PIX 501 and Linksys WRT54G

fcyousaf1
Level 1

Hi there,

I have a Cisco PIX 501 connected to ADSL via PPPoE. It's working fine. I also just purchased a Linksys WRT54GL primarily for providing QoS (Vonage) for the LAN side. Here's my IP setup:

192.168.1.76 - PIX 501

192.168.1.39 - Linksys WRT54GL (WAN Port)

192.168.1.77 - DNS Caching Server

192.168.2.1 - Linksys WRT54GL (LAN Side)

- DHCP allotting in *.2.100 range

I can ping the PIX (192.168.1.76) from my LAN client which has an IP of 192.168.2.100, but I cannot ping the DNS, i.e. (192.168.1.77). I have a static route on the PIX:

route inside 192.168.2.0 255.255.255.0 192.168.1.39 1

When I ping 192.168.1.77 (from 192.168.2.100), I get a "No route for 192.168.2.100 from 192.168.1.77" even though my static route should have covered this.

What am I doing wrong?

Also, if I wanted to use RIP v2 for dynamic routing, would I enable this? The Linksys (with DD-WRT firmware) understands RIP v2 and OSPF.

Note that the WRT54GL is running in non-gateway mode, i.e. does only routing, and no NAT.

9 Replies

jim
Level 1

Can you post up your config?

Jim,

I'll post my config little bit later when I get home. Thanks!

Here's the config:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname pix
domain-name local
clock timezone AST -4
clock summer-time ADT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol mgcp 2427
fixup protocol mgcp 2727
no fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip 5061
fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
name 192.168.1.77 linksys
name 192.168.1.15 g5
name 192.168.1.13 pb
name 192.168.1.80 vonage
access-list 101 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 109 permit tcp any interface outside range 6881 6882
access-list 109 permit udp any interface outside range 6881 6882
access-list 109 permit tcp any interface outside eq ssh
access-list 109 permit ip any interface inside
access-list 109 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 109 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 110 permit udp 192.168.1.0 255.255.255.0 host linksys eq syslog
access-list 110 permit ip any any
access-list outside_cryptomap_dyn_20 permit ip any 172.16.1.0 255.255.255.0
access-list caplog permit udp any host linksys eq syslog
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging trap debugging
logging history debugging
logging facility 22
logging host inside g5
no logging message 304001
no logging message 111005
icmp deny any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.76 255.255.255.0
ip verify reverse-path interface outside
ip audit name info info action alarm
ip audit name attack attack action alarm drop reset
ip audit interface outside info
ip audit interface outside attack
ip audit info action alarm
ip audit attack action drop
ip local pool ippool 172.16.1.1-172.16.1.255
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.1.76 255.255.255.255 inside
pdm location 192.168.1.10 255.255.255.255 inside
pdm location pb 255.255.255.255 inside
pdm location 192.168.1.14 255.255.255.255 inside
pdm location linksys 255.255.255.255 inside
pdm location 192.168.1.101 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
static (inside,outside) tcp interface ssh g5 ssh netmask 255.255.255.255 0 0
access-group 109 in interface outside
rip inside default version 2
route inside 192.168.2.0 255.255.255.0 192.168.1.39 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
ntp server 216.168.105.34 source outside
ntp server 216.138.199.179 source outside
ntp server 142.179.100.217 source outside
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server enable traps
tftp-server inside linksys /pix
floodguard enable
fragment chain 1
sysopt connection permit-ipsec
auth-prompt reject "No Way"
telnet 192.168.1.0 255.255.255.0 inside
telnet 172.16.1.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 60
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
management-access inside
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname x
vpdn group ISP ppp authentication pap
vpdn username X password X
terminal width 80

Hi,

I am a bit confused.

From what I see here, the traffic from LAN to DNS will not pass PIX.

Where do you receive the "no route" message?

Please rate if this helped.

Regards,

Daniel

I see the "No route" message on the PIX. The DNS server is just one example of what I can't get to. Basically, I can't access any host on the 192.168.1.0/24 subnet other than the PIX which is acting as the gateway to the Internet via ADSL.

I would like to know if accessing my 192.168.1.0 network is possible from 192.168.2.0 network. Is it?

Hi,

1/ I'm not sure that you can pass traffic between 2 interfaces with the same security level. In your example of ping, the source is your DNS server (inside) and the destination is also in inside...

2/ I think your ACL is a bit strange:

access-list 101 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 109 permit tcp any interface outside range 6881 6882
access-list 109 permit udp any interface outside range 6881 6882
access-list 109 permit tcp any interface outside eq ssh
access-list 109 permit ip any interface inside
access-list 109 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 109 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 110 permit udp 192.168.1.0 255.255.255.0 host linksys eq syslog
access-list 110 permit ip any any
access-group 109 in interface outside

There is no access-group on your interface inside?

Maybe you can try:

access-list 109 permit tcp any interface outside range 6881 6882
access-list 109 permit udp any interface outside range 6881 6882
access-list 109 permit tcp any interface outside eq ssh
access-list 109 permit ip any interface inside
access-list 110 permit ip any any
access-group 109 in interface outside
access-group 110 in interface inside

3/ Tell the PIX that your 192.168.2.0/24 network is on inside:

pdm location 192.168.2.0 255.255.255.0 inside

Hope it helps

Best regards,

KH

It didn't work... I don't know what I am doing wrong. I see traffic from the DNS server hit the PIX, where it seems to be not forwarded to the correct machine. I'll play with this some more and post more accurate observations. Thanks.

bhatok
Level 1

What's the default gateway on your LAN client? If the DNS server is on the inside of the pix between the pix and the linksys, the pings should never even hit the pix.

The default gateway is that of the PIX on the DNS server.
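The exchange above (the PIX static route, the "No route for 192.168.2.100 from 192.168.1.77" message, and bhatok's point about the DNS server's default gateway) as a small routing simulation. This is an added example, not code from the thread or from Cisco; it models the posted PIX routing table and the DNS server's host routing table, and applies the PIX 6.x rule that a packet may not leave on the interface it arrived on. The second DNS routing table (a host route for 192.168.2.0/24 via the Linksys) and the address 198.51.100.10 are constructed assumptions.

```python
import ipaddress

# Constructed model of the thread's topology (added example, not tooling from the page).
PIX_INSIDE = "192.168.1.76"    # PIX inside address, and the DNS server's default gateway
LINKSYS_WAN = "192.168.1.39"   # WRT54GL WAN port, next hop for 192.168.2.0/24

def lookup(routes, dst):
    """Longest-prefix match over routes = [(network, value), ...]; None if no route."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None

# PIX routing table as the posted config defines it: connected inside network, the
# static "route inside 192.168.2.0 ..." and the default route from "pppoe setroute".
PIX_ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "inside"),
    (ipaddress.ip_network("192.168.2.0/24"), "inside"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]

def pix_forward(ingress_if, src, dst):
    """PIX 6.x forwarding decision for a packet that arrived on ingress_if."""
    if dst == PIX_INSIDE:
        return "local"        # addressed to the PIX itself, which is why pinging it works
    egress_if = lookup(PIX_ROUTES, dst)
    if egress_if == ingress_if:
        # PIX 6.x will not send traffic back out the interface it came in on;
        # this is the case that logs "No route for <dst> from <src>".
        return "no-route"
    return egress_if

def reply_path(host_routes, src, dst):
    """Trace a reply from a 192.168.1.0/24 host toward dst: returns (hops, delivered)."""
    next_hop = lookup(host_routes, dst)
    if next_hop == "connected":
        return ["direct"], True
    if next_hop == PIX_INSIDE:
        verdict = pix_forward("inside", src, dst)
        return [PIX_INSIDE, verdict], verdict not in ("no-route", None)
    return [next_hop], True   # handed to the Linksys, which owns 192.168.2.0/24

# DNS server (192.168.1.77) as described in the thread: default gateway is the PIX only.
DNS_ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "connected"),
    (ipaddress.ip_network("0.0.0.0/0"), PIX_INSIDE),
]
# Same host with a route for the Linksys LAN added (assumption, following bhatok's point).
DNS_ROUTES_FIXED = DNS_ROUTES + [(ipaddress.ip_network("192.168.2.0/24"), LINKSYS_WAN)]

if __name__ == "__main__":
    print(reply_path(DNS_ROUTES, "192.168.1.77", "192.168.2.100"))        # (['192.168.1.76', 'no-route'], False)
    print(reply_path(DNS_ROUTES_FIXED, "192.168.1.77", "192.168.2.100"))  # (['192.168.1.39'], True)
    print(pix_forward("inside", "192.168.2.100", "198.51.100.10"))        # 'outside'
```

The first trace reproduces the thread's symptom: the reply enters and must leave the PIX's inside interface, so the PIX refuses it, while Internet-bound traffic from 192.168.2.100 crosses inside to outside and works.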
