
PIX routing problem in a WAN environment 2

Status
Not open for further replies.

golovast (MIS)
Mar 18, 2002
I've just been thrown on this project which is giving me a heck of a lot of problems. I tried some things and they don't seem to be working. I would definitely appreciate some advice. OK, this is what I've got on my hands. There is a Netopia R1300 router, which belongs to the ISP and lets the company go out to the Internet. There is a PIX firewall that is behind the Netopia. There is a Cisco 1720 series router that is connecting a remote office, and there is an 800 series router for another office. Those networks are 192.168.3.x and 192.168.2.x, and the Netopia is the default gateway for both of these routers to go to the Internet. There is a mail server on a 192.168.1.x network in the main office which serves the entire company.

The way it's currently set up is as follows: hosts on 192.168.1.x have the mail server as their gateway (don't ask me why, I didn't set it up..=]..). The mail server (Exchange 2000) has static routes to 192.168.3.x and 192.168.2.x which point to their respective routers (800 and 1720) and has the PIX internal interface as its default gateway. There is going to be another router coming in at some indeterminate point in the future, but for now I wanted to make the PIX the default gateway for the 192.168.1.x network instead of the mail server. The original PIX configuration is below.

What I've done to the PIX is add static routes to 192.168.3.x and 192.168.2.x using the routers for those networks as gateways, and changed the default gateway on the hosts on 192.168.1.x to the PIX instead of the mail server. What happens is that the hosts can access the Internet, but absolutely cannot communicate with 192.168.3.x and 192.168.2.x. They can ping the internal interface of the PIX, but can't go any further than that. Any advice?

PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password KGUKztNP7ovmZ/YE encrypted
passwd RLeUqvlw83YrBqQs encrypted
hostname OtayMesa
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names

(mail server addresses below)
access-list nonat permit ip host 192.168.1.54 192.168.100.0 255.255.255.0
access-list nonat permit ip host 192.168.1.5 192.168.100.0 255.255.255.0
access-list nonat permit ip host 192.168.1.55 192.168.100.0 255.255.255.0
access-list nonat permit ip any 192.168.100.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500

ip address outside 209.126.x.x 255.255.255.192
ip address inside 192.168.1.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool TIG 192.168.100.100-192.168.100.200
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 209.126.142.120-209.126.142.126
global (outside) 1 209.126.142.119
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

(mail server mapping below)

static (inside,outside) 209.126.142.66 192.168.1.54 netmask 255.255.255.255 0 0
conduit permit tcp host 209.126.142.66 eq smtp any
route outside 0.0.0.0 0.0.0.0 209.126.142.99 1
route inside 192.168.0.0 255.255.0.0 192.168.1.12 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
no sysopt route dnat
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
vpdn group TIG accept dialin pptp
vpdn group TIG ppp authentication mschap
vpdn group TIG ppp encryption mppe 40
vpdn group TIG client configuration address local TIG
vpdn group TIG client configuration dns 192.168.1.54
vpdn group TIG client configuration wins 192.168.1.55
vpdn group TIG pptp echo 60
vpdn group TIG client authentication local
vpdn username xxx password 10030xxx
vpdn username xxx password 704xxx
vpdn enable outside
terminal width 80
Cryptochecksum:27e3e0ebb0f93effb3a2bdebb8a5ed70
: end
 
So, the hosts on the 192.168.1.x network can access the internet .. right?, But, they cannot get to the 192.168.2.x or 192.168.3.x networks!! The only change you have made really is to change the default gateway on the hosts on the .1.x network to the PIX rather than the mail server!! It seems to me that the problem lies with the hosts! Communicating from the 192.168.1.x network to the 192.168.2.x network doesn't involve the PIX at all unless the traffic is going to the default gateway! As you have messed with the routing on the PCs on the main site by changing the default gateways to the PIX, I would guess (and this is just a wild stab in the dark!!) that you might have to re-enter the static routes on the PCs to point at the other two networks!!

Can you ping from the PIX to the other networks??

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
HI.

Well, you're not the only one with that problem.

The problem is that the pix does not send ICMP redirect messages to the hosts, and does not forward traffic to the interface it came from.
The reasons are that the pix isn't a router - I hope that CISCO will solve those issues in future versions but that is currently the situation.

Possible solutions:
* (Recommended): - Add static routes to the hosts that need access to the remote networks. It may or may not be necessary to configure all hosts, since workstations at the main office normally need to access only local servers and the Internet.
On NT/2000 computers you can use "route add" with the "/p" option. On 9x computers, you will need to use a BAT file with "route add" commands, and run it from a login script or some other method (this can be used for NT/2000 machines also instead of permanent static routes).

* Another option is to configure the clients with a default gateway of the W2K server or one of the internal routers, like it was before.
This is not so good because it adds an unneeded dependency, and will generate some more traffic.


About the pix config, if you have 2 internal routers (the 1720 & the 800) you should add 2 "route" commands one for each remote network, instead of this one:
route inside 192.168.0.0 255.255.0.0 192.168.1.12 1

Bye

Yizhar Hurwitz
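The behaviour Yizhar describes, as an added example that is not code from the thread or from Cisco: a small Python model of the PIX 6.x forwarding decision run against the routing table in the posted config, next to the workstation's own lookup with and without the static routes he recommends. Assumptions: 192.168.1.12 (the only next hop in the posted config) is the 1720's inside address, 192.168.1.13 is a hypothetical inside address for the 800, and the two-route table is the replacement he suggests for the 192.168.0.0/16 summary route.

```python
"""Model of the PIX 6.x forwarding decision discussed in this thread.

Added example, not from the thread or from Cisco.  Assumed addresses:
192.168.1.12 = 1720 inside (only next hop on the page), 192.168.1.13 = 800
inside (hypothetical).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    iface: str                        # PIX interface name, or the host NIC
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int = 1


def parse_route(line: str) -> Route:
    """Parse a PIX 6.x 'route <iface> <net> <mask> <gw> [metric]' line."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not a PIX route line: {line!r}")
    iface, net, mask, gw = parts[1:5]
    metric = int(parts[5]) if len(parts) > 5 else 1
    return Route(iface, ipaddress.IPv4Network(f"{net}/{mask}"),
                 ipaddress.IPv4Address(gw), metric)


def lookup(routes, dst):
    """Longest-prefix match; lowest metric breaks ties."""
    dst = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if dst in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def pix6_forward(routes, ingress_iface, dst):
    """PIX 6.x decision for a packet that arrived on ingress_iface.

    Returns ("forward", route) or ("drop", reason).  The egress interface is
    the one on the matched route; when it equals the ingress interface the
    packet is dropped and no ICMP redirect is sent back to the host.
    """
    route = lookup(routes, dst)
    if route is None:
        return ("drop", "no route to " + str(dst))
    if route.iface == ingress_iface:
        return ("drop", f"egress {route.iface} == ingress {ingress_iface}: "
                        "PIX 6.x does not hairpin and sends no ICMP redirect")
    return ("forward", route)


def host_next_hop(host_routes, dst):
    """Where a workstation sends the packet, from its own routing table."""
    route = lookup(host_routes, dst)
    return route.gateway if route else None


def windows_route_add(network: str, gateway: str) -> str:
    """Persistent NT/2000 static route; the persistence switch is -p."""
    net = ipaddress.IPv4Network(network)
    return f"route -p add {net.network_address} mask {net.netmask} {gateway}"


# PIX table as posted: connected inside net (from 'ip address inside') plus
# the two 'route' lines in the config.
PIX_AS_POSTED = [
    Route("inside", ipaddress.IPv4Network("192.168.1.0/24"),
          ipaddress.IPv4Address("192.168.1.250")),
    parse_route("route outside 0.0.0.0 0.0.0.0 209.126.142.99 1"),
    parse_route("route inside 192.168.0.0 255.255.0.0 192.168.1.12 1"),
]

# One route per remote network instead of the /16 summary (192.168.1.13 assumed).
PIX_TWO_ROUTES = PIX_AS_POSTED[:2] + [
    parse_route("route inside 192.168.2.0 255.255.255.0 192.168.1.12 1"),
    parse_route("route inside 192.168.3.0 255.255.255.0 192.168.1.13 1"),
]

# Workstation tables (connected 192.168.1.0/24 omitted): PIX as default gateway,
# without and with the host static routes.
HOST_DEFAULT_ONLY = [
    Route("nic", ipaddress.IPv4Network("0.0.0.0/0"), ipaddress.IPv4Address("192.168.1.250")),
]
HOST_WITH_STATICS = HOST_DEFAULT_ONLY + [
    Route("nic", ipaddress.IPv4Network("192.168.2.0/24"), ipaddress.IPv4Address("192.168.1.12")),
    Route("nic", ipaddress.IPv4Network("192.168.3.0/24"), ipaddress.IPv4Address("192.168.1.13")),
]

if __name__ == "__main__":
    for name, table in (("as posted", PIX_AS_POSTED), ("two routes", PIX_TWO_ROUTES)):
        print(name, "inside -> 192.168.2.10:", pix6_forward(table, "inside", "192.168.2.10"))
        print(name, "outside -> 192.168.3.10:", pix6_forward(table, "outside", "192.168.3.10"))
    print("host, default only:", host_next_hop(HOST_DEFAULT_ONLY, "192.168.2.10"))
    print("host, with statics:", host_next_hop(HOST_WITH_STATICS, "192.168.2.10"))
    print(windows_route_add("192.168.2.0/24", "192.168.1.12"))
```

Both PIX tables drop the inside-to-inside packet: the extra `route inside` lines change nothing for hosts on 192.168.1.x, because the packet would have to leave by the interface it arrived on. Those routes do matter for traffic that arrives on the outside interface, such as the PPTP clients in the 192.168.100.x pool, which the PIX has to route on to the 1720 or the 800. The host static route works because it bypasses the PIX altogether; on Windows the persistence switch is written `-p`.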
 
It's not going to work, the PIX isn't a router although it does have some routing functionality in order to function as a firewall. Don't plan on Cisco fixing this.

I'd point those clients to the router connecting one of the other offices and set up the routes accordingly. Don't use statics on the workstations, it's a management nightmare.
 
Maybe you can change the config a bit, for example: leave the Netopia outside, add the PIX behind it, then your 1720 with subinterfaces configured for each respective network 1.x, 2.x, 3.x, and static routes in the routing table.
 