
Help with outside, inside route


quickconnect

IS-IT--Management
May 5, 2003
70
US
I am using a PIX 501 to separate some contractors from our network and only give them access to certain resources.

Currently the outside interface is plugged into our corporate network with a static address and the inside interface is where the contractors plug into. On the inside interface I am doing DHCP with a 192.168.1.x network.

What I'm trying to accomplish here is that I have a switch plugged into the inside interface with a static assigned address of 1.67.11.4.

I can't seem to access that switch from our corporate network or even ping it. I get a No route to 1.67.11.4 (switch) from 1.226.2.25 (device trying to talk to the switch).

Here is my config ....

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password .SKH9yyfu5Hmgf1Z encrypted
passwd .SKH9yyfu5Hmgf1Z encrypted
hostname XXXXXXX
domain-name XXX.corp.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 1..x.x.xNTP1
name 1.x.x.x XXXXXXSubnet
name 1.x.x.x XXXXXX_Syslog
name 1.x.x.x XXXXXXX_Net1
name 1.x.x.x Proxy1
name 1.x.x.x Proxy2
name 1.x.x.x. DNS_Server
name 1.x.x.x. DNS_Server2
name 1.x.x.x.x mbelvpn
name 64.x.x.x.x xxxxxxx_Network
name 212.x.x.x. xxxxxxVPN
name 65.x.x.x.x xxxx_VPN
name 1.x.x.x. xxxview1
name 1.226.x.x xxxx_server
name 1.x.x.x CMPSWTB4
object-group service Custom_UDP udp
description Custom ports for outbound traffic for Cisco VPN Client
port-object eq isakmp
port-object range 4500 4500
object-group network xxxx_Servers
description Allows for the round robin to work between proxy
network-object Proxy1 255.255.255.255
network-object Proxy2 255.255.255.255
object-group service TCP_Services tcp
port-object eq 8080
port-object eq www
port-object eq https
object-group network DNS_Servers
network-object DNS_Server 255.255.255.255
network-object DNS_Server2 255.255.255.255
object-group service Allowed_UDP_Services udp
port-object eq domain
object-group network Contract_VPN_Group
network-object xxxxxAtlanta_Network 255.255.255.255
network-object xxxxvpn 255.255.255.255
network-object xxxxxVPN 255.255.255.255
network-object xxxxx_VPN 255.255.255.255
object-group network xxxxxview_Servers
network-object xxxxview1 255.255.255.255
network-object xxxxview2 255.255.255.255
object-group service Switch_Manage_Ports tcp-udp
port-object range 161 161
access-list inside_access_in permit udp any any eq domain
access-list inside_access_in permit udp any object-group DNS_Servers object-group Allowed_UDP_Services
access-list inside_access_in permit ip any object-group Contract_VPN_Group
access-list inside_access_in permit tcp any object-group Proxy_Servers object-group TCP_Services
access-list inside_access_in deny ip any any
access-list outside_access_in permit icmp any any
access-list outside_access_in remark Allows OpenView to talk to the switch
access-list outside_access_in permit udp object-group Openview_Servers host CMPSWTB4
access-list outside_access_in permit ip object-group Openview_Servers host CMPSWTB4
access-list outside_access_in deny ip any any
access-list outside_access_in remark Allows the Pix to send syslog messages to t
access-list outside_access_in remark Allows the Pix to send syslog messages to t
access-list outside_access_in remark Allows the Pix to send syslog messages to t
pager lines 24
logging on
logging timestamp
logging buffered informational
logging trap informational
logging facility 0
logging device-id hostname
logging host outside xxxxx_Syslog
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 4
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 255.255.255.255 outside
pdm location xxxxxSubnet 255.255.255.0 inside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location xxxxx_Net1 255.0.0.0 inside
pdm location xxxxxxxSubnet 255.255.255.0 outside
pdm location Proxy1 255.255.255.255 outside
pdm location 1.100.0.0 255.255.0.0 outside
pdm location xxxxx_Syslog 255.255.255.255 outside
pdm location Proxy2 255.255.255.255 outside
pdm location 0.0.0.0 0.0.0.0 inside
pdm location 0.0.0.0 0.0.0.0 outside
pdm location DNS_Server 255.255.255.255 outside
pdm location DNS_Server2 255.255.255.255 outside
pdm location 1.100.x.x 255.255.255.255 outside
pdm location xxxxxx_Network 255.255.255.255 outside
pdm location xxxxxvpn 255.255.255.255 outside
pdm location xxxxxVPN 255.255.255.255 outside
pdm location xxxx_VPN 255.255.255.255 outside
pdm location Openview1 255.255.255.255 outside
pdm location Openview2 255.255.255.255 outside
pdm location CMPSWTB4 255.255.255.255 inside
pdm group Proxy_Servers outside
pdm group DNS_Servers outside
pdm group Contract_VPN_Group outside
pdm group xxxxxxview_Servers outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) CMPSWTB4 CMPSWTB4 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside xxxxxview1 255.255.255.255 CMPSWTB4 1
route outside Openview2 255.255.255.255 CMPSWTB4 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
ntp server NTP1 source outside prefer
ntp server xxxxxview1 source inside
http server enable
http ConsumersSubnet 255.255.255.0 outside
snmp-server host outside 1.100.31.30
snmp-server location xxxx xxxxx
snmp-server contact xxxx xxx
snmp-server community xxxxxxxx
no snmp-server enable traps
tftp-server inside xxxxx_Syslog xxxxxx01_config
floodguard enable
telnet timeout 5
ssh xxxxxxSubnet 255.255.255.0 outside
ssh timeout 10
management-access outside
console timeout 0
dhcpd address 192.168.1.50-192.168.1.80 inside
dhcpd dns DNS_Server2 DNS_Server
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain xxxx.xxxxx.com
dhcpd auto_config outside
dhcpd enable inside
username xxxxx password xxxxxxx/hzCS encrypted privilege 15
terminal width 80
banner login **********************************************************
banner login This system is to be used only by specifically authorized
banner login personnel. Any unauthorized use of the system is unlawful,
banner login and may be subject to civil and/or criminal penalties. Any
banner login use of this system may be logged or monitored without
banner login further notice, and that the resulting logs may be used as
banner login evidence in court.
banner login **********************************************************
Cryptochecksum:xxxxxx439701554cee3dd55e1243ef
: end


Any help is appreciated ASAP
 
Is this a layer-3 switch (router)? You seem to be routing via it, but on the outside. Where's network 1.x.x.x as noted in all the "name" statements? The inside IP address is 192.168.x, but there are no "route inside" statements to get to 1.x.x.x via some 192.168.x.x address.

 
lgarner,

The 1.x.x.x is our local (corporate) IP address where the outside interface of the PIX is plugged into. The 192.168.x.x is the NAT address on the inside interface of the PIX. The switch I need to access is plugged into the inside (192.16.x.x.) interface of the PIX with a basic config, basically going to be used so that I can plug more than 4 users into it. I want to be able to manage the switch located on the inside interface but don't think I have my NAT or routes correct???
 
Then the switch needs an IP address in the 192.168.x.x range, let's say 192.168.1.2. The static statement would look like:

static (inside,outside) 192.168.1.2 1.x.x.x netmask 255.255.255.255

where "1.x.x.x" is some unused address on your corporate network, not the Pix's public interface. If you use the address that you've already named as "CMPSWTB4" (I assume that's the switch), then your ACL is already set up.

Alternatively, you can use identity nat to access the switch, and other systems, by their real addresses. This effectively makes the Pix a router, while adding the security measures. For that, your static would look like this:

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

In this case, your outside_in ACLs would use the 192.168 addresses, and your corporate systems would need to have a route set to the 192.168 network via the Pix. Something like:

ip route 192.168.1.0 255.255.255.0 <pix_public_address>

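A small model of how a PIX decides where an outside packet ends up, added here as an illustration (not PIX code and not from anyone in this thread): it reads the static, route and ip address lines, translates a destination the way static (inside,outside) <global> <local> netmask <mask> does in Cisco's documented argument order (global address first, then the local one), and then checks whether the translated address is on the inside interface's subnet or covered by a route inside, which is the check the original config fails. The config fragments are constructed from the thread's addresses, and the inside-path check is a simplification of the real route lookup.

```python
import ipaddress

def parse_pix(config):
    """Collect the lines of a PIX 6.x config that decide how an outside->inside
    packet is translated and then routed: statics, routes, interface subnets."""
    statics, routes, ifaces = [], [], {}
    for line in config.splitlines():
        f = line.split()
        if len(f) >= 6 and f[:2] == ["static", "(inside,outside)"]:
            # static (inside,outside) <global> <local> netmask <mask>
            gnet = ipaddress.ip_network(f"{f[2]}/{f[5]}", strict=False)
            statics.append((gnet, ipaddress.ip_address(f[3])))
        elif len(f) >= 5 and f[0] == "route":
            # route <ifc> <network> <mask> <gateway>
            routes.append((f[1], ipaddress.ip_network(f"{f[2]}/{f[3]}", strict=False)))
        elif len(f) >= 5 and f[:2] == ["ip", "address"] and f[3] != "dhcp":
            # ip address <ifc> <addr> <mask>: the connected subnet of that interface
            ifaces[f[2]] = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False)
    return statics, routes, ifaces

def resolve_from_outside(config, dst):
    """Translate a destination seen on the outside interface and report whether
    the PIX has an inside path to the translated (real) address.
    Returns (local_address_or_None, reachable_via_inside)."""
    statics, routes, ifaces = parse_pix(config)
    dst = ipaddress.ip_address(dst)
    for gnet, local_base in statics:
        if dst in gnet:
            # One-to-one or whole-network static: keep the host offset in the block
            local = local_base + (int(dst) - int(gnet.network_address))
            break
    else:
        return None, False  # nothing translates it, so it never reaches inside
    inside_nets = [n for ifc, n in ifaces.items() if ifc == "inside"]
    inside_nets += [n for ifc, n in routes if ifc == "inside"]
    return str(local), any(local in n for n in inside_nets)

# Constructed fragments mirroring the thread: 192.168.1.1/24 inside, switch at 1.67.11.4.
ORIGINAL = """ip address outside dhcp setroute retry 4
ip address inside 192.168.1.1 255.255.255.0
static (inside,outside) 1.67.11.4 1.67.11.4 netmask 255.255.255.255
"""
# lgarner's first option: switch re-addressed to 192.168.1.2, exposed as 1.67.11.4
ONE_TO_ONE = ORIGINAL.replace("1.67.11.4 1.67.11.4", "1.67.11.4 192.168.1.2")
# lgarner's second option: identity NAT for the whole inside network
IDENTITY = ORIGINAL.replace("static (inside,outside) 1.67.11.4 1.67.11.4 netmask 255.255.255.255",
                            "static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0")

if __name__ == "__main__":
    for name, cfg in [("original", ORIGINAL), ("one-to-one", ONE_TO_ONE), ("identity", IDENTITY)]:
        print(name, resolve_from_outside(cfg, "1.67.11.4"), resolve_from_outside(cfg, "192.168.1.2"))
```

With the original fragment the switch address translates to itself, 1.67.11.4, which is on no inside subnet or route inside, matching the "No route to 1.67.11.4" the poster sees; with the identity static the corporate side must address the switch as 192.168.1.2 and carry the route lgarner mentions.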
 
So you're saying that if I give my switch a static IP address of 192.168.1.2, which sits on the inside interface (192.16.1.x) and is known by the TRUE known IP address of 1.67.11.4 on the outside interface (plugged into our network), this will work by using
static (inside,outside) 192.168.1.2 1.67.11.4 netmask 255.255.255.255

Do I also need an outside,inside statement?
 