08-15-2007 08:07 AM - edited 03-11-2019 03:58 AM
Working with a Pix 535 ver 6.3(5)
The pix is the default gateway for the entire subnet 192.168.160.0 255.255.240.0.
I have since added a VMware environment that I have put into the 172.17.0.0 space for a number of reasons. The VMware subnet is accessible via 192.168.162.87 (I am doing the layer 3 switching & inter VLAN routing on a switch at this address).
I can get everything to work by adding a static route in the PCs I am working on, but I want to accomplish this in the pix.
[Pix: 192.168.160.1 (inside)]---->[Cisco 6500]--->[VMware Switch: 192.168.162.87]----->172.17.0.0/24 network.
Can I do something like this?
ip address VMware 172.17.0.1 255.255.255.0
static (inside,VMware) 192.168.160.1 172.17.0.1 netmask 255.255.255.255
route VMware 172.17.0.0 255.255.255.0 192.168.162.87 1
edit: I should mention that the VMnetwork is not directly connected.
08-15-2007 08:47 AM
Hi Bill
Just to confirm, if a client on the 192.168.160.x subnet wanted to communicate with the 172.17.0.0 subnet does the traffic go from the client to the pix inside interface, back out the inside interface to the VMware switch and then to the subnet.
If so, this will not work with pix ver 6.x as you cannot send traffic back out the same interface it came in on to its destination.
You have 2 choices if you don't want to add static routes to PCs:
1) Upgrade pix to v7.x where you can send traffic back out same interface. It's called hairpinning. Be aware that v7.x config is quite different from v6.x
2) Migrate the default gateway of your 192.168.160.x clients to the L3 switch.
I would go with 2.
HTH
Jon
08-15-2007 09:07 AM
Jon,
That is exactly what would happen, traffic would go in/out the same interface on the pix.
I'll give the default gateway a shot, though I do have a 515 running v7 around.
Thanks!
08-15-2007 09:33 AM
Ok, getting close but I am having a mental block here.
I can ping my 172.17 hosts from outside (192.168.*.*)
My 172.17 hosts can ping each other.
My 172.17 hosts can ping the L3 switch gateway 192.168.162.87
My L3 Switch can ping the rest of the network 192.168.*.*
My 172.17 hosts can not ping the rest of the 192.168.*.* network.
[172.17.0.*]--->[Cisco 3750 192.168.162.87]--->192.168.160.* /20
Cisco 3750 config: (the hosts I am trying to ping from are on Vlan 4 [management])
ok, too long for a full post, but:
08-15-2007 09:33 AM
VMCisco3750_0#sh vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/21, Gi1/0/22, Gi1/0/23
Gi1/0/24
2 iSCSI active Gi1/0/1, Gi1/0/2, Gi1/0/3
Gi1/0/4, Gi1/0/5, Gi1/0/6
Gi1/0/7, Gi1/0/8, Gi1/0/9
Gi1/0/10, Gi1/0/11, Gi1/0/12
3 VMotion active Gi1/0/13, Gi1/0/14
4 Management active Gi1/0/15, Gi1/0/16, Gi1/0/17
Gi1/0/18, Gi1/0/19, Gi1/0/20
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
2 enet 100002 9000 - - - - - 0 0
3 enet 100003 1500 - - - - - 0 0
4 enet 100004 1500 - - - - - 0 0
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0
Remote SPAN VLANs
------------------------------------------------------------------------------
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
VMCisco3750_0#
08-15-2007 09:33 AM
VMCisco3750_0#sh ip int brief
Interface IP-Address OK? Method Status Protocol
Vlan1 192.168.162.87 YES NVRAM up up
Vlan2 unassigned YES manual up up
Vlan3 unassigned YES manual up up
Vlan4 172.17.0.97 YES NVRAM up up
GigabitEthernet1/0/1 unassigned YES unset up up
GigabitEthernet1/0/2 unassigned YES unset down down
GigabitEthernet1/0/3 unassigned YES unset up up
GigabitEthernet1/0/4 unassigned YES unset down down
GigabitEthernet1/0/5 unassigned YES unset up up
GigabitEthernet1/0/6 unassigned YES unset down down
GigabitEthernet1/0/7 unassigned YES unset up up
GigabitEthernet1/0/8 unassigned YES unset up up
GigabitEthernet1/0/9 unassigned YES unset up up
GigabitEthernet1/0/10 unassigned YES unset up up
GigabitEthernet1/0/11 unassigned YES unset up up
GigabitEthernet1/0/12 unassigned YES unset down down
GigabitEthernet1/0/13 unassigned YES unset up up
GigabitEthernet1/0/14 unassigned YES unset up up
GigabitEthernet1/0/15 unassigned YES unset up up
GigabitEthernet1/0/16 unassigned YES unset up up
GigabitEthernet1/0/17 unassigned YES unset down down
GigabitEthernet1/0/18 unassigned YES unset up up
GigabitEthernet1/0/19 unassigned YES unset down down
GigabitEthernet1/0/20 unassigned YES unset down down
GigabitEthernet1/0/21 unassigned YES unset up up
GigabitEthernet1/0/22 unassigned YES unset up up
GigabitEthernet1/0/23 unassigned YES unset administratively down down
GigabitEthernet1/0/24 unassigned YES unset up up
VMCisco3750_0#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.160.1 to network 0.0.0.0
172.17.0.0/27 is subnetted, 1 subnets
C 172.17.0.96 is directly connected, Vlan4
S* 0.0.0.0/0 [1/0] via 192.168.160.1
C 192.168.160.0/20 is directly connected, Vlan1
VMCisco3750_0#
08-15-2007 10:32 AM
As Jon said, your default gateway for subnet 192.168.160.0 should be the L3 switch, and then have a default route in the L3 switch pointing to the PIX. You are going to need a route in the PIX for the 172.17.0.0 subnet pointing to the L3 switch.
08-15-2007 10:50 AM
I think I would run into the same problem that Jon mentioned earlier with packets entering and leaving the same interface, which 6.3(5) won't allow.
08-15-2007 10:57 AM
Bill
You wouldn't, as long as every network internally is routed off your L3 switch. And then on your L3 switch you have a default route pointing to the pix.
The idea is that you only go to the pix inside interface when you want to go out through the pix not to get to another internal subnet. For routing internally use the L3 switch.
HTH
Jon
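The forwarding behaviour Jon and Joe describe, written out as a small route-lookup simulation. This is an added example, not code from any of the posts: it models longest-prefix-match lookup plus the PIX 6.x rule that a packet may not leave on the interface it arrived on, and compares "PIX as default gateway" with "L3 switch as default gateway". Device addresses and the 172.17.0.96/27 prefix are taken from the thread's output; the host addresses 192.168.160.50 and 172.17.0.100, the PIX outside addresses 203.0.113.x and the internet destination 198.51.100.7 are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    next_hop: Optional[str] = None  # None means directly connected


class Device:
    def __init__(self, name, addrs, routes, allow_hairpin=True):
        self.name = name
        self.addrs = addrs  # iface -> this device's own address on that interface
        self.routes = [Route(ipaddress.ip_network(p), i, nh) for p, i, nh in routes]
        self.allow_hairpin = allow_hairpin  # False models PIX 6.x, True models v7.x / IOS

    def lookup(self, dst):
        # Longest prefix match, as a real routing table does.
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def ingress_iface(self, prev_hop):
        # The packet arrived on whichever interface's connected network holds prev_hop.
        for r in self.routes:
            if r.next_hop is None and prev_hop in r.prefix:
                return r.iface
        return None


def trace(src, dst, gateway, devices, max_hops=8):
    """Follow a packet from src toward dst, starting at the host's gateway.
    Returns a list of (device, decision) tuples ending in deliver, drop or exit."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    path, prev, dev = [], src, devices[gateway]
    for _ in range(max_hops):
        ingress = dev.ingress_iface(prev)
        route = dev.lookup(dst)
        if route is None:
            path.append((dev.name, "drop: no route"))
            return path
        if route.iface == ingress and not dev.allow_hairpin:
            path.append((dev.name, f"drop: would exit {route.iface}, the interface it arrived on"))
            return path
        if route.next_hop is None:
            path.append((dev.name, f"deliver on {route.iface}"))
            return path
        path.append((dev.name, f"forward via {route.iface} to {route.next_hop}"))
        if route.next_hop not in devices:
            path.append((route.next_hop, "outside the modelled topology"))
            return path
        prev = ipaddress.ip_address(dev.addrs[route.iface])
        dev = devices[route.next_hop]
    path.append((dev.name, "drop: hop limit"))
    return path


def build(pix_hairpin=False, pix_vm_route=True):
    pix_routes = [("192.168.160.0/20", "inside", None),
                  ("0.0.0.0/0", "outside", "203.0.113.1")]  # constructed upstream address
    if pix_vm_route:  # the route Joe says the PIX needs for the VMware subnet
        pix_routes.append(("172.17.0.0/24", "inside", "192.168.162.87"))
    pix = Device("PIX 535", {"inside": "192.168.160.1", "outside": "203.0.113.2"},
                 pix_routes, allow_hairpin=pix_hairpin)
    sw = Device("3750", {"Vlan1": "192.168.162.87", "Vlan4": "172.17.0.97"},
                [("192.168.160.0/20", "Vlan1", None),
                 ("172.17.0.96/27", "Vlan4", None),  # as in the sh ip route output
                 ("0.0.0.0/0", "Vlan1", "192.168.160.1")])
    # Key the topology by every address a device owns so any gateway address resolves.
    return {addr: d for d in (pix, sw) for addr in d.addrs.values()}


def pix_as_gateway_v6():  # original design: PIX 6.3 is the hosts' gateway
    return trace("192.168.160.50", "172.17.0.100", "192.168.160.1", build(pix_hairpin=False))

def pix_as_gateway_v7():  # option 1: PIX upgraded, hairpinning allowed
    return trace("192.168.160.50", "172.17.0.100", "192.168.160.1", build(pix_hairpin=True))

def switch_as_gateway():  # option 2: L3 switch is the hosts' gateway
    return trace("192.168.160.50", "172.17.0.100", "192.168.162.87", build())

def reply_via_switch():  # return traffic from the VMware subnet routes on the switch
    return trace("172.17.0.100", "192.168.160.50", "172.17.0.97", build())

def reply_without_pix_route():  # a 192.168 host still using the PIX, PIX lacking the 172.17 route
    return trace("192.168.160.50", "172.17.0.100", "192.168.160.1", build(pix_vm_route=False))

def switch_to_internet():  # internal traffic only touches the PIX on its way out
    return trace("192.168.160.50", "198.51.100.7", "192.168.162.87", build())


if __name__ == "__main__":
    for name in ("pix_as_gateway_v6", "pix_as_gateway_v7", "switch_as_gateway",
                 "reply_via_switch", "reply_without_pix_route", "switch_to_internet"):
        print(name, globals()[name]())
```

The `reply_without_pix_route` case is the symptom Bill reports: a 192.168 host that still points at the PIX, or a PIX with no route for 172.17.0.0, sends the reply out the default route and it never comes back, which is why the PIX needs the route even once the L3 switch does the internal routing.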
08-15-2007 11:14 AM
Alright, I see where you are going; I'll have to think this one out a bit.
I think the best option for my environment would be to directly connect the 172.17 network to the PIX, so I'll see if I have any open interfaces to work with.
Thanks for all the help!
08-15-2007 12:29 PM
If you need to firewall the 172.17 subnet independently from the 192.168.160 subnet, then connecting it to another interface in the PIX is the way to go. If you don't need to firewall that subnet independently, then the best way to do it is to route with the L3 switch. Remember that the PIX is not a router and it's slower than an L3 switch. If you need a high-speed connection between those subnets, the PIX will just make it slower.