Pix 506 and static routing on trusted interface

Unanswered Question
Jul 3rd, 2006

Hi,

I have recently bought a Cisco PIX 506.

For several days I have been trying to configure a static route on an internal interface, but it does not work.

The internal interface is configured 192.168.1.2 255.255.255.0

The external interface is configured 85.x.162.194 255.255.255.248; the default gateway is 85.x.162.193

My problem is making a static route so that when a packet for an IP in this range (192.168.0.0 255.255.255.0) arrives at the internal interface, the router sends that packet to a default gateway on the inside interface (gateway 192.168.1.2 255.255.255.0).

I paste this configuration to explain, but it does not work:



PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address inside 192.168.1.7 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.x.x.42.162.193 1
route inside 192.168.0.0 255.255.255.0 192.168.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.50-192.168.1.100 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:xxx
: end
pixfirewall(config)#





This configuration works on my old Cisco 837 and gives me no problems:

ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 192.168.0.0 255.255.255.0 192.168.1.1
ip route 192.168.2.0 255.255.255.0 192.168.1.1
ip route 192.168.3.0 255.255.255.0 192.168.1.1





But with this firewall it does not work...

Please help me, because I want to implement this firewall but have not found a good configuration.

Thanks in advance!


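As an added example (not code from the thread or from Cisco), the Python script below lints a constructed excerpt of the configuration posted above for the three things a reviewer would flag on first read: the outside interface is named by `nameif` but never gets an `ip address` line; the `route inside` next hop 192.168.1.1 sits on the inside segment itself, so that route can only serve traffic that arrives on another interface (a PIX 6.x never sends a packet back out the interface it came in on); and `snmp-server community public` is the well-known default community string. The excerpt omits the obfuscated `route outside` line, and the regular expressions are written for the PIX 6.3 syntax shown in the post only.

```python
"""Lint a PIX 6.3 configuration excerpt for the issues visible in the thread.

Added example, not from the thread. Parses a constructed excerpt of the
poster's config and reports:
  * nameif interfaces that never get an `ip address` line,
  * `route <ifname>` statements whose next hop is on that same interface's
    subnet (PIX 6.x will not forward traffic back out its ingress interface,
    so such a route cannot redirect hosts that use the PIX as default gateway),
  * well-known default SNMP community strings.
"""
import ipaddress
import re

# Constructed excerpt of the posted configuration (obfuscated lines omitted).
SAMPLE_CONFIG = """\
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address inside 192.168.1.7 255.255.255.0
pdm location 192.168.0.0 255.255.255.0 inside
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route inside 192.168.0.0 255.255.255.0 192.168.1.1 1
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server community public
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def parse_config(text):
    """Return (interfaces, addresses, routes, snmp_communities) from PIX 6.x text."""
    interfaces = {}   # logical name -> security level
    addresses = {}    # logical name -> IPv4Interface
    routes = []       # (ifname, IPv4Network, next_hop, metric)
    communities = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"nameif\s+\S+\s+(\S+)\s+security(\d+)$", line)
        if m:
            interfaces[m.group(1)] = int(m.group(2))
            continue
        m = re.match(r"ip address\s+(\S+)\s+(\S+)\s+(\S+)$", line)
        if m:
            # ipaddress accepts a dotted netmask after the slash
            addresses[m.group(1)] = ipaddress.IPv4Interface(f"{m.group(2)}/{m.group(3)}")
            continue
        m = re.match(r"route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?$", line)
        if m:
            ifname, dest, mask, gw, metric = m.groups()
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            routes.append((ifname, net, ipaddress.IPv4Address(gw), int(metric or 1)))
            continue
        m = re.match(r"snmp-server community\s+(\S+)$", line)
        if m:
            communities.append(m.group(1))
    return interfaces, addresses, routes, communities


def lint(text):
    """Return a list of human-readable findings for the configuration text."""
    interfaces, addresses, routes, communities = parse_config(text)
    findings = []
    for ifname in interfaces:
        if ifname not in addresses:
            findings.append(f"interface {ifname} has no 'ip address' line")
    for ifname, net, gw, _metric in routes:
        addr = addresses.get(ifname)
        if addr is None:
            continue  # cannot judge a route on an unaddressed interface
        if gw not in addr.network:
            findings.append(f"route {ifname} {net}: next hop {gw} is not on {addr.network}")
        else:
            findings.append(
                f"route {ifname} {net} via {gw}: next hop is on the {ifname} segment, "
                f"so this route only serves traffic arriving on other interfaces; "
                f"hosts on {addr.network} using the PIX as gateway are not redirected")
    for community in communities:
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"snmp-server community '{community}' is a well-known default")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the excerpt it produces exactly three findings: the missing outside address, the inside-to-inside route, and the default community. The same parser can be pointed at a full `write terminal` dump; unknown lines are simply skipped.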
a.kiprawih Mon, 07/03/2006 - 05:58

Hi,


Your IP address for the outside interface is missing. Is it a typo?

Anyway, where do you expect the network traffic destined for 192.168.0.0 255.255.255.0 to originate/come from? Is it coming from the inside interface itself, arriving at the PIX inside interface (ethernet 0), and you expect the PIX to send/route it to 192.168.1.1? This is based on your old C837 router config.

What does the routing configuration of the router with IP 192.168.1.1 look like that makes it send the traffic (192.168.0.0/24) to 192.168.1.2? Can you post the config?

FYI, it is totally different when you use a router to do routing compared to a PIX. A router is intelligent enough to do routing, but not a PIX, e.g. redirecting traffic from one interface to another or to other devices.


Rgds,

AK

masterx81 Mon, 07/03/2006 - 06:19

Is this observation correct, in your view????

I hope it is not correct :-(

Thanks!

The PIX is not a router in the sense you want to use it.

"route inside ......." will route packets coming from the outside to a valid inside gateway, but it will not reroute packets coming from the inside back to an inside gateway.

So if your PC has the PIX as the default gateway, you cannot reroute some packets to the VPN concentrator. You will need either another router or a static route on the PC.

a.kiprawih Mon, 07/03/2006 - 06:23

I am trying to understand your question.


Where does this network traffic destined for 192.168.0.0 255.255.255.0 originate/come from?

Is it coming from the inside interface itself, arriving at the PIX inside interface (ethernet 0), and you expect the PIX to send/route it to 192.168.1.1?


Rgds,

AK

masterx81 Mon, 07/03/2006 - 06:33

Hi,

sorry for my bad English...

I want the static route to work when a machine connected in a trusted zone of the PIX calls an IP in a different subnet, and to reach that subnet the static route sends the request to an internal trusted gateway, for example 192.168.1.1.

I hope you understand...

A call arrives at the PIX on a trusted interface, the PIX has a static route for a specific subnet, and the trusted interface sends the call to another default gateway.

Thanks in advance!!!


a.kiprawih Thu, 07/06/2006 - 04:31

Is it solved/working now?


Rgds,

AK

masterx81 Fri, 07/07/2006 - 07:13

NO :-(

But I have read the command manual; there is one command for making a static route, and it is:

route, and there is one clear example for understanding the static route:

route dmz 192.168.42.0 255.255.255.0 192.168.1.5 1

But when I modify this command to add it to my router, the router gives me an error...

Please help me :-(


grant.maynard Fri, 07/07/2006 - 07:39

You don't have a DMZ.

Your observation is correct: the PIX will not redirect packets from the inside to the inside.

To get round this, use 192.168.1.1 (the internal router) as the default gateway for all hosts on 192.168.1.x. Do not use the PIX as your default gateway.
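The forwarding rule the thread keeps circling (a PIX 6.x never sends a packet back out the interface it arrived on, so `route inside` only helps traffic arriving from another interface, whereas an IOS router happily forwards back onto the same LAN) and grant.maynard's fix (make the internal router the hosts' default gateway) can be traced with the small forwarding simulator below. It is an added example, not code from the thread or from Cisco, and it assumes a constructed topology: the PIX inside address 192.168.1.7 is taken from the posted config (the prose says .2), TEST-NET-3 (203.0.113.0/29) stands in for the obfuscated 85.x.162.192/29 outside segment, and 192.168.0.0/24 is assumed to hang directly off the 192.168.1.1 router, which the poster never states. The intra-interface behaviour is hard-wired per device with a `hairpin_ok` flag; the later PIX/ASA 7.0 `same-security-traffic permit intra-interface` option is not available on a 506, which stays on the 6.3 train.

```python
"""Trace a packet through PIX-vs-router designs from the thread.

Added example, not from the thread. Every device is identified by its one
address on the shared 192.168.1.0/24 LAN. hairpin_ok=False models PIX 6.x
(no forwarding back out the ingress interface); hairpin_ok=True models IOS.
"""
import ipaddress

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


class Device:
    """A hop with interface subnets and a static routing table."""

    def __init__(self, name, interfaces, routes, hairpin_ok):
        self.name = name
        self.interfaces = {n: Net(s) for n, s in interfaces.items()}
        # routes: (destination, next hop or None for connected, egress interface)
        self.routes = [(Net(d), Addr(g) if g else None, i) for d, g, i in routes]
        for ifname, subnet in self.interfaces.items():  # connected routes
            self.routes.append((subnet, None, ifname))
        self.hairpin_ok = hairpin_ok

    def interface_for(self, ip):
        """Interface whose subnet contains ip, or None."""
        for name, subnet in self.interfaces.items():
            if ip in subnet:
                return name
        return None

    def lookup(self, dst):
        """Longest-prefix match; returns (network, next_hop, egress) or None."""
        best = None
        for net, gw, ifname in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, ifname)
        return best

    def forward(self, arrived_from, dst):
        """Return ('deliver'|'forward'|'drop', egress_if, next_hop)."""
        ingress = self.interface_for(arrived_from)
        match = self.lookup(dst)
        if match is None:
            return ("drop", None, None)
        _net, gw, egress = match
        next_hop = gw if gw is not None else dst
        if egress == ingress and not self.hairpin_ok:
            return ("drop", egress, next_hop)   # the PIX 6.x hairpin case
        return ("deliver" if gw is None else "forward", egress, next_hop)


def trace(devices, src, dst, first_hop, max_hops=8):
    """Follow a packet from src via the device at first_hop; return the path."""
    src, dst, hop = Addr(src), Addr(dst), Addr(first_hop)
    by_ip = {Addr(ip): dev for ip, dev in devices.items()}
    arrived_from, path = src, []
    for _ in range(max_hops):
        dev = by_ip.get(hop)
        if dev is None:
            path.append(f"leaves the simulated network toward {hop}")
            return path
        action, egress, next_hop = dev.forward(arrived_from, dst)
        ingress = dev.interface_for(arrived_from)
        if action == "drop":
            path.append(f"{dev.name}: DROP (ingress {ingress}, egress {egress})")
            return path
        if action == "deliver":
            path.append(f"{dev.name}: delivered out {egress} to {dst}")
            return path
        path.append(f"{dev.name}: {ingress} -> {egress}, next hop {next_hop}")
        arrived_from, hop = hop, next_hop
    path.append("hop limit reached")
    return path


# Constructed topology. 203.0.113.0/29 is a placeholder for the obfuscated
# outside segment; 192.168.1.7 is the PIX inside address from the posted config.
PIX = Device(
    "pix", {"inside": "192.168.1.0/24", "outside": "203.0.113.0/29"},
    [("0.0.0.0/0", "203.0.113.1", "outside"),
     ("192.168.0.0/24", "192.168.1.1", "inside")],   # the posted 'route inside'
    hairpin_ok=False)
ROUTER = Device(
    "router", {"inside": "192.168.1.0/24", "lan2": "192.168.0.0/24"},
    [("0.0.0.0/0", "192.168.1.7", "inside")],        # everything else to the PIX
    hairpin_ok=True)
DEVICES = {"192.168.1.7": PIX, "192.168.1.1": ROUTER}


def pix_as_gateway(dst="192.168.0.10"):
    """Design in the post: DHCP client 192.168.1.50 uses the PIX as gateway."""
    return trace(DEVICES, "192.168.1.50", dst, "192.168.1.7")


def router_as_gateway(dst="192.168.0.10"):
    """grant.maynard's fix: the client uses the internal router as gateway."""
    return trace(DEVICES, "192.168.1.50", dst, "192.168.1.1")


if __name__ == "__main__":
    for label, path in (("PIX as gateway", pix_as_gateway()),
                        ("router as gateway", router_as_gateway()),
                        ("router as gateway, Internet", router_as_gateway("198.51.100.5"))):
        print(label, "->", " | ".join(path))
```

With the PIX as gateway the 192.168.0.0/24 packet matches the posted `route inside` but egress equals ingress, so the PIX drops it. With the router as gateway the same packet is delivered directly, and Internet-bound traffic goes router -> PIX -> outside; the router forwarding back onto the same LAN is what IOS does and the PIX 6.x does not.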
