Urgent Help: PIX and VLANs issue

Unanswered Question
Jul 28th, 2004

Hi,

I am using PIX to protect my 3 VLANs. PIX is connected to the trunk ports on the switch.

E0 has VLANs 253, 556, 557:
253 = .253.12
556 = .156.254
557 = .157.254

E1 has VLANs 52, 156, 157:
52 = .52.1
156 = 192.168.156.1
157 = 192.168.157.1

IPs assigned to the VLANs on the router are:
253 - X.X.253.1
556 - X.X.156.1
557 - X.X.157.1
52 - no IP
156 - no IP
157 - no IP

So basically, VLAN 52 is transparent, and VLANs 156 and 157 are NATed. VLAN 253 is the path outside to the Internet.

I can ping all interfaces on the PIX from the router. VLAN 52 also works fine (it uses the physical interface). However, VLANs 156 and 157 (which use logical interfaces) cannot go out. It seems like some translation issue.

Here is the config of the PIX; the error messages I get when I try to go out of VLAN 156 are attached.

:
PIX Version 6.3(1)
interface ethernet0 100basetx
interface ethernet0 vlan253 physical
interface ethernet0 vlan556 logical
interface ethernet0 vlan557 logical
interface ethernet1 100basetx
interface ethernet1 vlan52 physical
interface ethernet1 vlan156 logical
interface ethernet1 vlan157 logical
nameif ethernet0 int253 security0
nameif ethernet1 int52 security99
nameif vlan556 int556 security0
nameif vlan557 int557 security0
nameif vlan156 int156 security99
nameif vlan157 int157 security99
no fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
no fixup protocol http 80
no fixup protocol ils 389
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
names
pager lines 24
logging on
logging timestamp
logging console debugging
logging monitor notifications
logging history notifications
mtu int253 1500
mtu int52 1500
ip address int253 x.x.253.52 255.255.255.0
ip address int52 x.x.52.1 255.255.255.0
ip address int556 x.x.156.254 255.255.255.0
ip address int557 x.x.157.254 255.255.255.0
ip address int156 192.168.156.1 255.255.255.0
ip address int157 192.168.157.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address int253
no failover ip address int52
no failover ip address int556
no failover ip address int557
no failover ip address int156
no failover ip address int157
arp timeout 14400
global (int556) 1 x.x.156.2-x.x.156.250
global (int557) 2 x.x.157.2-x.x.157.250
nat (int52) 0 x.x.52.0 255.255.255.0 0 0
nat (int157) 2 192.168.157.0 255.255.255.0 0 0
nat (int156) 1 192.168.156.0 255.255.255.0 0 0
conduit permit ip any any
conduit permit tcp any any
conduit permit udp any any
router ospf 1
network x.x.0.0 x.x.0.0 area 0
log-adj-changes
redistribute connected subnets
redistribute static subnets
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5

Please help. Thanks in advance.

Senad P.

gfullage Wed, 07/28/2004 - 18:34

To go from a higher security interface (156 and 157) to a lower one (253), you need a nat/global pair (or a static). You have a nat statement for 156 and 157, but no global for 253. Something like the following should get you going:

global (int253) 1 interface
global (int253) 2 interface

This'll PAT everything from 156 and 157 ints to the interface address on 253 (x.x.253.52). If you want to PAT them to a specific other address then replace the "interface" keyword above with that address.

spalislam Wed, 07/28/2004 - 19:49

Thanks gfullage,

My question is why do I have to have int253 as well? Is it because int556 and int557 are logical interfaces? The reason I am asking is because I do not want to send the 156 and 157 traffic out of the PIX to VLAN 253. My VLAN mapping is:

vlan 156 inside goes to vlan 556 outside.

vlan 157 inside goes to vlan 557 outside.

vlan 52 (because there is no NAT involved) goes out via vlan 253. Vlan 253 is the core router VLAN.

I don't want to use PAT. Now what would happen if I have two global (overlapping) statements such as

global (int556) 1 x.x.156.2-x.x.156.250
global (int253) 1 x.x.156.2-x.x.156.250

Would this work?

Like I said, my intention is to move traffic from vlan 156 to vlan 556.

Thanks,

spalislam Tue, 08/03/2004 - 07:20

Thanks for the help. I got it to work. However, now I have a different problem. The connection is up for about 1-2 hours and then stops. There is still about half of the RAM free and CPU utilization is about 12%. ICMP traffic continues to flow, TCP stops entirely, and UDP sometimes works and sometimes does not (nslookup). I would clear arp and xlate and it would start working for about an hour and then stop again (only for TCP). My SSH and HTTP to the PIX do not work either. There is no traffic blocked by the rulesets at all.

Could it be a bad PIX? Or maybe an attack?

Attached are the error messages and new config file.

spalislam Fri, 08/06/2004 - 08:26

OK, I resolved this one as well. I had an old router somewhere on the network advertising the 52.1 IP and changing the routes.

So some packets would go as they should, and some packets would get lost.

All good now.

However, I've got a new question regarding interfaces. Does it matter if the VLAN interfaces all have the same security level, like in the example above:

vlan 541
vlan 556
vlan 557
vlan 253

all being security0, and

vlan 141
vlan 156
vlan 157
vlan 52

all being security99?

Or should they all have different security levels?
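The two rules that run through this thread can be checked mechanically. Below is an added example (not code from the thread or from Cisco) in Python: it parses the nameif, nat, global and conduit lines of the PIX 6.3 config posted above (copied inline as the sample input) and, first, applies the rule gfullage gives, that a nat id on a higher-security interface needs a global with the same id on the lower-security interface the traffic leaves through (without one the PIX logs "No translation group found", syslog 305005, and drops the packet); it lists every lower-security interface that lacks such a global, and the administrator decides which of those egresses are actually used. Second, for the last question, it lists interface pairs that share a security level, because PIX 6.x does not forward traffic between interfaces at the same security level (same-security forwarding only arrived in 7.0), so int556, int557 and int253 at security0 cannot reach each other through this PIX. It also flags the `conduit permit ... any any` lines, which open every lower-security interface to every higher-security one. Function and variable names are the example's own.

```python
"""Checks for a PIX 6.x config: nat/global pairing, same-security interface pairs,
and wide-open conduits.  Added example; the sample config is constructed from the
lines posted in the thread above (addresses kept as the poster masked them)."""
import re
from collections import defaultdict

# Constructed sample input: the relevant lines of the posted config.
PIX_CONFIG = """
nameif ethernet0 int253 security0
nameif ethernet1 int52 security99
nameif vlan556 int556 security0
nameif vlan557 int557 security0
nameif vlan156 int156 security99
nameif vlan157 int157 security99
global (int556) 1 x.x.156.2-x.x.156.250
global (int557) 2 x.x.157.2-x.x.157.250
nat (int52) 0 x.x.52.0 255.255.255.0 0 0
nat (int157) 2 192.168.157.0 255.255.255.0 0 0
nat (int156) 1 192.168.156.0 255.255.255.0 0 0
conduit permit ip any any
conduit permit tcp any any
conduit permit udp any any
"""

NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+(\S+)")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(\S+)\s+(\S+)")
CONDUIT_ANY_RE = re.compile(r"^conduit\s+permit\s+\S+\s+any\s+any\b")


def parse_config(text):
    """Return (security level per interface, interfaces per global id, nat entries)."""
    levels = {}                      # interface name -> security level
    globals_ = defaultdict(set)      # global id -> interfaces carrying that global
    nats = []                        # (source interface, nat id, network)
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAMEIF_RE.match(line):
            levels[m.group(1)] = int(m.group(2))
        elif m := GLOBAL_RE.match(line):
            globals_[int(m.group(2))].add(m.group(1))
        elif m := NAT_RE.match(line):
            nats.append((m.group(1), int(m.group(2)), m.group(3)))
    return levels, globals_, nats


def missing_globals(levels, globals_, nats):
    """For each nat id other than 0, list lower-security interfaces that have no
    global with that id.  nat 0 means no translation and needs no global."""
    missing = []
    for src, nat_id, _net in nats:
        if nat_id == 0 or src not in levels:
            continue
        for dst, lvl in levels.items():
            if lvl < levels[src] and dst not in globals_[nat_id]:
                missing.append((src, nat_id, dst))
    return sorted(missing)


def same_security_pairs(levels):
    """Interface pairs at equal security level: PIX 6.x will not forward between them."""
    names = sorted(levels)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if levels[a] == levels[b]]


def open_conduits(text):
    """Conduit lines that permit a whole protocol from any source to any destination."""
    return [ln.strip() for ln in text.splitlines() if CONDUIT_ANY_RE.match(ln.strip())]


if __name__ == "__main__":
    lv, gl, na = parse_config(PIX_CONFIG)
    for src, nat_id, dst in missing_globals(lv, gl, na):
        print(f"nat ({src}) {nat_id} has no global ({dst}) {nat_id}: "
              f"traffic leaving via {dst} will not be translated")
    for a, b in same_security_pairs(lv):
        print(f"{a} and {b} share security{lv[a]}: no traffic between them on PIX 6.x")
    for ln in open_conduits(PIX_CONFIG):
        print(f"wide-open conduit: {ln}")
```

Run against the posted config, the first check reports that nat ids 1 and 2 have no global on int253 (the gap gfullage pointed out) and also none on each other's outside VLAN, which is harmless if the OSPF routes only ever send 156 traffic out int556 and 157 traffic out int557. Appending the two `global (int253) ... interface` lines from the reply clears the int253 entries. The second check is why pairing int156 with int556 and int157 with int557 works at all: the inside VLANs are security99 and the outside VLANs security0, and any inside-to-inside or outside-to-outside flow through the PIX would need distinct levels on 6.x.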

Posted July 28, 2004 at 5:40 PM