pix 506e 6.3 static routing between two "inside" networks

Hello

I have a pix and a c3560. Behind the pix, on the "inside" side, is network 10.0.1.0/24; behind the c3560 is 172.26.39.0/24, and the c3560 also has IP 10.0.1.10. Ping between the pix and the c3560 works in both directions. The c3560 has a default route to 10.0.1.1 on the pix.

I need to set up communication between hosts in subnet 10.0.1.0/24 and 172.26.39.0/24, so on the pix I try to set a static route to 172.26.39.0/24:

route inside 172.26.39.0 255.255.255.0 10.0.1.10

I see:

sh route
         outside 0.0.0.0 0.0.0.0 10.214.1.1 1 OTHER static
         inside 10.0.1.0 255.255.255.0 10.0.1.1 1 CONNECT static
         outside 10.214.1.0 255.255.255.0 10.214.1.11 1 CONNECT static
         inside 172.26.39.0 255.255.255.0 10.0.1.10 1 OTHER static

but ping from host1 10.0.1.3 to 172.26.39.1 doesn't work.

I have an acl on entry:

access-list acl_in permit icmp any any
access-list acl_in permit ip any any

and I have nat:

global (outside) 1 interface
global (inside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

and

access-list inside_outbound_nat0_acl permit ip 10.0.1.0 255.255.255.0 172.26.39.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.26.39.0 255.255.255.0 10.0.1.0 255.255.255.0

imho there is a problem with nat or routing on the pix, but I don't see where.

thanks for any clue


Maykol Rojas
Cisco Employee

Hello,

The problem is that the packet will get to the firewall and then is going to be forwarded out the same interface; traffic between the same security levels on Pix 6.3 is not supported.

This configuration is called hairpinning and it is only supported in version 7.0 or later.

Here is the hairpin config; take a look at the requirements:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2

Here is a document from this same forum:

https://supportforums.cisco.com/message/862460

Hope this helps.

Mike

mirober2
Cisco Employee

Hi Piotr,

Can you give us an idea of what the topology looks like? Does traffic sourced from 10.0.1.0/24 destined to 172.26.39.0/24 hit the 3560 first? If so, the 3560 should take care of the routing and the PIX wouldn't be involved. This would assume that the PCs have a default gateway of their 3560 interface instead of the PIX inside interface.

-Mike

It's my topology:

http://80.48.65.210/schemat/schemat.png

For now pix1 has ipsec (s2s) to pix2, and nat to the internet. I'm thinking of making some changes:

- vlan 100 with 10.0.1.0/24 will be only between the pix and the c3560

- vlan 200 remains without any change, default gateway for all hosts in this vlan on the c3560

- new vlan 300 on the c3560 with new ip addresses, e.g. 10.0.3.1/24, default gateway for all hosts in this vlan

- the c3560 will have a default gw to the pix

- the pix will nat all source subnets: 10.0.3.0/24

But I'm not sure about the pix again, because I need to set static routes to vlan 200 and to the new vlan 300, so it's hairpinning again, or am I wrong? I don't have physical access to the pix, so if I make something wrong it'll be a disaster.

thanks for any advice

Not sure I understand this completely, but I'll give it a shot.

You are adding vlan300 as a new L3 interface to your 3560. If this is the case, the routing will be handled by the 3560 for local traffic and it will NOT be processed by the Pix. According to your diagram, traffic will fail for any hosts on vlan100 communicating to vlan200 or vlan300 unless the 3560 is set as the default gateway. If the Pix is set as the default gateway for vlan100 hosts, they will not be able to communicate with vlans 200 and 300 for two reasons. 1) The traffic must be hairpinned back out the vlan100 interface on the Pix which is unsupported. 2) You have asymmetric routing which would not work even in version 7.0.

The best thing to do is create a /30 subnet between the Pix and the 3560. (Basically what I believe you are already proposing for vlan100). You would then route all internal traffic via the 3560. Be sure that the only two hosts on that subnet are the Pix and the 3560 L3 switch. Once this is done, you can then add your NAT rules for the new subnet (vlan300).

Example PAT rules:

nat (inside) 1 172.26.36.0 255.255.255.0
nat (inside) 1 10.0.3.0 255.255.255.0
global (outside) 1 interface

Example nonat / crypto ACL:

access-list nonat-crypto permit ip 172.26.36.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat-crypto permit ip 10.0.3.0 255.255.255.0 10.0.0.0 255.255.255.0
!
nat (inside) 0 access-list nonat-crypto
!
crypto map mymap 10 match address nonat-crypto

I hope this helps.

Thanks,

Brendan
