Pix Firewall outside 2 inside problem

[Raul102801]

Here is my setup. I need to allow traffic from vpn router segment 10.50.2.0 to the inside netwoks

Internet---(a.a.a.a)VPN Router(b.b.b.b)---(c.c.c.c)Pix(d.d.d.d)---(e.e.e.e)core router(d.d.d.d)

The VPN router created the segment ab.ab.ab.ab and has a route sending all the traffic for d.d.d.d to c.c.c.c from the vpn router I can ping the outside interface of the pix and viceversa but vpn clients still can't get to d.d.d.d The pix has no access lists. Do I need to apply an access list like access-list 100 permit ip ab.ab.ab.0 255.255.255.0 d.d.d.0 255.255.255.0 ? or is there another solution for this? Here is the config
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
enable password XXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
hostname pix
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ping_acl permit icmp any any
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside 100.250.10.178 255.255.255.240
ip address inside 192.168.11.4 255.255.255.0
no ip address intf2
no ip address intf3
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2

arp timeout 14400
global (outside) 1 100.250.10.179
nat (inside) 1 128.1.20.0 255.255.255.0 0 0
nat (inside) 1 192.168.11.5 255.255.255.255 0 0
static (inside,outside) 192.168.11.0 192.168.11.0 netmask 255.255.255.0 0 0
access-group ping_acl in interface outside
route outside 0.0.0.0 0.0.0.0 100.250.10.177 1
route inside 10.0.0.0 255.0.0.0 192.168.11.1 1
route inside 128.1.20.0 255.255.255.0 192.168.11.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
console timeout 0
terminal width 80
Cryptochecksum:xxxxxx
: end
The outside router gives VPN clients the following range 10.50.2.0 and I want to allow that range access to the inside networks. It also has a default route sending all traffic to the outside interface of the pix. The ACL I created was just for testing but didn't work
Here are the changes made:
Removed:
access-list ping_acl permit icmp any any
access-group ping_acl in interface outside
Changed the static route of 10.0.0.0 to individual class C networks and letf the 10.50.2.0 to be routed under the default route.

Added:
access-list 100 permit ip 10.50.2.0 255.255.255.0 192.168.11.0 255.255.255.0
access-group 100 in interface outside
nat (inside) 0 access-list 100

When I connect to vpn I get the following IP 10.50.2.87, I try to ping 192.168.11.1 and get a reply from the outside interface on the pix saying host unreachable.



any ideas?

 

[Supergrrover]

There's a lot of natting going on that makes this a bit tough to troubleshoot. The best idea would be to terminate the VPN on the pix interface instead of the router.

If that can't be done, try changing the access lists
access-list 100 permit ip 10.50.2.0 255.255.255.0 any

lastly add
nat (outside) 0 access-list 100



Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[Raul102801]

Here is what I get after applying the recommended statements (see warning message):


pix(config)# access-list 100 permit ip 10.50.2.0 255.255.255.0 any
pix(config)# access-group 100 in interface outside
pix(config)# nat (outside) 0 access-list 100
WARNING: Specified interface is lowest security interface. This statement
WARNING: is not applicable to any traffic.

 

[Raul102801]

Would this be easier if I remove all the natting and the global (outside ) statements. The natting is to control access to the internet but is being changed to another device so I can remove all those statements.
Any ideas?

 

[Supergrrover]

Sorry, I was totally on the wrong path. Wrote too quickly.
What would your new config (hardware setup) look like?


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[Raul102801]

the hardware setup is:


Internet--Internet filtering---VPN Router--- PIX----Router

I got the ok to remove internet filtering from the PIX so I can remove the gloval statement and the nat statements.
When I added the config you gave me I got a warning which you can see on a reply above.

 

[Supergrrover]

For this, I would have the VPN tunnels terminate on the pix unless there are network resources they need between the pix and the VPN router.

What other functions is the VPN router performing that the pix cannot? (Just wondering why it is there.)


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[Raul102801]

The VPN is outsourced and the ISP manages that router and VPN. That is the reason it is located where it is.

 

[Supergrrover]

That makes things complicated. I am not sure if this will work. Hopefully someone else may have more experience with this kind of setup will jump in. I'm at a loss.



Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[Raul102801]

OK... quick question, I know you can allow traffic from the outside to a single address with a static statemet like the following:
Static (outside, inside) 208.144.217.2 192.168.111.1 netmask 255.255.255.255
Can this be done for a range of addresses?
Static (outside, inside) 208.144.217.2 192.168.111.0

Just a thought.
I have tried this without success but I understand that by natting addresses to access internet and having a global statement it could complicate things, so I am thinking about removing those and trying it that way.

Any thoughts or comments?