05-30-2007 07:20 AM - edited 03-05-2019 04:22 PM
I have two devices I need to connect and allow one-way communication between...a 2611 router and a PIX 501 Firewall.
On the network behind the 2611, the IP schema is this (IP/SUB/GATE) (10.20.30.x/255.255.0.0/10.20.30.1)
On the network behind the PIX, the IP schema is this (IP/SUB/GATE) (192.168.1.x/255.255.255.0/192.168.1.21)
The PIX is configured for its own internal network and is used as the primary device between its network and the outside world.
The 2611 has not yet been configured, but I'm hoping to be able to configure it to act as a security device for our network.
I have not yet performed any configuration on either of the devices that is necessary to "connect" the two networks. I need to be able to have one-way communication between one computer on the 2611 network (10.20.30.218) and one computer on the PIX network (192.168.1.1) on one specific port (8234).
Is it possible to accomplish this with simply entering the appropriate commands on both devices and if so, how?
I've had a little bit of exposure to the 26xx line, but have no experience at all with any PIX devices. Just can't seem to figure out the Device Manager on the PIX.
Can anyone help me out with the commands necessary to facilitate this configuration? It would be greatly appreciated.
Thank you.
05-31-2007 01:14 PM
Actually, no.
Right now, I have the 2611 connected to our network (10.20.30.x) via the ETH0/0 port. It actually goes like this...internet to our primary router (3200) - switch - switch - the router in question (2611).
At that point, I was hoping to connect a patch cord between our ETH0/1 to one of the open ports on the PIX.
If that is doable, then I just need the appropriate configuration commands to program into each of the devices to allow the one-way traffic I described earlier.
Thanx again.
05-31-2007 02:25 PM
I was going by the picture you posted earlier. Just give the open port on the router a free address on your 192.168.1.0 network. Connect this port to your 192.168.1.0 network. The only problem with this is you have to route from the machine in your 192 network to the machine in your 10 network without a router. You cannot route it with the pix as it will not allow hairpinning. You will have to add a persistent route to the server itself. This setup requires no pix configuration at all.
05-31-2007 02:57 PM
This sounds good.
Does it matter that the 192 network is the PIX and the 10 network is the 2611? Also, the traffic needs to flow from the 10 network to the 192 network only.
So, what commands do I need to issue to the PIX and/or the 2611 to get this working?
Thanx again.
06-01-2007 10:25 AM
No, the 2611 will have 1 connection to the 10 network and 1 connection to the 192 network. You can write access-lists in your router to prevent the traffic from the 192 network. There are no commands to be issued in the pix for this scenario. All the router needs is an ip address on the free interface connected to the 192 network and the acl's. Then you also have the routing problem I talked about earlier.
06-04-2007 06:04 AM
So taking all this into consideration, I'm understanding I need to do this...
- run a patch cable between the eth0/1 port on the 2611 and one of the open ports on the PIX
- configure the 2611 as follows:
----- eth0/0 = 10.20.30.218
----- eth0/1 = 192.168.1.1
----- int e0/1
----- description 'remote'
----- ip access-group Outbound_ACL out
----- ip access-group Inbound_ACL in
----- ip access-list ext Outbound_ACL
----- permit ip 10.20.0.0 0.0.255.255 any reflect LAN_Traffic
----- ip access-list ext Inbound_ACL
----- evaluate LAN_Traffic
- configure the PIX as follows:
----- static (inside,outside) 192.168.1.1 192.168.1.1 netmask 255.255.255.255
----- access-list outside_access_in permit tcp host 10.20.30.218 host 192.168.1.1 eq 8234
And that's it?
Thanx again.
06-04-2007 06:18 AM
"- run a patch cable between the eth0/1 port on the 2611 and one of the open ports on the PIX"
or a switch on the 192. network.
You should not need those commands in the pix. Remember the communication between the 192. and 10. is on the inside of pix.
Internet -- PIX -- 192.168.1.x -- 2611 -- 10.20.0.0
06-04-2007 06:28 AM
Cool.
Then I only need the commands on the 2611 and I'm good to go?
So all the routing and "permissions" are handled via the 2611 and are transparent to the PIX since I'll have the one port on the 2611 configured with an "internal" PIX address?
Thanx.
06-04-2007 07:50 AM
As I said before, the only remaining problem is this
I assume the client on the 192. network has a default gateway that is the inside of the pix; the only problem is that this is not the route to the 10. network. The route to the 10. network would be the 192. address on the 2611. You need a way to route this traffic.
06-04-2007 10:11 AM
So how do I go about solving that problem?
Is it as easy as creating a static route in the 2611? If not, what are my other options?
Thanx.
06-04-2007 10:17 AM
No, a route there will do you no good as you've got to get the traffic there in the first place.
In the current topology, I think your option is to add a persistent route on the client itself on the 192. network. In windows it would be something like this from command prompt...
route add 10.20.0.0 mask 255.255.0.0 192.168.1.1
OR
get another router(3 port) for the connection between the 2 networks.
06-04-2007 10:35 AM
to make the route persistent(come back after reboot) you also need to add "-p" to the route statement above.
06-04-2007 10:46 AM
So, in summary...
- No changes to the PIX
- Configure 2611 ports for both networks
- Add persistent route on workstation on 10 network
As it stands, I have 1 and 2 complete above, but am unable to ping anything outside the 10 network from the router and, unfortunately, the route add command you listed is not working on the workstation.
Thanx.
06-04-2007 10:59 AM
the route would go on the workstation on the 192 network, not the 10 network.
06-04-2007 11:08 AM
I see.
Even though the networks are like this...
192.168.1.x / 255.255.255.0 / 192.168.1.1
10.20.30.x / 255.255.0.0 / 10.20.1.1
Will the route add work with different subnets and different gateways?
Thanx again.
06-04-2007 11:13 AM
Ok, so the machine in the 192. network has a default gateway that is the pix, most likely 192.168.1.21, right?
What you are doing with this is adding a route to the 10.20.0.0 network via the 2611 (192.168.1.1). You have to do this because 192.x.x.x does not reach 10.20.30.x via 192.168.1.21.
route add 10.20.0.0 mask 255.255.0.0 192.168.1.1 -p
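The thread settles on "no PIX changes, ACLs on the 2611, host route on the 192 workstation" but never shows the finished router config. The block below is an added example, not posted by anyone in the thread, of a 2611 configuration that implements exactly that: only TCP 8234 from 10.20.30.218 to 192.168.1.1, replies allowed back by a reflexive ACL, nothing else in either direction. Assumed (not stated in the thread): Ethernet0/0 sits at 10.20.30.254/16 and Ethernet0/1 at 192.168.1.2/24. The first post gives 192.168.1.1 to the target host, so the router gets a different address here than the 192.168.1.1 the thread uses for it; the host routes at the bottom are adjusted to match. The ACL names, the 300-second reflexive timeout and the hostname are also assumptions.

```cisco
! Added example (not from the thread). One-way TCP/8234 from 10.20.30.218
! to 192.168.1.1 across a 2611 with one leg in each network.
! Assumed addressing: E0/0 = 10.20.30.254/16, E0/1 = 192.168.1.2/24.
hostname 2611-link
!
! Outbound on E0/1 (10 -> 192): one source host, one destination host,
! one port. "reflect" records each session so only its replies can return.
ip access-list extended TO_192_NET
 permit tcp host 10.20.30.218 host 192.168.1.1 eq 8234 reflect SESSIONS_8234 timeout 300
 deny   ip any any log
!
! Inbound on E0/1 (192 -> 10): only packets matching a recorded session.
! Nothing can be initiated from the 192 side, including from the PIX.
ip access-list extended FROM_192_NET
 evaluate SESSIONS_8234
 deny   ip any any log
!
interface Ethernet0/0
 description LAN side (10.20.0.0/16)
 ip address 10.20.30.254 255.255.0.0
 no shutdown
!
interface Ethernet0/1
 description PIX inside network (192.168.1.0/24)
 ip address 192.168.1.2 255.255.255.0
 ip access-group TO_192_NET out
 ip access-group FROM_192_NET in
 no shutdown
!
! Both networks are directly connected, so the 2611 itself needs no static
! routes. The hosts do, because neither network's default gateway is this
! router (10.20.30.1 on the 10 side, the PIX at 192.168.1.21 on the 192 side):
!
!   on 192.168.1.1 (Windows):   route add 10.20.0.0 mask 255.255.0.0 192.168.1.2 -p
!   on 10.20.30.218 (Windows):  route add 192.168.1.0 mask 255.255.255.0 10.20.30.254 -p
!
! The same two routes could instead be added on each network's existing
! gateway, which avoids touching the workstations.
!
! Check: "show access-list" should show a SESSIONS_8234 entry while a
! connection to port 8234 is open and see it age out 300 seconds after the
! last packet. Anything from the 192 side that is not a reply is counted
! and logged by the final deny line of FROM_192_NET.
```

The reflexive pair is what makes the link genuinely one-way: a plain "permit tcp ... eq 8234" outbound with no inbound ACL would let any host on the 192 network reach any 10.20.x.x address, and an inbound "permit tcp ... established" would still accept unsolicited packets that merely carry the ACK bit. With "evaluate", the inbound entry exists only for the five-tuple of a session the 10-side host actually opened.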