
PIX 501 setup problem

Status
Not open for further replies.

countrypaul (Technical User), Apr 29, 2004
We've spent several hours at this and cannot believe it is that difficult, but think we are overlooking something simple, therefore any help would be appreciated.

We have an internal LAN on which the IP address range is 192.168.1.x; this accesses the Internet through a PIX 515E with no problems.

We want to set up a separate LAN connected to the main LAN with a PIX 501. The 501 should have external address 192.168.1.252 and the internal range 10.0.0.x.

Using the config below we cannot see anything on the main LAN from the 10.0.0.x addresses, nor anything on the Internet.

TIA

Paul

:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxx encrypted
passwd xxxxx encrypted
hostname xxxx
domain-name xxxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_access_in permit tcp any eq echo any
access-list outside_access_in permit tcp any eq echo any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.252 255.255.255.240
ip address inside 10.0.0.241 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 255.255.255.0 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route outside 192.168.1.0 255.255.255.0 192.168.1.252 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.242-10.0.0.254 inside
dhcpd dns 192.168.1.10 192.168.1.13
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain xxxxxx
dhcpd enable inside
terminal width 80
Cryptochecksum:c1810fd700277791a0cb1412971075fc
: end
[OK]

 
You can't route traffic back out the same interface, so your two networks will not be able to communicate.

However, you should still be able to get to the Internet.

Add a route inside 10.0.0.0 255.255.255.0 192.168.1.252 0 0

That should allow the PIX 515E to send data to the new network.

Cisco PIX OS 7.0 (when it comes out) will fix the problem you are having.

The best workaround for this would be to set the PIXes up in parallel at the router.

Computer/Network Technician
CCNA
 
Either I haven't explained myself properly, or you've misunderstood what I meant. Either way, maybe a diagram will help:

Internet --> PIX515 --> Pix 501 --> PC

We know this works because I had it working last week, then I made some changes (and like a fool forgot to take a backup first).

We should not be routing traffic back on the same interface it went out on.

Paul
 
OK, it's possible that your access-lists are blocking you from accessing anything as well.

One thing to remember about access-lists is that there is an "implicit deny all" at the end, meaning that you are allowing "echos" to occur, but then denying EVERYTHING else afterwards in each direction.

Computer/Network Technician
CCNA
 
PIX 501:
no route outside 192.168.1.0 255.255.255.0 192.168.1.252
no access-list inside_access_in permit tcp any eq echo any
no access-list outside_access_in permit tcp any eq echo any

You are blocking EVERYTHING except TCP traffic on port echo.

If you remove these ACLs then you should have Internet access from the 10 network, but you will not be able to access the 192 network unless you have a router on the 192 network to act as a default gateway for the 192 hosts. As LloydSev explained, the PIX is not able to route packets back out the same interface they arrived on.
 
Thanks LloydSev and themut - adding the access lists back in did resolve the complete lack of access. I thought it would be something simple, and entirely overlooked the fact they were missing.

Can you explain why a router would be needed on the 192 network? If a machine on the 10 network tries to contact, say, 192.168.1.10 for argument's sake, surely this will be routed by the PIX 501 from the 10 network directly to the 192.168.1.10 machine? Does the 192.168.1.10 machine not then reply using the PIX 501 as the gateway back to the source machine on the 10 network? (Or does it use its default gateway, the PIX 515E?)

Thanks

Paul
 
That's correct, but possibly not why you think. With the NAT setup as you have it, every connection to a 192.168 address from the inside will appear as 192.168.1.252. Since that's on the local LAN for those devices, no router is needed.
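Added example (Python, not from the thread or from any poster): a small model of the two points made above, the implicit deny that sits behind the single `permit tcp any eq echo any` entry, and the `nat`/`global (outside) 1 interface` PAT that makes every 10.x connection appear as 192.168.1.252 on the 192 network. The port-name table, the simplified matcher and the sample flows are assumptions constructed for the example.

```python
# Added example (not from the thread): how the PIX 501 treats a flow from the
# 10.0.0.x LAN under its inside_access_in ACL and interface PAT.
# In PIX 6.3 syntax, 'eq PORT' placed after the SOURCE address is a source-port
# test, so 'permit tcp any eq echo any' matches only TCP from source port 7 and
# the implicit deny at the end of the list drops everything else (HTTP, DNS, ...).
PORT_NAMES = {"echo": 7, "domain": 53, "www": 80}   # subset of PIX port names

def port(tok):
    return int(PORT_NAMES.get(tok, tok))

def parse_acl(lines):
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]' lines.
    Only the 'any' address form and the 'eq' operator are handled (assumption)."""
    rules = []
    for line in lines:
        tok = line.split()
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, sport = rest.pop(0), None
        if rest and rest[0] == "eq":
            sport, rest = port(rest[1]), rest[2:]
        dst, dport = rest.pop(0), None
        if rest and rest[0] == "eq":
            dport, rest = port(rest[1]), rest[2:]
        rules.append((action, proto, src, sport, dst, dport))
    return rules

def acl_decision(rules, flow):
    """First matching entry wins; no match is the implicit deny.
    Addresses are treated as 'any', the only form used in the thread."""
    for action, proto, src, sport, dst, dport in rules:
        if proto != flow["proto"]:
            continue
        if sport is not None and sport != flow["sport"]:
            continue
        if dport is not None and dport != flow["dport"]:
            continue
        return action
    return "deny"

def forward(flow, rules, outside_ip="192.168.1.252"):
    """Return (decision, source address seen on the 192.168.1.x wire).
    rules=None models no access-group on inside (higher security level may reach
    lower by default). The nat/global pair rewrites every inside source to outside_ip."""
    if rules is not None and acl_decision(rules, flow) != "permit":
        return ("deny", None)
    return ("permit", outside_ip)

THREAD_ACL = parse_acl(["access-list inside_access_in permit tcp any eq echo any"])
# Constructed sample flows from a DHCP client on the 10 network.
HTTP = {"proto": "tcp", "src": "10.0.0.242", "sport": 40000, "dst": "192.168.1.10", "dport": 80}
DNS = {"proto": "udp", "src": "10.0.0.242", "sport": 40001, "dst": "192.168.1.10", "dport": 53}
```

Calling `forward(HTTP, THREAD_ACL)` returns a deny, while `forward(HTTP, None)` (ACL removed) permits the flow and shows it leaving as 192.168.1.252, which is why the 192 hosts reply locally and need no extra route.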

 