Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations wOOdy-Soft on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Pix routing issues 1

Status
Not open for further replies.
western592

western592

MIS
Oct 18, 2001
18
CA
I am using a Cisco Pix 520 using software version 6

I have been unable to properly route the traffic between our internal
network to our inside network. The internal and inside traffic can go
outside fine, but I am unable to reach any servers or resources between the
internal and inside networks. I have attached the pix config with the
internet routable IP's as x.x.x.x Any input or feedback would be greatly
appreciated.

Regards,
Dave Horsey

PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 internal security10
nameif ethernet3 ftpsvr security15
nameif ethernet4 pix/intf4 security20
nameif ethernet5 pix/intf5 security25
enable password RebYrQPP52x1g4ow encrypted
passwd NQoqeE/hPY7B0GSm encrypted
hostname maximus
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_in permit icmp any any
access-list acl_in permit ip any any
access-list acl_out permit icmp any any
access-list acl_out permit ip any any
access-list acl_ftp permit ip any any
access-list acl_ftp permit icmp any any
access-list acl_int permit icmp any any
access-list acl_int permit ip any any
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu internal 1500
mtu ftpsvr 1500
mtu pix/intf4 1500
mtu pix/intf5 1500
ip address outside x.x.11.1 255.255.255.0
ip address inside 10.1.0.1 255.255.0.0
ip address internal 192.168.0.1 255.255.255.0
ip address ftpsvr 10.2.0.1 255.255.0.0
ip address pix/intf4 127.0.0.1 255.255.255.255
ip address pix/intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address internal 0.0.0.0
failover ip address ftpsvr 0.0.0.0
failover ip address pix/intf4 0.0.0.0
failover ip address pix/intf5 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 x.x.11.11 netmask 255.255.255.0
global (inside) 1 10.1.0.200-10.1.0.220
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (internal) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) x.x.11.15 10.1.0.15 netmask 255.255.255.255 0 0
static (inside,outside) x.x.11.31 10.1.0.31 netmask 255.255.255.255 0 0
static (inside,outside) x.x.11.32 10.1.0.32 netmask 255.255.255.255 0 0
static (inside,outside) x.x.11.16 10.1.0.52 netmask 255.255.255.255 0 0
static (inside,outside) x.x.11.17 10.1.0.51 netmask 255.255.255.255 0 0
static (inside,outside) x.x.11.18 10.1.0.50 netmask 255.255.255.255 0 0
static (inside,outside) x.x.11.19 10.1.0.10 netmask 255.255.255.255 0 0
static (inside,outside) x.x.11.20 10.1.0.20 netmask 255.255.255.255 0 0
static (inside,outside) x.x.11.21 10.1.0.30 netmask 255.255.255.255 0 0
static (inside,outside) x.x.11.22 10.1.0.40 netmask 255.255.255.255 0 0
static (inside,outside) x.x.11.70 10.1.0.70 netmask 255.255.255.255 0 0
static (inside,outside) x.x.11.80 10.1.0.80 netmask 255.255.255.255 0 0
static (inside,outside) x.x.11.90 10.1.0.90 netmask 255.255.255.255 0 0
static (inside,outside) x.x.11.100 10.1.0.100 netmask 255.255.255.255 0 0
static (inside,outside) x.x.11.110 10.1.0.110 netmask 255.255.255.255 0 0
static (inside,outside) x.x.11.91 10.1.0.91 netmask 255.255.255.255 0 0
static (inside,outside) x.x.11.101 10.1.0.101 netmask 255.255.255.255 0 0
static (inside,outside) x.x.11.150 10.1.0.150 netmask 255.255.255.255 0 0
static (inside,outside) x.x.11.151 10.1.0.151 netmask 255.255.255.255 0 0
static (inside,outside) x.x.11.152 10.1.0.152 netmask 255.255.255.255 0 0
static (inside,outside) x.x.11.153 10.1.0.153 netmask 255.255.255.255 0 0
static (inside,outside) x.x.11.154 10.1.0.154 netmask 255.255.255.255 0 0
static (inside,outside) x.x.11.155 10.1.0.155 netmask 255.255.255.255 0 0
static (inside,outside) x.x.11.156 10.1.0.156 netmask 255.255.255.255 0 0
static (inside,outside) x.x.11.157 10.1.0.157 netmask 255.255.255.255 0 0
static (inside,outside) x.x.11.158 10.1.0.158 netmask 255.255.255.255 0 0
static (inside,outside) x.x.11.159 10.1.0.159 netmask 255.255.255.255 0 0
static (inside,outside) x.x.11.160 10.1.0.160 netmask 255.255.255.255 0 0
static (inside,outside) x.x.11.161 10.1.0.161 netmask 255.255.255.255 0 0
static (inside,outside) x.x.11.162 10.1.0.162 netmask 255.255.255.255 0 0
static (inside,outside) x.x.223.200 10.1.0.200 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_int in interface internal
access-group acl_ftp in interface ftpsvr
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 209.47.11.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community leavemethehellalone
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 internal
telnet timeout 60
ssh timeout 5
terminal width 80
Cryptochecksum:91dcaf798f27ecf18112770fe2d0fbdd
: end
[OK]

 
Sort by date Sort by votes
Use conduit statements in your setup instead of the acl lists. This wil solve your problems, and activate nat 0 for your communication between the interfaces.

Suc6
 
Upvote 0 Downvote
HI!

This line will not be used:
global (inside) 1 10.1.0.200-10.1.0.220

Remeber this basic rule about the security numbers in PIX:
From high to low ==> Use NAT & GLOBAL (or NAT 0)
From high to low ==> Use STATIC and ACL.

So here are my suggestions:

=====

! Access from inside to internal:
access-list nonat permit ip 10.1.0.0 255.255.0.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat

! Access from internal to inside:
static (inside,internal) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
access-list aclint permit ip 192.168.0.0 255.255.255.0 10.1.0.0 255.255.0.0
access-group aclint in interface internal

=====

There is NO mistake in the static command. It's purpose is to present (I guess it means proxy arp) the "inside" IP addresses to the "internal" network.
However I have not tested it, and maybe without this command it can also work since the PIX is the default gateway of "internal". Try and See.


You will probably wish to later filter out and only allow traffic to specific hosts and services.


Please read here:

Bye
Yizhar Hurwitz
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

xwray
  • Locked
  • Question
PIX 501 DHCP Server function
Replies
0
Views
195
xwray
xwray
Modem80
  • Locked
  • Question
Novice SonicOS user, need routing help
Replies
2
Views
231
Modem80
Modem80
brownmab53
  • Locked
  • Question
PIX 525 ASA not allowing DHCP addresses to pass through to router
Replies
0
Views
249
brownmab53
brownmab53
quazimotto
  • Locked
  • Question
Correct Upgrade Path for PIX
Replies
7
Views
399
quazimotto
quazimotto
quazimotto
  • Locked
  • Question
Ping thru PIX to subnet inside??!!
Replies
0
Views
187
quazimotto
quazimotto

Part and Inventory Search

Sponsor

Back
Top