We had an isolated network (10.1.x.x-10.5.x.x) in a remote location for a period of time. Over the last year we installed a T-1 that provides us (our main office (192.168.x.x)) connectivity to that isolated site. The setup was configured as follows:
main office router which contains multiple interfaces(e0-192.168.68.x & s0-10.7.1.x) connects directly to the isloted office router which contains multiple interfaces (s0-10.7.1.x, e0-10.2.1.x & 10.3.1.x).
This setup was put in place to gain access to specific servers on the 10.3.x.x & 10.2.x.x networks. We may also gain access to a couple other device interfaces on the 10.2 and 10.3 networks. However there are other devices that I would like to gain access to within the isolated network. These devices lye on the 10.1.x.x, 10.4.x.x, 10.5.x.x and 10.6.x.x networks. I have not been able to find a way to hit the 1,4,5 & 6 networks from my 192.168.x.x network.
Do I need to add additional interfaces to my isolated router to achive this? If so what is the best way to go about this? Does it require additional HW or is there a way to create virtual interfaces on the router. How would this work when utilizing VLANS?
All help/suggestions are appreciated.
The expensive solution is to add interfaces on the router. A cheaper method is to use secondary addresses on the router's ethernet interface (eg ip add 10.4.1.1 255.255.255.0 sec) using use whatever routing protocol (eg eigrp or static) you use to advertise those routes.. But how do the 10.4.x.x and 10.5.x.x and 10.6.x.x networks currently communicate with each other? If it's via another router, point your static routes to that router (if using static routes).
Hope it helps
the other networks are centralized through the PIX, which has multiple interfaces for each mentioned subnet. The access lists on the PIX dictate the type of connectivity between each subnet.
I thought of adding secondary addresses on the existing interfaces of the isolated location's router but how will this work since the existing interfaces (10.2 & 10.3) are plugged into their respective VLANS (2 & 3). I also do not want to compromise the security thats in place now either. For security purposes there is a reason as to why the networks do not crossover. inter-comminications between the VLANs is not a concern. Only to be able to access each one from our central location (192.168.x.x) is our goal.
I have been able to backdoor into the other devices in which I cannot access directly from 192.168.x.x by establishing aTelnet session into the 10.2 interface of my PIX which in turn grants me access to the devices on the other subnets. However this is not real practical when attempting to monitor those devices as well as baking up their configs.
If there is a way to accomplish our goal without comprimising the security currently in place this is the way we would like to go. One note: If the adding additional interfaces on the router is the way to go we will be limited with the router (1600) thats serving as our gateway to the 10.2 & 3 subnets. I think it is maxed out.
Your network is:
(192.168.x.x)central route(10.1.x.x)---(10.1.x.x)remote router(10.2.x.x)----switch---(10.2.x.x)pix-10.4.x.x and others on different interfaces
Sorry, why don't you just use static routes pointing to the PIX and have the PIX have a static route back. Then modify the acls on each PIX interface to allow the access you require (eg permit tcp host 192.168.x.x host 10.4.x.x eq y).
currently I am not using ACLs on the PIX. I am using static and conduit entries.
I have tried to add to them in an attempt to get it to work but have been unsuccessful. I know that creating and applying an access-list might do the trick but I have had issues in the past moving from static/conduit commands to access-lists. I have read that you must complety replace the static/conduit commands first to allow the access-list to take effect.
What static/conduit commands are required.
Below are the static routes.
route outside 0.0.0.0 0.0.0.0 10.1.1.4 1
route backend 192.168.x.x 255.255.0.0 10.2.x.x 1
Your statics won't change if you move to acls. But you are correct, don't mix acls and conduits. But it is possible to convert conduits to acls, takes planning, but it is recommended.
static (inside,outside) 22.214.171.124 192.168.1.5 netmask 255.255.255.255
conduit permit tcp host 126.96.36.199 eq www any
access-list acl_out permit tcp any host 188.8.131.52 eq www
then apply to an interface.
Your backend has a higher security than your outside, so you don't need any statics or acls to allow you to access them. For outside to access the backend, create a static of "static (backend,outside) 192.168.x.x 192.168.x.x netmask 255.255.255.0" and an acl of " access-list 101 permit tcp 10.1.1.x 255.255.255.0 192.168.x.x 255.255.255.0 eq 80". Then apply the acl to the outside.
Here is a link for pix commands based on your PIX version, then look up conduits and acls, it will help you migrate: http://www.cisco.com/warp/public/110/pix_command_ref.shtml .
Hope it helps.
I've added the following:
static (backend,outside) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-group 101 in interface outside
I still was not able to access the 10.1.1.x network from 192.168.x.x and vice versa. I actually lost all connectivity to my machines residing in my isolated network after applying the access-list to the outside interface. I am assuming this happened because I have yet to convert my conduits to ACLs.
when I run a tracert from one of my machines on the 192.168.x.x network to a device on 10.1.1.x it dies at the 10.7.1.x interface of my remote T-1 router. When I run it from a 10.1.1.x device (through a backdoor telnet session) it cannot make it to hop #1. There is a static route to the 192.168.x.x network on the remote device:
ip route 192.168.0.0 255.255.255.0 10.1.1.1
I know that I must eventually convert the conduits to ACLs but I do not think this is why I was unsuccessful in accessing the network. The access-list seems to have actually gone into effect as I was locked out after applying it.
Static will allow the lower security to access the higher security intreface. For higher security to access lower, your need a nat statement (and global if using nat, ie no nat 0). Do you have a NAT command for this? If yes, please post your config (all of it would help, minus passwords/public IPs), or email it to me and we can go over it off-line.
Let me know.