New Member

Configuring Pix behind a Pix

Hi

We have one Pix sitting as f/w for our servers. I now want to configure another Pix, whose outside interface is on the same subnet as the inside interface of the first Pix. The second Pix will be in front of our LAN, so you can consider the servers to be in a DMZ. The outside Pix is working fine, so I don't really want to touch that too much.

I have set up the second Pix pretty much the same as the first; however, I cannot seem to ping between DMZ and LAN. With the same setup on the first Pix, I can ping between the internet and DMZ.

The only difference is that the outside Pix has NATting, and I want to avoid it on the inside one, although if it is needed, then that is fine.

Internet --- Pix1 ---- Servers --- Pix2 ---- LAN

Any ideas where I should look first?

Thank you in advance.

Regards

Ali

19 REPLIES
Hall of Fame Super Blue

Re: Configuring Pix behind a Pix

Ali

Depending on the Pix version of software you could either

1) turn off nat ie. no nat-control

OR

2) use static entries ie. assuming your LAN is 192.168.5.0/24

static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0

Both the above are changes you make on the new pix.

Jon

New Member

Re: Configuring Pix behind a Pix

Jon,

Thanks for your fast response !!

I have opted for the first option, although I also tried option 2. However, neither seems to be working. We are using Pix version 8.02 for both PIXes.

The LAN security is 100

The Servers are 50

The outside of Pix1 is 0

So essentially, the inside int of Pix1 and outside int of Pix2 are both on 50, and I have allowed hosts on the same security level to talk to each other.

For Pix1, I have the following static routes (if that helps)

route outside 0.0.0.0 0.0.0.0 190.xxx.yyy.1 1

route outside 192.168.5.0 255.255.255.0 LAN 1

(where 190.xxx.yyy.1 is our router/gateway to the internet)

For Pix2, i have the following Static routes

route outside 0.0.0.0 0.0.0.0 192.168.105.1 1

Where 192.168.105.0/24 is the internal IP range of the DMZ

thanks a lot

Ali

Hall of Fame Super Blue

Re: Configuring Pix behind a Pix

Ali

Where are you trying to communicate from, and to where? e.g. IP addresses etc.

Have you allowed the access with acl's ?

Could you provide some more detail.

Jon

New Member

Re: Configuring Pix behind a Pix

Sorry Jon, for the confusion

The following apply

LAN - 192.168.5.0/24

DMZ - 192.168.105.0/24

The DMZ IPs translate statically to 190.xxx.yyy.0/24 on the outside int of Pix1. So on the inside we have 192.168.105.0/24

Pix2

Outside interface - 192.168.105.9

Inside interface - 192.168.5.1

We want the hosts on the LAN to be able to talk to the DMZ hosts, which by nature of a firewall it should, as it is outbound (but it isn't).

We also want communication from 192.168.105.0/24 (DMZ) to the LAN controlled by ACLs (which have been setup)

Internet
   |
(190.xxx.yyy.0/24)
   |
PIX with Static NAT
   |
(192.168.105.0/24) = DMZ
192.168.105.9
   |
PIX
   |
LAN

Hope this helps

Ali

Hall of Fame Super Blue

Re: Configuring Pix behind a Pix

Ali

What is the default gateway set to on the servers in the DMZ? If it is set to Pix1:

1) Have you enabled hairpinning on that Pix? I suspect you have because of your statement "i have allowed hosts on the same security level to talk to each other".

2) Your route -

route outside 192.168.5.0 255.255.255.0 LAN 1

this should read -

route inside 192.168.5.0 255.255.255.0 LAN 1

Jon

New Member

Re: Configuring Pix behind a Pix

Jon,

The default gateway for the DMZ is the inside interface of Pix1, 192.168.105.1

1. We did not enable hairpinning as it was a real big issue, and in the end we edited host files for internal communication.

2. I have changed the static route as you have mentioned.

Now we're getting somewhere. I can TS and ping both ways, from DMZ to LAN and vice versa. I cannot, however, access the internet from the LAN (but can from DMZ). Both TCP and UDP port 53 are open, as well as http inbound on Pix1 and Pix2. I have a DNS server in the DMZ which I have made the DNS server for the LAN hosts for now. I can ping and TS both ways from and to, but cannot access the web. Perhaps there is still a small config adjustment to be made.

Thanks for your help

Ali

Hall of Fame Super Blue

Re: Configuring Pix behind a Pix

Ali

If you have NAT turned off then your internal addresses will not be changed, so they will go out onto the Internet as 192.168.5.x, which are not routable, unless you have a catch-all NAT statement on Pix1 that translates all addresses arriving on its inside interface.

If you don't, you need to modify Pix1 to include 192.168.5.x in its NAT statements so these addresses are NATted to a public IP before going onto the Internet.

Jon

New Member

Re: Configuring Pix behind a Pix

Hi Jon

Thanks for the suggestion, I got internet working, and I can TS from LAN to DMZ. I cannot ping from LAN to DMZ; am I right to assume that this is because ICMP is not a stateful connection, and my NAT is set up as follows

nat-control

global (Outside) 1 interface

nat (inside) 1 192.168.5.0 255.255.255.0

In other words, as the ASDM shows, everything on the 192.168.5.0/24 range goes out through the inside interface and is mapped as the Outside interface. The arrow direction is outbound; there is nothing to show inbound.

If this is the case, can you please advise how I can enable pinging from LAN to DMZ, and further to that, if I can allow communication from DMZ to LAN, as this was working when I had no NATting.

Thanks a lot

Ali

Hall of Fame Super Blue

Re: Configuring Pix behind a Pix

Ali

static (inside,dmz) 192.168.5.0 192.168.5.0 netmask 255.255.255.0

then you need to have an acl on the DMZ interface to allow traffic into the LAN. Be careful with the acl, it should follow this logic

1) allow ICMP back to LAN

2) allow any ports from DMZ to LAN you want

3) deny all other traffic from DMZ to LAN

4) Permit all other traffic

without 4) the DMZ will not be able to communicate to other addresses reachable via different interfaces.

Jon

New Member

Re: Configuring Pix behind a Pix

Jon,

OK, thanks, but I am a little stuck.

1) was already in the ACL

2) was already configured

3) there is an implicit rule which denies all inbound IP traffic after all the ACLs have been evaluated. As you know, the outside interface of Pix2 sits in the inside network /24 of Pix1, hence I assume I can use this implicit rule for 3)

4) Is this to be input into Pix1 or Pix2? If so, how do you go about this rule?

thanks a lot

Ali

Hall of Fame Super Blue

Re: Configuring Pix behind a Pix

Ali

Have you set up the NAT statement at the start of my last post ie.

static (inside,dmz) 192.168.5.0 192.168.5.0 netmask 255.255.255.0

Jon

New Member

Re: Configuring Pix behind a Pix

Jon, yes I put that in; I ended up with two NAT statements.

The first is the one I had, which says all the hosts in the LAN are translated to the IP of the outside interface. This works a treat, as it started to allow web access and TS into the DMZ. It didn't allow pinging because I think ICMP is stateless. (But I could not ping into the LAN, as their IPs were being translated to the outside of Pix2, nor could I TS into the LAN.)

When I added your suggestion, that created some confusion in the system, so I removed my NAT statement and left yours in. This allowed TS and ping both ways but didn't allow access to the internet. I have the hosts pointing to a DNS server sitting in the LAN.

Thanks

Ali

Hall of Fame Super Blue

Re: Configuring Pix behind a Pix

Ali

Is there any chance of posting config of both pix firewalls or at the least the inside pix firewall ?

Jon

New Member

Re: Configuring Pix behind a Pix

Ok Jon, I have attached here the config for the inside Pix.

thanks

Hall of Fame Super Blue

Re: Configuring Pix behind a Pix

Ali

Okay, I see where I went wrong. I forgot that what we are calling the DMZ is not actually another interface on the inside Pix but still the outside interface. So when I asked you to add that other NAT statement, that would indeed have created confusion. Apologies for that.

The reason I suspect that just adding my statement didn't work is because the outside Pix does not know how to route back to 192.168.5.0/24. So you could either

1) remove your existing nat & global statements, and add the following

static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0

and make sure that the outside pix has a route back to the 192.168.5.0/24 network via the outside interface of the inside pix

OR

we could try policy NAT ie.

access-list inside_to_dmz permit ip 192.168.5.0 255.255.255.0 192.168.105.0 255.255.255.0

** static (inside,outside) 192.168.5.0 access-list inside_to_dmz

** Note - i don't have a pix/ASA to test on. The above syntax is not quite right - it could be

static (inside,outside) 192.168.5.0 255.255.255.0 access-list inside_to_dmz

or it might be some other combination. Apologies for being vague, but I haven't configured this in a while and I've forgotten the exact syntax.

Jon

New Member

Re: Configuring Pix behind a Pix

Jon

Thanks, I tried both methods but wasn't successful with either. I am attaching the Pix config for Pix1. (19x.yyy.zzz is a public IP range)

Which interface does the static route from Pix1 to 192.168.5.0/24 come from, is it inside or outside? It is a little confusing, because in this case the traffic from Pix1 travels on the inside of the f/w to Pix2 through the outside interface of Pix2, but doesn't necessarily go through the inside interface of Pix1. Am I right in thinking this is so?

So I tried both methods and wasn't successful; however, the packet tracer seems to show that there is communication between both 192.168.5.0/24 and 192.168.105.0/24. I have tried different ports and different protocols.

Thanks for your help

Hall of Fame Super Blue

Re: Configuring Pix behind a Pix

Ali

The key parts of the config are -

1) Your Natting

global (outside) 1 interface

global (outside) 3 19x.yyy.zzz.9 netmask 255.255.255.255

global (inside) 1 interface

static NATTING here between inside and outside for all hosts on 1-2-1

Apart from the fact you have global statements with no corresponding nat statements there is no natting for the 192.168.5.0/24 IP addresses. The easiest way to fix this is

nat (inside) 4 192.168.5.0 255.255.255.0

global (outside) 4 interface

HOWEVER - because i can't make much sense of your NAT config on this firewall you need to be very careful. I can't guarantee it won't break anything. What you do need to do is ensure that 192.168.5.x addresses are translated to public IP(s).

Is there a chance some of the NAT config is missing ?

Also the 1-2-1 NATs, are these all for 192.168.105.x servers?

2) Routing -

route outside 192.168.5.0 255.255.255.0 192.168.105.9 2

This route should read -

route inside 192.168.5.0 255.255.255.0 192.168.105.9 2

Jon
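Putting Jon's two fixes together for the topology Ali described, as an added configuration example that was not posted in the thread (it is not from either participant and, like Jon, I have not verified it on a live PIX). It assumes PIX 8.0 syntax, interfaces named inside and outside on both firewalls, TCP 3389 as the "TS" port, an ACL name outside_access_in that is made up here, and that Pix1's existing 1-to-1 statics for the 192.168.105.x servers stay untouched:

```cisco
! Added example, not from the thread. Pix2 = the inside PIX
! (outside 192.168.105.9 towards the DMZ, inside 192.168.5.1 towards the LAN).
nat-control
! Identity NAT: LAN hosts keep their 192.168.5.x addresses when they cross into the
! DMZ, so DMZ-initiated connections can reach them and return traffic matches the xlate.
static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
! Track ICMP echo/echo-reply as a connection so LAN-originated pings get their replies
! back (this is the "ICMP is not stateful" symptom Ali saw under PAT).
policy-map global_policy
 class inspection_default
  inspect icmp
! Inbound policy on the DMZ-facing (outside) interface, in Jon's order:
! 1) ICMP replies back to the LAN, 2) only the DMZ-to-LAN ports actually needed,
! 3) deny and log everything else aimed at the LAN. Pix2 has no third interface,
! so Jon's item 4) is not needed here; the implicit deny at the end covers the rest.
! (assumed ACL name: outside_access_in; assumed TS port: 3389)
access-list outside_access_in extended permit icmp 192.168.105.0 255.255.255.0 192.168.5.0 255.255.255.0 echo-reply
access-list outside_access_in extended permit tcp 192.168.105.0 255.255.255.0 192.168.5.0 255.255.255.0 eq 3389
access-list outside_access_in extended deny ip any 192.168.5.0 255.255.255.0 log
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.105.1 1

! Pix1 = the outside PIX. Give the LAN its own PAT pool (id 4 avoids the existing
! global ids 1 and 3) and a return route that points at the INSIDE interface,
! next hop Pix2's outside address. The 1-to-1 statics for 192.168.105.x stay as they are.
nat (inside) 4 192.168.5.0 255.255.255.0
global (outside) 4 interface
route inside 192.168.5.0 255.255.255.0 192.168.105.9 1
```

The deny with `log` on Pix2 is there so that anything from the DMZ probing the LAN shows up in syslog rather than silently hitting the implicit deny; if DMZ hosts also need to ping LAN hosts, add a matching `permit icmp ... echo` line ahead of the deny rather than widening the ICMP permit to all types.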

New Member

Re: Configuring Pix behind a Pix

Hi Jon

Sorry it's been a few days; I had taken time off. Just to let you know that I managed to get it working thanks to your help throughout.

Essentially what I did was to use the points you gave me in your replies and create double NATting, so the same way I got the servers in the DMZ talking to the outside, I got the LAN hosts talking to the outside, albeit using static IPs, double NATting them all the way to the internet.

I would just like to say that I am really glad I bumped into you on this forum, as you have really helped me out. I am by no means an expert and your help has really been appreciated.

Many thanks

Regards

Ali

Hall of Fame Super Blue

Re: Configuring Pix behind a Pix

Ali

Glad you got it working and glad to have been of help.

Jon

154 Views | 21 Helpful | 19 Replies