Pix Routing to remote subnet

bill.morton
Level 1

Working with a Pix 535 ver 6.3(5)

The pix is the default gateway for the entire subnet 192.168.160.0 255.255.240.0.

I have since added a VMware environment that I have put into the 172.17.0.0 space for a number of reasons. The VMware subnet is accessible via 192.168.162.87 (I am doing the layer 3 switching & inter VLAN routing on a switch at this address).

I can get everything to work by adding a static route in the PCs I am working on, but I want to accomplish this in the pix.

[Pix: 192.168.160.1 (inside)]---->[Cisco 6500]--->[VMware Switch: 192.168.162.87]----->172.17.0.0/24 network.

Can I do something like this?

ip address VMware 172.17.0.1 255.255.255.0
static (inside,VMware) 192.168.160.1 172.17.0.1 255.255.255.255
route VMware 172.17.0.0 255.255.255.0 192.168.162.87 1

edit: I should mention that the VMnetwork is not directly connected.


Jon Marshall
Hall of Fame

Hi Bill

Just to confirm: if a client on the 192.168.160.x subnet wanted to communicate with the 172.17.0.0 subnet, does the traffic go from the client to the pix inside interface, back out the inside interface to the VMware switch and then to the subnet?

If so this will not work with pix ver 6.x, as you cannot send traffic back out the same interface it came in on to its destination.

You have 2 choices if you don't want to add static routes to PCs:

1) Upgrade pix to v7.x where you can send traffic back out same interface. It's called hairpinning. Be aware that v7.x config is quite different from v6.x

2) Migrate the default gateway of your 192.168.160.x clients to the L3 switch.

I would go with 2.

HTH

Jon

Jon,

That is exactly what would happen, traffic would go in/out the same interface on the pix.

I'll give the default gateway a shot, though I do have a 515 running v7 around.

Thanks!

Ok, getting close, but I am having a mental block here.

I can ping my 172.17 hosts from outside (192.168.*.*)

My 172.17 hosts can ping each other.

My 172.17 hosts can ping the L3 switch gateway 192.168.162.87

My L3 Switch can ping the rest of the network 192.168.*.*

My 172.17 hosts can not ping the rest of the 192.168.*.* network.

[172.17.0.*]--->[Cisco 3750 192.168.162.87]--->192.168.160.* /20

Cisco 3750 config (the hosts I am trying to ping from are on Vlan 4 [management]):

ok, too long for a full post, but:

VMCisco3750_0#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/21, Gi1/0/22, Gi1/0/23
                                                Gi1/0/24
2    iSCSI                            active    Gi1/0/1, Gi1/0/2, Gi1/0/3
                                                Gi1/0/4, Gi1/0/5, Gi1/0/6
                                                Gi1/0/7, Gi1/0/8, Gi1/0/9
                                                Gi1/0/10, Gi1/0/11, Gi1/0/12
3    VMotion                          active    Gi1/0/13, Gi1/0/14
4    Management                       active    Gi1/0/15, Gi1/0/16, Gi1/0/17
                                                Gi1/0/18, Gi1/0/19, Gi1/0/20
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
2    enet  100002     9000  -      -      -        -    -        0      0
3    enet  100003     1500  -      -      -        -    -        0      0
4    enet  100004     1500  -      -      -        -    -        0      0

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
VMCisco3750_0#

VMCisco3750_0#sh ip int brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  192.168.162.87  YES NVRAM  up                    up
Vlan2                  unassigned      YES manual up                    up
Vlan3                  unassigned      YES manual up                    up
Vlan4                  172.17.0.97     YES NVRAM  up                    up
GigabitEthernet1/0/1   unassigned      YES unset  up                    up
GigabitEthernet1/0/2   unassigned      YES unset  down                  down
GigabitEthernet1/0/3   unassigned      YES unset  up                    up
GigabitEthernet1/0/4   unassigned      YES unset  down                  down
GigabitEthernet1/0/5   unassigned      YES unset  up                    up
GigabitEthernet1/0/6   unassigned      YES unset  down                  down
GigabitEthernet1/0/7   unassigned      YES unset  up                    up
GigabitEthernet1/0/8   unassigned      YES unset  up                    up
GigabitEthernet1/0/9   unassigned      YES unset  up                    up
GigabitEthernet1/0/10  unassigned      YES unset  up                    up
GigabitEthernet1/0/11  unassigned      YES unset  up                    up
GigabitEthernet1/0/12  unassigned      YES unset  down                  down
GigabitEthernet1/0/13  unassigned      YES unset  up                    up
GigabitEthernet1/0/14  unassigned      YES unset  up                    up
GigabitEthernet1/0/15  unassigned      YES unset  up                    up
GigabitEthernet1/0/16  unassigned      YES unset  up                    up
GigabitEthernet1/0/17  unassigned      YES unset  down                  down
GigabitEthernet1/0/18  unassigned      YES unset  up                    up
GigabitEthernet1/0/19  unassigned      YES unset  down                  down
GigabitEthernet1/0/20  unassigned      YES unset  down                  down
GigabitEthernet1/0/21  unassigned      YES unset  up                    up
GigabitEthernet1/0/22  unassigned      YES unset  up                    up
GigabitEthernet1/0/23  unassigned      YES unset  administratively down down
GigabitEthernet1/0/24  unassigned      YES unset  up                    up

VMCisco3750_0#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.160.1 to network 0.0.0.0

     172.17.0.0/27 is subnetted, 1 subnets
C       172.17.0.96 is directly connected, Vlan4
S*   0.0.0.0/0 [1/0] via 192.168.160.1
C    192.168.160.0/20 is directly connected, Vlan1
VMCisco3750_0#

As Jon said, your default gateway for subnet 192.168.160.0 should be the L3 switch, and then have a default route in the L3 switch pointing to the PIX. You are going to need a route in the PIX for the 172.17.0.0 subnet pointing to the L3 switch.

I think I would run into the same problem that Jon mentioned earlier with packets entering and leaving the same interface, which 6.3(5) won't allow.

Bill

You wouldn't, as long as every internal network is routed off your L3 switch. And then on your L3 switch you have a default route pointing to the pix.

The idea is that you only go to the pix inside interface when you want to go out through the pix not to get to another internal subnet. For routing internally use the L3 switch.

HTH

Jon
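The following is an added example, not part of the thread and not Cisco code: a small Python model of the two designs Jon describes (PC default gateway on the PIX versus on the L3 switch). Each node keeps a longest-prefix-match routing table; the PIX node carries a `hairpin_ok=False` flag that models PIX 6.x refusing to forward a packet back out the interface it arrived on. Host addresses (192.168.160.50, 172.17.0.10, 172.17.0.1 on the switch's Vlan4, the 203.0.113.0/24 outside link and the 198.51.100.7 "internet" host) are constructed for the example; only 192.168.160.1 and 192.168.162.87 come from the thread.

```python
"""Trace the ping path for both gateway designs discussed in the thread (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

IP = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: Net
    iface: str
    next_hop: IP | None = None   # None means the prefix is directly connected


@dataclass
class Node:
    name: str
    addrs: dict[str, IP]          # interface name -> address on that interface
    routes: list[Route] = field(default_factory=list)
    hairpin_ok: bool = True       # False models PIX 6.x: no same-interface in/out

    def lookup(self, dst: IP) -> Route | None:
        """Longest-prefix match over the node's routing table."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def ingress_for(self, sender: IP) -> str | None:
        """Interface on which a frame from a directly attached sender arrives."""
        for r in self.routes:
            if r.next_hop is None and sender in r.prefix:
                return r.iface
        return None


def owner(net: dict[str, Node], ip: IP) -> Node | None:
    return next((n for n in net.values() if ip in n.addrs.values()), None)


def trace(net: dict[str, Node], src: str, dst: IP, max_hops: int = 8):
    """Follow one packet hop by hop; returns (path of node names, verdict)."""
    node, ingress, path = net[src], None, [src]
    for _ in range(max_hops):
        if dst in node.addrs.values():
            return path, "delivered"
        route = node.lookup(dst)
        if route is None:
            return path, f"no route at {node.name}"
        if ingress == route.iface and not node.hairpin_ok:
            return path, f"dropped at {node.name}: in and out on {route.iface}"
        target = route.next_hop or dst
        nxt = owner(net, target)
        if nxt is None:
            return path, f"{target} not reachable from {node.name}"
        ingress = nxt.ingress_for(node.addrs[route.iface])
        node = nxt
        path.append(node.name)
    return path, "hop limit exceeded"


def ping(net: dict[str, Node], a: str, b: str):
    """A ping needs both legs: echo request a->b and echo reply b->a."""
    there = trace(net, a, net[b].addrs["eth0"])
    back = trace(net, b, net[a].addrs["eth0"])
    return there, back


def build(pc_gateway: str) -> dict[str, Node]:
    """Thread topology; pc_gateway picks the PIX (original) or the L3 switch (Jon's design)."""
    inside, vm = Net("192.168.160.0/20"), Net("172.17.0.0/24")
    pix = Node("pix", {"inside": IP("192.168.160.1"), "outside": IP("203.0.113.2")},
               [Route(inside, "inside"), Route(Net("203.0.113.0/24"), "outside"),
                Route(vm, "inside", IP("192.168.162.87")),          # route to the VM subnet via the switch
                Route(Net("0.0.0.0/0"), "outside", IP("203.0.113.1"))],
               hairpin_ok=False)
    sw = Node("l3switch", {"Vlan1": IP("192.168.162.87"), "Vlan4": IP("172.17.0.1")},
              [Route(inside, "Vlan1"), Route(vm, "Vlan4"),
               Route(Net("0.0.0.0/0"), "Vlan1", IP("192.168.160.1"))])  # default route to the PIX
    pc = Node("pc", {"eth0": IP("192.168.160.50")},
              [Route(inside, "eth0"), Route(Net("0.0.0.0/0"), "eth0", IP(pc_gateway))])
    vmhost = Node("vmhost", {"eth0": IP("172.17.0.10")},
                  [Route(vm, "eth0"), Route(Net("0.0.0.0/0"), "eth0", IP("172.17.0.1"))])
    internet = Node("internet", {"wan": IP("203.0.113.1"), "web": IP("198.51.100.7")},
                    [Route(Net("203.0.113.0/24"), "wan"), Route(Net("198.51.100.0/24"), "web")])
    return {n.name: n for n in (pix, sw, pc, vmhost, internet)}


if __name__ == "__main__":
    for gw in ("192.168.160.1", "192.168.162.87"):
        print(f"PC default gateway {gw}:")
        for path, verdict in ping(build(gw), "pc", "vmhost"):
            print("  ", " -> ".join(path), "|", verdict)
        path, verdict = trace(build(gw), "pc", IP("198.51.100.7"))
        print("   outbound:", " -> ".join(path), "|", verdict)
```

With the PIX as the PC gateway the echo request dies on the PIX because it would have to leave via `inside`, the interface it arrived on, while the reply leg from the VM host reaches the PC only because the switch routes it directly; a ping therefore fails in both directions. With the switch as gateway both legs stay on the switch and the PIX is only visited for the outbound trace, which is exactly the division of labour Jon describes.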

Alright, I see where you are going; I'll have to think this one out a bit.

I think the best option for my environment would be to directly connect the 172.17 network to the PIX, so I'll see if I have any open interfaces to work with.

Thanks for all the help!

If you need to firewall the 172.17 subnet independently from the 192.168.160 subnet then connecting it to another interface in the PIX is the way to go. If you don't need to firewall that subnet independently then the best way to do it is to route with the L3 switch. Remember that the PIX is not a router and is slower than a L3 switch. If you need a high-speed connection between those subnets the PIX will just make it slower.
