01-07-2006 05:05 AM - edited 03-09-2019 01:33 PM
My setup follows:
Pix--dmz servers with gateway as pix--- DMZ router ----- remote router ---- remote LAN
When I try to reach the remote LAN from the DMZ servers, I am not able to reach it.
My servers have the PIX as gateway.
The PIX has a route for the remote LAN. (From the PIX I don't have any problem in reaching the remote LAN.)
When I add a specific route to the remote LAN pointing to the local router, then I don't have any problem in reaching the remote LAN.
My problem is why the server, with the PIX as gateway, is not able to reach the remote LAN.
01-07-2006 04:32 PM
The issue is related to the PIX v6.x golden rule.
The golden rule basically doesn't allow the PIX to redirect a packet in and out of the same interface. E.g. the DMZ server tries to send a packet to the remote LAN. At the moment, the DMZ server has a default gateway of the PIX DMZ interface, so the DMZ server will forward the packet to the PIX DMZ interface to start with. The PIX receives the packet originated from the DMZ server and destined for the remote LAN. Now, the PIX determines the next hop for this particular packet is the DMZ router, which is via the DMZ interface again. As mentioned, the golden rule doesn't allow such an operation as the packet is received on the PIX DMZ interface.
The workaround, as Martin mentioned earlier, is to modify the default gateway on the DMZ server. The default gateway should be the DMZ router; then configure static routes on the router.
Now, there are two choices in terms of configuring routes on the router.
One: configure the PIX DMZ interface as the DMZ router's default gateway, and configure a static route for the remote LAN; or
Two: configure the remote router as the DMZ router's default gateway, and configure a static route for the PIX inside net.
Personally, I prefer the first option as the DMZ server may need internet access via the PIX as well.
Let's again look at the traffic flow with the DMZ server having the DMZ router as the default gateway, and the DMZ router having the PIX DMZ interface as the default gateway plus static routes for the remote LAN.
A packet originated from the DMZ server that is destined for the remote LAN will be forwarded to the DMZ router. The DMZ router will then forward the packet to the remote router based on the static routes. Alternatively, a packet originated from the DMZ server that is destined for the internet or the PIX inside subnet will be forwarded to the DMZ router. The DMZ router will then forward the packet to the PIX DMZ interface based on the default gateway setting.
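The forwarding logic described in the answer above, modelled as an added example that is not part of the thread and not Cisco's code. It builds the PIX routing table from the "route" and "ip address" lines posted later in the thread (the redacted x.x.208.192 route is left out), applies a simple "never send a packet back out the interface it arrived on" check to stand in for the v6.x golden rule, and then traces a DMZ-server packet under both gateway choices. REMOTE_ROUTER_IP is a placeholder, since the thread never gives the remote router's address, and the interface names on the DMZ router are invented for the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    """One routing-table entry: prefix, egress interface, optional next hop.

    next_hop=None means the prefix is directly connected to that interface.
    """
    prefix: ipaddress.IPv4Network
    interface: str
    next_hop: Optional[str] = None


# Constructed from the posted PIX config: the "route" lines plus the connected
# networks implied by the "ip address" lines. "x.x.156.129" is kept exactly as
# redacted in the post; it is only a label here, never parsed.
PIX_ROUTES: List[Route] = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "outside", "x.x.156.129"),
    Route(ipaddress.ip_network("172.20.183.0/24"), "server", "192.168.255.195"),
    Route(ipaddress.ip_network("172.20.177.0/24"), "inside"),
    Route(ipaddress.ip_network("192.168.255.192/26"), "server"),
]


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over a routing table; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def pix_forward(ingress: Optional[str], dst: str,
                routes: List[Route] = PIX_ROUTES) -> Tuple[str, Optional[str]]:
    """What the PIX does with a packet to dst that arrived on interface `ingress`.

    ingress=None models traffic the PIX itself generates (a ping from the
    firewall), which is why the poster can reach the remote LAN from the PIX.
    Returns (verdict, egress interface).
    """
    r = lookup(routes, dst)
    if r is None:
        return ("dropped: no route", None)
    if ingress is not None and r.interface == ingress:
        # Simplified stand-in for the v6.x golden rule: no hairpin out the
        # interface the packet came in on. This is an isolation property of
        # the firewall, not a bug in the poster's VLAN setup.
        return ("dropped: same-interface redirect", r.interface)
    return ("forwarded", r.interface)


# Option one from the answer: the DMZ router defaults to the PIX "server"
# interface (192.168.255.193) and carries a static route for the remote LAN.
REMOTE_ROUTER_IP = "REMOTE_ROUTER_IP"  # placeholder; not given in the thread
DMZ_ROUTER_ROUTES: List[Route] = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "toward-pix", "192.168.255.193"),
    Route(ipaddress.ip_network("172.20.183.0/24"), "toward-remote", REMOTE_ROUTER_IP),
    Route(ipaddress.ip_network("192.168.255.192/26"), "toward-pix"),
]


def dmz_router_forward(dst: str) -> Tuple[str, Optional[str]]:
    """A plain router has no same-interface rule: (egress interface, next hop)."""
    r = lookup(DMZ_ROUTER_ROUTES, dst)
    if r is None:
        return ("dropped: no route", None)
    return (r.interface, r.next_hop)


def server_path(dst: str, gateway: str) -> List[str]:
    """Trace the hops a DMZ-server packet takes for gateway 'pix' or 'dmz-router'."""
    hops = ["dmz-server"]
    if gateway == "pix":
        verdict, egress = pix_forward("server", dst)
        hops.append(f"pix:{verdict}")
        if verdict == "forwarded":
            hops.append(egress)
        return hops
    egress, next_hop = dmz_router_forward(dst)
    hops.append(f"dmz-router:{egress}")
    if egress == "toward-pix":
        # Enters the PIX on "server"; the next hop is now a different interface.
        verdict, pix_egress = pix_forward("server", dst)
        hops.append(f"pix:{verdict}")
        if verdict == "forwarded":
            hops.append(pix_egress)
    elif egress == "toward-remote":
        hops.append(f"remote-router:{next_hop}")
    return hops


if __name__ == "__main__":
    for gw in ("pix", "dmz-router"):
        for dst in ("172.20.183.10", "172.20.177.5", "198.51.100.7"):
            print(gw, dst, " -> ".join(server_path(dst, gw)))
```

Run it and the first gateway choice shows the remote-LAN packet dropped at the PIX while the PIX-sourced lookup succeeds; the second shows the remote-LAN packet going straight to the remote router and everything else still passing through the PIX on a different egress interface, which is exactly why option one keeps internet access working.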
01-07-2006 08:25 AM
Hello,
From your drawing I would suggest it makes more sense to have your DMZ router as the default gateway on your DMZ servers. Otherwise the PIX has to redirect the traffic to the DMZ router, and this might or might not work depending on your configuration.
Hope this helps
Martin
P.S.: please post your configs (DMZ router and PIX) in order to get a more specific answer.
Please rate all helpful posts
01-07-2006 10:33 AM
Hello,
Thank you for the reply!
Find the PIX configuration below.
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan2 physical
interface ethernet1 vlan3 logical
interface ethernet1 vlan4 logical
interface ethernet1 vlan5 logical
interface ethernet1 vlan6 logical
interface ethernet1 vlan7 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 server security8
access-list sertoin remark temporary access to all
access-list sertoin permit ip any any
ip address outside x.x.156.130 255.255.255.192
ip address inside 172.20.177.1 255.255.255.0
ip address server 192.168.255.193 255.255.255.192
access-group sertoin in interface server
route outside 0.0.0.0 0.0.0.0 x.x.156.129 1
route server 172.20.183.0 255.255.255.0 192.168.255.195 1
route outside x.x.208.192 255.255.255.224 x.x.156.129 1
My remote LAN network is 172.20.183.0 and the DMZ router IP is 192.168.255.195.
The DMZ router can't be the default gateway for the servers. Only to reach the 172.20.183.0 network do I need a route via the DMZ router.
One more thing I haven't mentioned earlier is that I do all this with logical interfaces (VLANs). I suspect that could be the problem (maybe a bug).
I am able to reach 172.20.183.0 from the PIX without any problem. So there shouldn't be any problem with the DMZ router configuration.
01-08-2006 03:01 AM
Hello,
In your last post you write the DMZ router could not be the default gateway for the servers. But according to the config you gave, this is technically possible. And I think JackKo made it clear why it would be the best solution in your case.
There is afaik no additional security threat arising from setting the DMZ router as default gateway for your servers instead of the PIX, if this was your concern.
So reconfigure your servers and everything should be fine.
Hope this helps
Martin