Hello All, Got a slight problem 1

[TheStressFactor]

Hello All,

Got a slight problem here...I want to be able to do two things. I want to be able to ping client workstations and pcanywhere to them from my computer in headquarters.

I cannot ping there machines and I am sure pcanywhere will not work as well.

This is how it is broken down....

192.168.3.0 is thr main site network
192.168.5.0 and 1.0 are the remote networks.

The two sites are connected to us via fram relay.

When telnetted to the router that sitsd in front of the pix I can ping any machine on the two remote sites. This would leave me to beleive the problem is on the pix.


Does anyone know what I need to apply to the pix. Config of pix posted below.

Any help, insight, information, or suggestions would be greatly appreciated. Thank you.

Patrick

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password 7DeygvHKjBuxNxrP encrypted
passwd 0fTucaWSYztRT69N encrypted
hostname mypix
domain-name mycompany.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list nonat permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.77.0 255.255.255.0

access-list nonat permit ip 192.168.77.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list split permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list tunnel permit ip 192.168.3.0 255.255.255.0 192.168.77.0 255.255.255.
0
access-list tunnel permit ip 192.168.77.0 255.255.255.0 192.168.3.0 255.255.255.
0
access-list outside permit icmp any any
access-list outside deny tcp any eq finger any
access-list outside permit tcp any host x.x.x.67 eq smtp
pager lines 24
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside x.x.x.70 255.255.255.240
ip address inside 192.168.3.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.1.1-10.1.1.50
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.3.2 255.255.255.255 inside
pdm location 192.168.4.0 255.255.255.0 inside
pdm location 192.168.5.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 192.168.4.0 255.255.255.0 0 0
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
static (inside,outside) tcp x.x.x.67 smtp 192.168.3.2 smtp netmask 255.255.
255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.65 1
route inside 192.168.0.0 255.255.255.0 192.168.3.6 1
route inside 192.168.1.0 255.255.255.0 192.168.3.6 1
route inside 192.168.4.0 255.255.255.0 192.168.3.6 1
route inside 192.168.5.0 255.255.255.0 192.168.3.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set pixtransform esp-3des esp-sha-hmac
crypto ipsec transform-set marinohome esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set marinohome
crypto map testmap 10 ipsec-isakmp
crypto map testmap 10 match address tunnel
crypto map testmap 10 set peer x.x.x.83
crypto map testmap 10 set transform-set pixtransform
crypto map testmap 10 set security-association lifetime seconds 3600 kilobytes 8
192
crypto map testmap 999 ipsec-isakmp dynamic dynmap
crypto map testmap interface outside
crypto map marinohome 10 ipsec-isakmp dynamic dynmap
isakmp enable outside
isakmp key ******** address x.x.x.83 netmask 255.255.255.248
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup marino address-pool ippool
vpngroup marino dns-server 192.168.3.7
vpngroup marino wins-server 192.168.3.7
vpngroup marino default-domain marinoware.com
vpngroup marino split-tunnel split
vpngroup marino idle-time 2000
vpngroup marino password *************

 

[TheStressFactor]

Additonal tidbit....if I change my default gateway to the internal ip of the router I can ping the remote sites fine...when i change it back to that of the pix it does not work

When telnetted into the pix I can also ping all remote clients...its just the workstations cannot ping clients

any help or insight would be greatly apprecitated.

 

[baddos]

It looks to me like your 192.168.5.0 & 192.168.1.0 subnets are routed to a 192.168.3.6 router. If your computer in your 192.168.3.0 subnet is using the pix as the default gateway, this won't work. Set your computers to use 192.168.3.6 as the default gateway and on that router put the 0.0.0.0 route to go to 192.168.3.1.

The problem is that the pix won't do routing! I hate this fact about the pix very much. It will only route leaving an interface and not going back in (not enough to be considered a router).

Let me know if this solves your problem.

 

[TheStressFactor]

Hmmm..that seemed to slight work but when i added ip route 0.0.0.0 0.0.0.0 192.168.3.1 to the router the internet connection was barely moving...is this what you wanted me to do? I also did change the default gateway to 192.168.3.6...but like I said it was moving very slowly,...

 

[baddos]

do a show ip route on the 3.6 router.

 

[TheStressFactor]

157.130.0.0/30 is subnetted, 1 subnets
C 157.130.255.32 is directly connected, Serial0/0.1
C 192.168.4.0/24 is directly connected, Serial3/0.100
R 192.168.5.0/24 [120/1] via 192.168.4.2, 00:00:26, Serial3/0.100
R 192.168.0.0/24 [120/1] via 192.168.1.2, 00:00:19, Serial3/0.102
63.0.0.0/28 is subnetted, 1 subnets
C 63.102.156.64 is directly connected, FastEthernet0/0
C 192.168.1.0/24 is directly connected, Serial3/0.102
C 192.168.3.0/24 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 is directly connected, Serial0/0.1

 

[baddos]

You'll need to do a "no ip route 0.0.0.0 0.0.0.0 serial0/0.1" on that router, and then do a "ip route 0.0.0.0 0.0.0.0 192.168.3.1".

That should work.

 

[TheStressFactor]

you da man...ill do it after hours tonight...thanks buddy

 

[yizhar]

HI.

You're not the first to face this issue.
One part of the problem is that even when the pix knows the correct route, it will not send an ICMP REDIRECT message to the workstation.

You can keep using the pix as default gateway, and add static routes to your workstations that point to the remote networks.

You can use a batch file similar to this:
route add 192.168.5.0 mask 255.255.255.0 192.168.3.6

, and run it on your administrative workstation only or for all workstations using login script if needed.
For servers, you can use the same trick, or static routes saved on the server, or reconfigure routers and servers to use RIP protocol.

Taks a look here:
thread35-149781

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[baddos]

Your opening up a can of worms if you add static routes on every computer in the network. That would just lead to potential problems down the road. If you are worried about reliability of that router, you can add another router and use HSRP. You could also upgrade your switch to be layer3, and do the routing.

The PIX's routing is very limited, but definatelty use a router for the routing.

 

[TheStressFactor]

Thanks you both..Yiz I added the routes on my workstation and it worked..this was a good idea because I am the only one who needs to ping and pc anywhere to these sites...for long term purposes I will try baddos suggestion listed above tonight and let you know how it goes..thanks all.

 

[TheStressFactor]

baddos...i did what you suggested..elimiated the route and added the new one..changed the default gateway of client to 3.6. I could not get out on the internet though...any suggestions. Thank you.

Patrick

 

[baddos]

Do a show ip route on the 3.6 router. Make sure that it still points to the 3.1 (PIX) ip address.

 

[TheStressFactor]

baddos it does dhow that 0.0.0.0 0.0.0.0 192.168.3.1

after that I can no longer access the internet from even the central office....which was always working

 

[baddos]

Try to do a traceroute on the computers having the problem.

For windows computers try doing a "tracert

http://www.tek-tips.com".

This will show you where the computer is trying to go when it goes out the Internet.

 

[havanajoe]

If I am put my 2 cents in. From what I can read your setup is this....

Internet
|
ISP Router
|
PIX FIREWALL
|
Internal Router (Main Office)
| |
Remote Remote
Office Office
Router Router
| |
Clients Clients


Assuming that this is the way that you are setup, then all of the remote clients should have the internal IP address of the remote router as their default gateway, the main office users should in turn have the internal IP of the main router as their def. gate., the 0.0.0.0 0.0.0.0 route on the main router should point to the internal IP of the PIX, the route on the PIX should be 0.0.0.0 0.0.0.0 to the NIC on the internal side of the ISP's router.

I hope that this helps.

Dave