


... OK, it accepted the IP 192.168.1.250, still the same problem... I wish there was a better way to follow packet information...
 

jtorres93

Oct 15, 2012
Hey Bill, Luke,

So I disconnected the PIX and installed a Linksys WRT54GS in its place. Everything works great. Here is the interesting part of this: when I do an ipconfig /all on one of the client machines, it shows two gateways...

Maybe this had something to do with the issue above?
 

lukeconft

Sep 28, 2012
It could well be. I'm sure you know this, but the default gateway is where your PC sends all data it does not have a route for. Obviously, if you have 2 different ones then that is going to confuse things. How did they get 2 different gateways? Have you identified what the IP addresses relate to?
 

jtorres93

Oct 15, 2012

Well, this could have something to do with the DHCP server I set up behind the firewall. When configuring the IP pool, I did put in two gateways: 10.10.0.1 and 192.168.1.1.

I also checked out the routing table on the Linksys; it is almost identical to what I had set up on the PIX. The only difference: there is an entry that states a destination of 192.168.1.0 using as a gateway the IP address assigned to the WAN port (the IP of the Linksys). The other two routes state:

0.0.0.0 with a gateway to 192.168.1.1

10.10.0.0 with a gateway of 10.10.0.1 (router inside address)

I have also tried to place that third entry in the PIX, but I kept getting a "route already exists". At this point I'm more intrigued in solving this than actually using it lol.

Not sure if I wrote this clearly enough, I'm still finishing my first cup of coffee :)
 

bk6662

Jul 11, 2012
Hi JTorres. Wondering if you ever found a definitive solution to this issue? I'm having the same problem; just posted my question (subject line something like "PIX won't talk to router"). Interestingly, when I ping from an inside host it passes through the firewall and hits the internet-facing interface on the router. (I can see that by debugging ICMP traffic at the router.) However, the ping response never makes it back to the PIX outside interface. I also turned on RIP at the PIX and the router to see if that would help. I can see that the PIX sends out RIP updates, but it never receives updates from the router, although the router both sends and receives RIP routing updates. So I'm sure it's something missing on the PIX.