Pix 501, Outside Interface is non-routable

Unanswered Question
Nov 19th, 2009

I know my setup is ugly. I am double NAT'ing the pix as it sits behind my linksys router. So, the linksys gave the pix an IP via DHCP. I am able to browse to the machines behind the pix locally while connected to my network on the linksys, but unable to access the pix via ssh or the other machines behind it via port redirection. Here is what I've done that I thought would work.

I exposed the pix outside IP, which is non-routable and given by the linksys router, as the DMZ. This should open all ports and allow connectivity to the pix. However, it appears that I need to add a NAT for my real IP given by my ISP on the pix to NAT to the non-routable outside interface of the pix, which is connected to a port on the linksys.

My question is, how can I NAT my real outside IP to my non-routable outside interface on my pix? I was thinking of doing the following but wasn't sure if it would work.

I was thinking of creating a mgmt interface and creating a NAT from the public IP from the ISP to the mgmt interface. But I'm not 100% sure that this would resolve the problem because I would still need to access the workstations behind it using port redirection.

Thanks for any insight.

Kureli Sankar Thu, 11/19/2009 - 18:17

Please provide us a topology next time you post a question and indicate exactly where the client or server lives.

So the topology is as follows:

inside_network--PIX--Linksys---Internet---client

You are trying to ssh to the PIX from the client on the internet?

You need to do translation on Linksys.

stephenq78 Thu, 11/19/2009 - 18:23

Topology is as follows:

DSL Modem - Linksys Router - Pix FW - netgear switch.

I agree with you, I need to NAT, but how can I NAT the real, actual IP provided by my ISP to the outside interface of the pix, which is behind the linksys?

How will I configure a static to read: static (outside,outside)

Because I need the real IP provided by my ISP to be NAT'd to the outside interface, which is actually a private IP given by the linksys.

And thanks for your help.

Kureli Sankar Thu, 11/19/2009 - 19:43

What is the purpose of the Linksys Router? Can you eliminate that?

If the Linksys is only for DHCP purposes, you can do that on the PIX501. If it is providing wireless access, then it is better to move it behind the PIX.

I am not sure how translation works on Linksys. So, I can't help you there.

static (outside,outside) is not going to work. That is to U-Turn traffic, and the same-security traffic feature is not there in the 6.x code which the PIX501 runs.

stephenq78 Thu, 11/19/2009 - 20:34

Well, I didn't want to completely remove the linksys router, but I guess I will have to put it behind the pix if there is no other config that will work. NAT'ing on the linksys won't work, as I tried that already. The only thing I can think of would be to create a mgmt interface and NAT that to the public IP of my DSL modem. But in doing that, will I be able to use port redirection to the other workstations that are behind the pix is my question.

Kureli Sankar Thu, 11/19/2009 - 20:43

I am not sure how NAT config works or is configured on the Linksys, so I am unable to say.

If you were to do the same thing on the PIX, which is:

1. do static PAT for certain ports to certain inside hosts

2. do static PAT for certain other ports to the DMZ hosts

it will work with one public IP address. So, give it a shot and see if it works; just do it for TCP port 22 and configure ssh for that new interface.

I believe the PIX should protect the Linksys, so it makes sense to move it behind the PIX.

Jon Marshall Fri, 11/20/2009 - 04:55

I agree with Kusankar. If the linksys router is only serving as a router and the DSL modem presents as ethernet to the linksys, then I would simply eliminate the linksys router altogether and just have the pix DHCP for its outside IP address.

If the linksys router is using wireless then it is more of an issue. It's not as simple as moving it behind the pix because then you have wireless directly on your LAN.

What exactly is the linksys doing, and does the DSL modem present as ethernet?

Jon

stephenq78 Fri, 11/20/2009 - 11:15

The linksys is serving as a wireless access point for my wireless network. I guess the hardest part for me to figure out is why the pix won't interpret the outside interface for my real routable IP. All the workstations behind the pix are able to ping.

So here is an example of my setup.

The workstations behind the pix are, let's say, 1.1.1.1-.5. So on the pix I have a NAT for 10.1.1.1-.5 NAT'd to 172.1.1.1-.5. Since my Linksys network is 172.1.1, I static NAT'd the workstations behind the pix to an available IP from the linksys network. So on the linksys network I can RDP, FTP, telnet, browse etc. to the devices behind the pix using the 172.1.1.x IP, since it is NAT'd to the 10.1.1.x that the workstations reside on.

Now I'm assuming, shouldn't the Linksys also send that same traffic to the outside interface, since I have the outside interface of the pix exposed as the DMZ on the linksys?

Jon Marshall Fri, 11/20/2009 - 11:50

Stephen

It depends on the NAT settings on your linksys, i.e. you would need to NAT, or more likely port forward, on the linksys to the outside interface of the pix.

Do you know what the linksys is doing regarding NAT/PAT?

Jon

stephenq78 Fri, 11/20/2009 - 11:55

Yes, so, I tried to do a port forwarding to the outside interface on port ssh for testing and that did not work. Now I haven't tried to access the workstations from the internet using port redirection on the pix, because I assumed that if I couldn't ssh to the pix I won't be able to access the devices behind it.

The linksys is NAT'ing, but I'm thinking the pix wants a NAT for my external IP. Not sure, just throwing something out there.

Jon Marshall Fri, 11/20/2009 - 12:06

stephenq78 wrote:

Yes, so, I tried to do a port forwarding to the outside interface on port ssh for testing and that did not work. Now I haven't tried to access the workstations from the internet using port redirection on the pix, because I assumed that if I couldn't ssh to the pix I won't be able to access the devices behind it.

The linksys is NAT'ing, but I'm thinking the pix wants a NAT for my external IP. Not sure, just throwing something out there.

Stephen

The pix wouldn't really care too much about whether it had an external IP or not in this scenario. Perhaps you should try port forwarding on the linksys to a host behind your pix, i.e. try this:

host/server behind pix = 192.168.5.0

service running on server = http

port forward on the linksys - public IP port 80 to 192.168.5.10 80

then on the pix

static (inside,outside) 192.168.5.10 192.168.5.10

Obviously you will also need to allow the traffic through the pix with an ACL, e.g.

access-list outside_in permit tcp any host 192.168.5.10 eq 80

Jon

stephenq78 Fri, 11/20/2009 - 14:05

Ok, thanks to you all for help and responses. I have it up and running. Looks like it was an ID10T error on my part. I was about to post my config when I realized I had a static route by accident on the linksys pointing to the wrong network. I was using a previous config on my old lab and that was the culprit. So ok, just in case someone else runs into this issue and wants to know what was done or just an FYI.

I have some workstations in front of the pix connected to a linksys and some behind the pix. The reason for this config is for lab purposes. I have several virtual machines and networks running off of these servers.

The pix outside interface has an internal IP supplied via DHCP from the linksys. I have exposed the linksys as the DMZ. I have the default route of the pix pointing to the IP of the linksys. I have a NAT for the devices and virtuals behind the pix pointed to available IPs of the linksys network.

On the pix I am using port redirection to connect to the workstations behind the pix. This can also be accomplished using the linksys port forwarding, but I prefer the port redirection on the pix. Also, I have a VPN tunnel that I am able to use to VPN to the pix and access the device behind it if need be.

Again thank you all for your help. This site is awesome.
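The arrangement the thread converges on (Jon's port-forward-plus-static suggestion and Stephen's final description: Linksys forwards a port to a spare address on its own LAN, the PIX statically maps that address to an inside host and permits only that port) written out as an added PIX 6.x configuration fragment. This is not from the original posts; the addresses, interface names and the 3389 service port are constructed for illustration.

```cisco
: Added example (not from the thread): PIX 6.x double-NAT setup.
: Constructed addresses:
:   Linksys LAN     192.168.1.0/24, Linksys LAN address 192.168.1.1
:   PIX outside     DHCP lease from the Linksys
:   PIX inside      10.1.1.0/24, workstation to reach from outside: 10.1.1.10
:   192.168.1.10    unused Linksys-LAN address the PIX will answer for
hostname pixlab
domain-name lab.example
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside dhcp
ip address inside 10.1.1.254 255.255.255.0
: Default route toward the Linksys LAN address (what Stephen describes)
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
: Outbound: inside hosts PAT to whatever lease the outside interface holds
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
: Inbound port redirection 192.168.1.10:3389 -> 10.1.1.10:3389.
: The PIX proxy-ARPs for 192.168.1.10 on the Linksys LAN, so a Linksys
: port-forward rule "public:3389 -> 192.168.1.10:3389" lands on this static
: without the PIX ever needing to know the ISP-assigned public address.
static (inside,outside) tcp 192.168.1.10 3389 10.1.1.10 3389 netmask 255.255.255.255 0 0
: Only the redirected port is opened; the implicit deny covers the rest.
access-list outside_in permit tcp any host 192.168.1.10 eq 3389
access-group outside_in in interface outside
: Management: ssh to the outside interface from the Linksys LAN only.
: (ssh also needs an RSA key: "ca generate rsa key 1024" then "ca save all".)
: For ssh from the Internet, forward public:22 to the PIX outside lease on
: the Linksys and add one line per admin source instead of 0.0.0.0 0.0.0.0:
:   ssh ADMIN_PUBLIC_IP 255.255.255.255 outside   (placeholder value)
ssh 192.168.1.0 255.255.255.0 outside
ssh timeout 10
```

Because the PIX outside address is a DHCP lease, a Linksys rule that forwards to that lease only stays valid while the Linksys keeps handing out the same address; mapping inbound services to a spare LAN address via the static, as above, avoids that dependency.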
