pix 506e and static routing

Unanswered Question
Dec 3rd, 2009

Hi,


I have a pix 506e that is not behaving the way it should. I have three private networks, 10.100.150.x, 10.100.152.x, and 10.100.159.x. The Pix is 10.100.150.32. I added static routes for the 152 and 159 networks but I can't ping them or see them. If I add a static route to windows (route add 10.100.159.0 mask 255.255.255.0 10.100.150.254) then I can ping and view everything on the 159 network. Why can't the PIX do the routing? What did I do wrong?


Thanks,

Adam


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password lfkjsdlfsjfl3 encrypted
passwd fjf534df34fk4jk4 encrypted
hostname pix506e
domain-name abc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.100.150.198 PyramidAlarm2
name 10.100.150.197 PyramidAlarm1
name a.b.c.d PyramidAlarm
access-list outside_access_in permit tcp host PyramidAlarm interface outside eq 8888 log
access-list outside_access_in permit tcp host PyramidAlarm interface outside eq 8887 log
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside x.y.z.125 255.255.255.240
ip address inside 10.100.150.32 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.100.150.50 255.255.255.255 inside
pdm location 10.100.152.0 255.255.255.0 inside
pdm location PyramidAlarm1 255.255.255.255 inside
pdm location PyramidAlarm2 255.255.255.255 inside
pdm location PyramidAlarm 255.255.255.255 outside
pdm location 10.100.159.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 10.100.150.50 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8888 PyramidAlarm1 8888 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8887 PyramidAlarm2 8887 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 173.161.69.126 1
route inside 10.100.152.0 255.255.255.0 10.100.150.254 2
route inside 10.100.159.0 255.255.255.0 10.100.150.254 3
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host 10.100.150.50 0123456789abcdef timeout 5
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console TACACS+ LOCAL
http server enable
http 10.100.150.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.100.150.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.100.150.66-10.100.150.254 inside
dhcpd dns 206.141.192.60 206.141.192.55
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username jason password randomtext encrypted privilege 15
terminal width 80
Cryptochecksum:somerandomvalue
: end

Jon Marshall Thu, 12/03/2009 - 09:43

Adam


A pix firewall running v6.x code cannot route traffic back out the same interface it was received on, i.e. if the packet comes in on the inside interface it cannot then send it back out to its destination via the inside interface.


Pix/ASA devices running v7.x/8.x code can do this - it is a feature called hairpinning and was added after the 6.x code.


Unfortunately pix 501/506e firewalls cannot run v7.x code, i.e. they can't be upgraded. A minimum of pix 515e was needed to upgrade.


Jon
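To make the behaviour Jon describes concrete, here is an added example (not from the thread or from Cisco) that parses the relevant lines of the config posted above and classifies what the PIX would do with a given source/destination pair: forward it between interfaces, leave it to the LAN because both hosts share a subnet, or drop it because it would have to go back out the interface it came in on. The config excerpt is constructed from the post; the outside addresses are documentation-range placeholders standing in for the poster's x.y.z values, and the function names are mine.

```python
"""Check a PIX-style config for routes that would need same-interface
("hairpin") forwarding, which PIX 6.x code does not perform."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed excerpt of the config posted in the thread: only the lines this
# check reads. 192.0.2.x are placeholders for the poster's x.y.z outside addresses.
PIX_CONFIG = """\
ip address outside 192.0.2.125 255.255.255.240
ip address inside 10.100.150.32 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.126 1
route inside 10.100.152.0 255.255.255.0 10.100.150.254 2
route inside 10.100.159.0 255.255.255.0 10.100.150.254 3
dhcpd address 10.100.150.66-10.100.150.254 inside
"""

IFACE_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?$")
DHCP_RE = re.compile(r"^dhcpd address (\S+)-(\S+) (\S+)$")


@dataclass
class Route:
    iface: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int


def parse_config(text):
    """Return ({iface: IPv4Interface}, [Route], {iface: (pool_lo, pool_hi)})."""
    ifaces, routes, pools = {}, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            name, ip, mask = m.groups()
            ifaces[name] = ipaddress.ip_interface(f"{ip}/{mask}")
            continue
        m = ROUTE_RE.match(line)
        if m:
            name, net, mask, gw, metric = m.groups()
            routes.append(Route(name, ipaddress.ip_network(f"{net}/{mask}"),
                                ipaddress.ip_address(gw), int(metric or 1)))
            continue
        m = DHCP_RE.match(line)
        if m:
            lo, hi, name = m.groups()
            pools[name] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
    return ifaces, routes, pools


def connected_interface(ifaces, ip):
    """Interface whose directly attached subnet contains ip, or None."""
    return next((n for n, a in ifaces.items() if ip in a.network), None)


def egress_interface(ifaces, routes, dst):
    """Longest-prefix match: connected subnets win, then static routes
    (ties broken by lowest metric). Returns (iface, gateway_or_None)."""
    name = connected_interface(ifaces, dst)
    if name is not None:
        return name, None
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None, None
    best = max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))
    return best.iface, best.gateway


def check_path(ifaces, routes, src, dst):
    """Classify what the firewall would do with a packet src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    in_if = connected_interface(ifaces, s)
    out_if, _gw = egress_interface(ifaces, routes, d)
    if in_if is None or out_if is None:
        return "no-route"
    if in_if == out_if:
        # Same subnet: the hosts talk on the LAN and the PIX is not on the path.
        if d in ifaces[in_if].network:
            return "direct"
        # Same interface in and out: PIX 6.x drops this (no hairpinning).
        return "hairpin"
    return "forwarded"


def hairpin_routes(ifaces, routes, src_iface):
    """Static routes that hosts on src_iface can never use through this PIX."""
    return [r for r in routes if r.iface == src_iface]


def gateway_in_dhcp_pool(routes, pools):
    """Next hops that sit inside a DHCP pool on the same interface; the PIX
    could then try to lease the router's own address to a client."""
    hits = []
    for r in routes:
        if r.iface in pools:
            lo, hi = pools[r.iface]
            if lo <= r.gateway <= hi:
                hits.append(r)
    return hits


if __name__ == "__main__":
    ifaces, routes, pools = parse_config(PIX_CONFIG)
    for r in hairpin_routes(ifaces, routes, "inside"):
        print(f"route {r.network} via {r.gateway}: unusable for inside hosts on PIX 6.x")
    for src, dst in [("10.100.150.50", "10.100.159.10"),
                     ("10.100.150.50", "203.0.113.10"),
                     ("10.100.150.50", "10.100.150.197")]:
        print(src, "->", dst, check_path(ifaces, routes, src, dst))
    for r in gateway_in_dhcp_pool(routes, pools):
        print(f"next hop {r.gateway} lies inside the {r.iface} DHCP pool")
```

Run against the posted config, both `route inside` entries come back as hairpins for any host on 10.100.150.0/24, which is exactly the traffic that fails, while a packet for the Internet is forwarded normally out `outside`. The Windows `route add` works because it makes the host send 10.100.159.0/24 traffic straight to 10.100.150.254 on the LAN, so the PIX is never on the path. The last check is an added observation from the same config lines: the inside DHCP pool ends at .254, the address the static routes use as their next hop.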

pcguy1111 Thu, 12/03/2009 - 09:53

Thank you for the information. I guess it is a good thing we are replacing the 506e with a Sonicwall NSA 2400 in a couple of months.


Thanks,

resoares Thu, 12/03/2009 - 09:48
Cisco Employee

Hi,


Take a look at the following link; it explains why PIX doesn't support ICMP redirects:



http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml



In your case, you've configured ICMP redirect and it means that specific traffic comes from interface inside and uses the same one to reach the destination.


An example of your scenario:


Hosts Inside LAN ---> PIX ---> Inside LAN Router (.254) --> External


Inbound ICMP through the PIX/ASA is denied by default. Outbound ICMP is permitted, but the incoming reply is denied by default.



Best Regards,

Panos Kampanakis Thu, 12/03/2009 - 14:48
Cisco Employee

Hairpinning is not recommended on firewalls.


If something is behind your inside and needs to talk to something on the inside, internal routing should take care of it.

Having the firewalls act as routers (sending icmp redirects, hairpinning etc) is not their primary purpose.


On later ASA/PIX code versions you COULD make it work.


But again, a network should be designed to use a firewall as a firewall, not as a router. Anything behind the inside is the same security level for the firewall, so equally trusted people should be able to talk to each other directly and not be "firewalled".


PK
