04-26-2008 04:25 AM - edited 03-11-2019 05:37 AM
Hi Techies,
I have been assigned a project for setting up security contexts on a PIX firewall.
Please see the below tech details:
I have created two contexts, i.e. Admin & CustA. I have decided to share the Outside interface between the two contexts. I have enabled 'mac-address auto' on the PIX firewall to avoid conflicts between ARP requests. Also, both the physical ports on the L2 switches are configured in Trunk mode.
Sh run for Admin Context:
interface inside
nameif inside
security-level 100
ip address 10.126.1.17 255.255.255.0
!
interface outside
nameif outside
security-level 0
ip address 10.10.10.200 255.255.255.0
access-list outside_access_in extended permit icmp any any
global (outside) 1 interface
nat (inside) 1 10.126.1.0 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
Sh run for CustA Context:
interface E_inside
nameif inside
security-level 100
ip address 10.126.6.250 255.255.255.0
!
interface E_outside
nameif outside
security-level 0
ip address 10.10.10.201 255.255.255.0
access-list outside_access_in extended permit icmp any any
global (outside) 1 interface
nat (inside) 1 10.126.6.0 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
Problems:
I am able to ping 10.126.1.X network from CustA context. However, not able to ping 10.126.6.X network from Admin Context.
I am able to surf the Internet from Admin Context i.e. from 10.126.1.X network. However, the DNS server resides on 10.126.1.X network and hence not able to resolve DNS requests from CustA context.
Could someone please help me to resolve the above mentioned problem? Let me know if anybody requires any additional information.
Thanks,
JBP
04-26-2008 01:20 PM
I think your problem relies on how you are implementing or allowing icmp in each context. Can you go over these two links? I believe once you read them it will help in solving some of your icmp issues.
asa icmp functionality
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#req
inspect icmp
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i2_72.html#wp1665749
On the dns part there could be a couple of things that may be in the way. First of all, can you, from the CustA context, ping a public IP address by IP to determine if you have outbound connectivity? Try pinging www.yahoo.com by IP, 69.147.114.210; if you get replies we know there is connectivity.
If you have the DNS server on the Admin context inside LAN, I would assume that you will need to NAT the DNS server and permit the DNS port, because you are coming from the CustA context to the Admin context for DNS queries. But while the forum here tries to help with your dns issue, you could use public DNS servers for the CustA context in the meantime.
Rgds
Jorge
04-27-2008 04:23 AM
Thanks for the information Jorge.
When I removed the global commands and did static NAT on both contexts for the internal subnets, ICMP between both contexts started working, and I had to extend my NAT translation on the ISP routers, i.e.:
Admin Context:
static (inside,outside) 10.126.1.0 10.126.1.0 netmask 255.255.255.0 0 0
My Admin context has all our servers, like Active Directory, file server, internal DNS, mail, etc., so it is a requirement to access the Admin context from the CustA context.
The objective behind implementing contexts is to segregate one Inside VLAN's traffic from the other network VLANs. However, we want to access the Admin context from the other contexts so that we can have access to all the servers.
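Added example, not JBP's or Jorge's own configuration: in PIX 7.x multiple-context mode, the classifier assigns a packet arriving on a shared interface to the context whose NAT entry (global or static) claims the destination address, so with only `global (outside) 1 interface` each context is known on the shared outside only by its interface IP and the 10.126.x.0 subnets are unreachable from the other context. The fragment below shows the identity statics for both contexts plus the DNS rule the Admin context needs on its outside interface; 10.126.1.53 is an assumed placeholder for the internal DNS server, and because the inside subnets now leave untranslated, the upstream router must NAT them, as JBP noted.

```text
! Admin context: replace dynamic PAT with an identity static so the
! classifier maps 10.126.1.0/24 on the shared outside interface to Admin.
no global (outside) 1 interface
no nat (inside) 1 10.126.1.0 255.255.255.0
static (inside,outside) 10.126.1.0 10.126.1.0 netmask 255.255.255.0
! Allow DNS queries from the CustA subnet to the internal DNS server only
! (10.126.1.53 is an assumed placeholder); ICMP is already permitted above.
access-list outside_access_in extended permit udp 10.126.6.0 255.255.255.0 host 10.126.1.53 eq domain
access-group outside_access_in in interface outside

! CustA context: identity static for its own subnet so Admin can reach it.
no global (outside) 1 interface
no nat (inside) 1 10.126.6.0 255.255.255.0
static (inside,outside) 10.126.6.0 10.126.6.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
```

Check with `show xlate` in each context that the identity entries exist, and with `show conn` in the Admin context that a UDP/53 connection from 10.126.6.x appears when a CustA host resolves a name.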