PIX not routing inside traffic

Answered Question
Mar 2nd, 2010
I have a subnet 192.168.1.0/24 that has a PIX515 as the default gateway at 192.168.1.1. All clients on the LAN use the PIX as their default gateway. Recently I added a router with IP 192.168.1.2 that has a second subnet 192.168.2.0/24 connected to it. This being a simple LAN with no routing protocols configured, I added the following statement to the PIX:


"route inside 192.168.2.0 255.255.255.0 192.168.1.2"


For some reason this doesn't work for me.  To test I added the route statement directly to the clients (Windows) with:


"route add 192.168.2.0 mask 255.255.255.0 192.168.1.2"


and this does work. So apparently the PIX is not redirecting traffic to the 192.168.1.2 router correctly.


How do I fix this?


Thanks,

Diego

KARUPPUCHAMY MA... Tue, 03/02/2010 - 06:20
Hi,


I got the problem.


In the initial case, if a client on the 192.168.1.0 network initiates traffic towards the 192.168.2.0 network, the packet flows like this:


client (192.168.1.0/24) ---> Firewall inside interface ---> Router interface (192.168.1.2) ---> destination IP (192.168.2.0)


But the return traffic will not follow the same path, since the router knows the client by MAC address (because the router has an IP in the same network range, 192.168.1.2) and it will forward the packet to the client directly.


So the forward traffic flows via the firewall and the return traffic does not.


If the traffic is initiated from the 192.168.2.0 network to 192.168.1.0, the packet will reach the gateway (router). Since the router knows the destination network directly, it will forward the packet directly. But the return traffic from 192.168.1.0 to 192.168.2.0 will go via the firewall, because your gateway is the firewall.


Since it is a one-way connection, the firewall will not allow the traffic and you cannot ping.


client 192.168.2.0 ---> router ---> client 192.168.1.0 // forward traffic


The return traffic for the above is 192.168.1.0 ---> Firewall ---> router ---> 192.168.2.0


To avoid such a scenario,


1. The first option is to connect your router to the firewall on a different interface and configure a static route to reach 192.168.2.0. This avoids adding routes on the clients.


2. The second option is to configure no ip proxy-arp on your router interface. This avoids the scenario and there is no need to add any routes on the clients.


regards

Karuppu

DIEGO ALONSO Tue, 03/02/2010 - 19:39
Not sure I follow your logic but I can only take option #2 since I don't have any extra interfaces on my devices.  In any case, it seemed like a logical thing but the "no ip proxy-arp" command did not make a difference.  I still have to add routes to my clients to get to the 192.168.2.0/24 subnet.


Any other ideas?  Maybe I should repost in the firewalling group?


Thanks,

Diego

KARUPPUCHAMY MA... Tue, 03/02/2010 - 19:46
Hi,


Can you paste the output of the below command from the router?


sh run | i ip route


You should have a route to 192.168.1.0/24 towards the firewall, and remove the routes on the clients.


Hope it works.


regards

karuppu

Jon Marshall Tue, 03/02/2010 - 22:50
Diego


There are a couple of issues here.


1) Traffic cannot be routed back out of the interface it was received on to get to the destination on a PIX. More specifically, that is the default behaviour, but if you have PIX code v7.x onwards you can change this with something called hairpinning. If you are running v6.x or earlier code you can't and would need to upgrade.


Have you enabled this?


2) As already explained, if the router has an interface in the 192.168.1.2 network it can reply directly to clients, i.e.


Client 192.168.1.10 wants to talk to 192.168.2.10. It sends the packet to the PIX as its default gateway. The PIX forwards it on to the router and the router forwards it to client 192.168.2.10.


But when 192.168.2.10 sends the packet back, the destination IP is 192.168.1.10. It gets to the router, but the router has a directly connected interface in the 192.168.1.x network, so it won't send it to the PIX; it will ARP for the 192.168.1.10 client and, when it gets a response, send it directly to the client, so the PIX never sees the return flow.


The way to fix this would be to NAT all 192.168.1.x source IP addresses to the PIX's 192.168.1.x address on the interface. Then when the router forwards the packet back from 192.168.2.10 it will see a destination IP of the PIX and send the traffic to it. The PIX will then translate it back and forward it to the 192.168.1.x client.


Jon

Correct Answer
mlund Wed, 03/03/2010 - 04:17
Hi


As Jon already explained, the PIX doesn't route traffic back out the same interface it received it on, unless it is code 7.


So one option is to upgrade the pix.


Another option is to make the router 192.168.1.2 the default gateway for the 192.168.1.0 users.

In the router, also configure "ip route 0.0.0.0 0.0.0.0 192.168.1.1".


This way a client talking to the Internet sends the first packet to the default gateway (192.168.1.2); the router receives the packet, sends it out to the PIX and also sends an ICMP redirect to the client, informing it that it should use 192.168.1.1 instead.


A client talking to the 192.168.2.0 net sends the packet to the default gateway (192.168.1.2), which is the router connecting the two networks.


/Mikael
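The following is an added illustration, not part of the thread and not Cisco code: a small Python model of the topology Diego describes (client 192.168.1.10, PIX at 192.168.1.1, router at 192.168.1.2 / 192.168.2.1, host 192.168.2.10) that traces packets hop by hop. It reproduces the three situations discussed above: the PIX refusing to forward back out its inside interface (Jon's point 1), the asymmetric return path that bypasses the firewall once hairpinning is allowed (Karuppu's and Jon's point 2), and Mikael's fix where the router becomes the clients' default gateway and hands Internet-bound traffic to the PIX with an ICMP redirect. The host names, the interface names, the "server" at 192.168.2.10, the "isp" node and the documentation addresses 203.0.113.0/30 and 198.51.100.5 are constructed for the example; the model is a simplification (no ARP, no NAT, one packet per trace) and is meant only to make the path reasoning in the replies visible.

```python
"""Path model for the thread's topology (constructed example, not Cisco code)."""
import ipaddress

IP, NET = ipaddress.ip_address, ipaddress.ip_network


class Node:
    """A host, router or firewall with interfaces and a static routing table."""

    def __init__(self, name, ifaces, routes, firewall=False, hairpin=True):
        self.name = name
        self.ifaces = {n: ipaddress.ip_interface(a) for n, a in ifaces.items()}
        self.routes = [(NET(p), IP(g)) for p, g in routes]   # (prefix, gateway)
        self.firewall, self.hairpin = firewall, hairpin      # hairpin=False models PIX 6.x
        self.redirects = {}     # host routes learned from ICMP redirects: dst -> gateway
        self.sessions = set()   # directions a firewall has actually forwarded: (src, dst)

    def owns(self, ip):
        return any(i.ip == ip for i in self.ifaces.values())

    def iface_for(self, ip):
        """Interface whose connected subnet contains ip, or None."""
        return next((n for n, i in self.ifaces.items() if ip in i.network), None)

    def next_hop(self, dst):
        """Connected > redirect-learned host route > longest static prefix."""
        if self.iface_for(dst):
            return dst, self.iface_for(dst)
        if dst in self.redirects:
            return self.redirects[dst], self.iface_for(self.redirects[dst])
        best = max((r for r in self.routes if dst in r[0]),
                   key=lambda r: r[0].prefixlen, default=None)
        return (None, None) if best is None else (best[1], self.iface_for(best[1]))


def trace(nodes, src_ip, dst_ip):
    """Forward one packet; returns (delivered, [hop names and events])."""
    src_ip, dst_ip = IP(src_ip), IP(dst_ip)
    by_ip = {i.ip: n for n in nodes for i in n.ifaces.values()}
    node, prev, ingress = by_ip[src_ip], None, None
    path = [node.name]
    while not node.owns(dst_ip):
        gw, egress = node.next_hop(dst_ip)
        if gw is None:
            return False, path + ["no route"]
        if node.firewall:
            if ingress == egress and not node.hairpin:
                return False, path + ["dropped: PIX will not forward back out the inside interface"]
            node.sessions.add((src_ip, dst_ip))          # the firewall saw this direction
        elif prev is not None and ingress == egress and prev.iface_for(gw):
            prev.redirects[dst_ip] = gw                  # router sends ICMP redirect to the sender
            path.append(f"redirect->{gw}")
        prev, node = node, by_ip[gw]
        ingress = node.iface_for(gw)
        path.append(node.name)
    return True, path


def build(client_gw, pix_hairpin):
    """The thread's LAN with a chosen client default gateway and PIX behaviour."""
    return [
        Node("client", {"eth0": "192.168.1.10/24"}, [("0.0.0.0/0", client_gw)]),
        Node("pix", {"inside": "192.168.1.1/24", "outside": "203.0.113.2/30"},
             [("192.168.2.0/24", "192.168.1.2"), ("0.0.0.0/0", "203.0.113.1")],
             firewall=True, hairpin=pix_hairpin),
        Node("router", {"fa0": "192.168.1.2/24", "fa1": "192.168.2.1/24"},
             [("0.0.0.0/0", "192.168.1.1")]),             # Mikael's "ip route 0.0.0.0 0.0.0.0 192.168.1.1"
        Node("server", {"eth0": "192.168.2.10/24"}, [("0.0.0.0/0", "192.168.2.1")]),
        Node("isp", {"wan": "203.0.113.1/30", "lo": "198.51.100.5/32"}, []),
    ]


def scenario(client_gw, pix_hairpin):
    """Trace both LAN directions and two Internet-bound packets; report what the PIX saw."""
    nodes = build(client_gw, pix_hairpin)
    pix = nodes[1]
    out = {
        "to_server": trace(nodes, "192.168.1.10", "192.168.2.10"),
        "from_server": trace(nodes, "192.168.2.10", "192.168.1.10"),
        "to_internet_first": trace(nodes, "192.168.1.10", "198.51.100.5"),
    }
    out["to_internet_next"] = trace(nodes, "192.168.1.10", "198.51.100.5")
    out["pix_saw_both_directions"] = ({(IP("192.168.1.10"), IP("192.168.2.10")),
                                       (IP("192.168.2.10"), IP("192.168.1.10"))} <= pix.sessions)
    return out


if __name__ == "__main__":
    for label, gw, hp in [("PIX 6.x, clients use PIX", "192.168.1.1", False),
                          ("PIX 7.x hairpin, clients use PIX", "192.168.1.1", True),
                          ("clients use router (Mikael's fix)", "192.168.1.2", False)]:
        print(label)
        for k, v in scenario(gw, hp).items():
            print(f"  {k}: {v}")
```

Running it shows the first scenario failing at the PIX, the second delivering traffic while the PIX only ever records the client-to-server direction (the reply goes router-to-client directly, which is what breaks any stateful inspection on that path), and the third keeping both LAN directions symmetric through the router while the client learns 192.168.1.1 from the redirect and sends its next Internet-bound packet straight to the PIX.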

DIEGO ALONSO Thu, 03/04/2010 - 15:20
Thanks guys for all the help.


Seems like the solution proposed by Mike is the easiest and simplest to implement.


Thanks again, Diego
