01-09-2007 11:43 AM - edited 03-11-2019 02:17 AM
Hi there,
I have a Cisco PIX 501 connected to ADSL via PPPoE. It's working fine. I also just purchased a Linksys WRT54GL primarily for providing QoS (Vonage) for the LAN side. Here's my IP setup:
192.168.1.76 - PIX 501
192.168.1.39 - Linksys WRT54GL (WAN Port)
192.168.1.77 - DNS Caching Server
192.168.2.1 - Linksys WRT54GL (LAN Side)
- DHCP allotting in *.2.100 range
I can ping the PIX (192.168.1.76) from my LAN client which has an IP of 192.168.2.100, but I cannot ping the DNS, i.e. (192.168.1.77). I have a static route on the PIX:
route inside 192.168.2.0 255.255.255.0 192.168.1.39 1
When I ping 192.168.1.77 (from 192.168.2.100), I get a "No route for 192.168.2.100 from 192.168.1.77" even though my static route should have covered this.
What am I doing wrong?
Also, if I wanted to use RIP v2 for dynamic routing, would I enable this? The Linksys (with DD-WRT firmware) understands RIP v2 and OSPF.
Note that the WRT54GL is running in non-gateway mode, i.e. does only routing, and no NAT.
01-09-2007 11:54 AM
Can you post up your config?
01-09-2007 01:10 PM
Jim,
I'll post my config little bit later when I get home. Thanks!
01-09-2007 02:59 PM
Here's the config:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname pix
domain-name local
clock timezone AST -4
clock summer-time ADT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol mgcp 2427
fixup protocol mgcp 2727
no fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip 5061
fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
name 192.168.1.77 linksys
name 192.168.1.15 g5
name 192.168.1.13 pb
name 192.168.1.80 vonage
access-list 101 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 109 permit tcp any interface outside range 6881 6882
access-list 109 permit udp any interface outside range 6881 6882
access-list 109 permit tcp any interface outside eq ssh
access-list 109 permit ip any interface inside
access-list 109 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 109 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 110 permit udp 192.168.1.0 255.255.255.0 host linksys eq syslog
access-list 110 permit ip any any
access-list outside_cryptomap_dyn_20 permit ip any 172.16.1.0 255.255.255.0
access-list caplog permit udp any host linksys eq syslog
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging trap debugging
logging history debugging
logging facility 22
logging host inside g5
no logging message 304001
no logging message 111005
icmp deny any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.76 255.255.255.0
ip verify reverse-path interface outside
ip audit name info info action alarm
ip audit name attack attack action alarm drop reset
ip audit interface outside info
ip audit interface outside attack
ip audit info action alarm
ip audit attack action drop
ip local pool ippool 172.16.1.1-172.16.1.255
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.1.76 255.255.255.255 inside
pdm location 192.168.1.10 255.255.255.255 inside
pdm location pb 255.255.255.255 inside
pdm location 192.168.1.14 255.255.255.255 inside
pdm location linksys 255.255.255.255 inside
pdm location 192.168.1.101 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
static (inside,outside) tcp interface ssh g5 ssh netmask 255.255.255.255 0 0
access-group 109 in interface outside
rip inside default version 2
route inside 192.168.2.0 255.255.255.0 192.168.1.39 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
ntp server 216.168.105.34 source outside
ntp server 216.138.199.179 source outside
ntp server 142.179.100.217 source outside
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server enable traps
tftp-server inside linksys /pix
floodguard enable
fragment chain 1
sysopt connection permit-ipsec
auth-prompt reject "No Way"
telnet 192.168.1.0 255.255.255.0 inside
telnet 172.16.1.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 60
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
management-access inside
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname x
vpdn group ISP ppp authentication pap
vpdn username X password X
terminal width 80
01-10-2007 12:47 AM
Hi,
I am a bit confused.
From what I see here, the traffic from LAN to DNS will not pass PIX.
Where do you receive the "no route" message?
Please rate if this helped.
Regards,
Daniel
01-10-2007 12:46 PM
I see the "No route" message on the PIX. The DNS server is just one example of what I can't get to. Basically, I can't access any host on the 192.168.1.0/24 subnet other than the PIX which is acting as the gateway to the Internet via ADSL.
I would like to know if accessing my 192.168.1.0 network is possible from 192.168.2.0 network. Is it?
01-10-2007 03:12 PM
Hi,
1/ I'm not sure that you can pass traffic between 2 interfaces with the same security level. In your example of ping, the source is your DNS server (inside) and the destination is also in inside...
2/ I think your ACL is a bit strange:
access-list 101 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 109 permit tcp any interface outside range 6881 6882
access-list 109 permit udp any interface outside range 6881 6882
access-list 109 permit tcp any interface outside eq ssh
access-list 109 permit ip any interface inside
access-list 109 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 109 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 110 permit udp 192.168.1.0 255.255.255.0 host linksys eq syslog
access-list 110 permit ip any any
access-group 109 in interface outside
There is no access-group on your interface inside?
Maybe you can try:
access-list 109 permit tcp any interface outside range 6881 6882
access-list 109 permit udp any interface outside range 6881 6882
access-list 109 permit tcp any interface outside eq ssh
access-list 109 permit ip any interface inside
access-list 110 permit ip any any
access-group 109 in interface outside
access-group 110 in interface inside
3/ Tell the PIX that your 192.168.2.0/24 network is on inside:
pdm location 192.168.2.0 255.255.255.0 inside
Hope it helps
Best regards,
KH
01-13-2007 11:53 PM
It didn't work... I don't know what I am doing wrong. I see traffic from the DNS server hit the PIX, where it seems not to be forwarded to the correct machine. I'll play with this some more and post more accurate observations. Thanks.
01-14-2007 01:38 PM
What's the default gateway on your LAN client? If the DNS server is on the inside of the pix between the pix and the linksys, the pings should never even hit the pix.
01-15-2007 06:52 AM
The default gateway is that of the PIX on the DNS server.
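A hop-by-hop model of the path discussed in this thread, added here as an editor's example (it is not code from any poster): it shows the echo request reaching the DNS server directly through the Linksys, while the reply follows the DNS server's default gateway to the PIX, which on 6.3 will not send a packet back out the interface it arrived on. Adding a route for 192.168.2.0/24 via 192.168.1.39 on the DNS server keeps the return path off the PIX; the interface names and the 203.0.113.x addresses on the PPPoE side are constructed placeholders.

```python
import ipaddress

class Device:
    def __init__(self, name, addrs, routes, hairpin=True):
        # addrs: {interface: ip}; routes: (prefix, egress interface, next hop or None when on-link)
        self.name, self.hairpin = name, hairpin  # hairpin=False: PIX 6.3 will not forward a packet back out its ingress interface
        self.addrs = {ifc: ipaddress.ip_address(a) for ifc, a in addrs.items()}
        self.routes = [(ipaddress.ip_network(p), ifc, nh) for p, ifc, nh in routes]

    def lookup(self, dst):
        hits = [r for r in self.routes if ipaddress.ip_address(dst) in r[0]]
        net, ifc, nh = max(hits, key=lambda r: r[0].prefixlen)  # longest prefix wins
        return ifc, (dst if nh is None else nh)

def trace(devices, src, dst):
    # Follow a packet hop by hop; the last element starts with "DROP" if it never arrives.
    path, cur = [src], src
    for _ in range(8):
        dev = devices[cur]
        in_ifc = next(i for i, a in dev.addrs.items() if str(a) == cur)  # interface it arrived on
        if cur == dst:
            return path
        out_ifc, nxt = dev.lookup(dst)
        if len(path) > 1 and not dev.hairpin and in_ifc == out_ifc:
            return path + [f"DROP: {dev.name} will not forward {in_ifc}->{out_ifc}"]
        cur = nxt
        path.append(cur)
    return path + ["DROP: hop limit"]

def build(dns_has_route):
    # Topology from the thread. 203.0.113.x is a constructed placeholder for the PPPoE side.
    dns_routes = [("192.168.1.0/24", "eth0", None), ("0.0.0.0/0", "eth0", "192.168.1.76")]
    if dns_has_route:  # candidate fix: the DNS server learns that 192.168.2.0/24 sits behind the Linksys
        dns_routes.append(("192.168.2.0/24", "eth0", "192.168.1.39"))
    devs = [
        Device("client", {"eth0": "192.168.2.100"},
               [("192.168.2.0/24", "eth0", None), ("0.0.0.0/0", "eth0", "192.168.2.1")]),
        Device("wrt54gl", {"lan": "192.168.2.1", "wan": "192.168.1.39"},
               [("192.168.2.0/24", "lan", None), ("192.168.1.0/24", "wan", None), ("0.0.0.0/0", "wan", "192.168.1.76")]),
        Device("dns", {"eth0": "192.168.1.77"}, dns_routes),
        Device("pix", {"inside": "192.168.1.76", "outside": "203.0.113.2"},
               [("192.168.1.0/24", "inside", None), ("192.168.2.0/24", "inside", "192.168.1.39"),  # the thread's static route
                ("0.0.0.0/0", "outside", "203.0.113.1")], hairpin=False),
    ]
    return {str(a): d for d in devs for a in d.addrs.values()}

def echo_paths(dns_has_route):
    devs = build(dns_has_route)
    return trace(devs, "192.168.2.100", "192.168.1.77"), trace(devs, "192.168.1.77", "192.168.2.100")
```

Compare echo_paths(False) with echo_paths(True): the request path is identical in both, only the reply path changes.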