Subnetted PIX network can't talk. 1

[wholmer]

I have a class C network with a single outside CISCO 2600 router with inside interface 192.168.1.1 255.255.255.0 Not real IP.

I added a PIX 515 with the network subnetted .192 on each interface.

Outside 192.168.1.2 .255.255.255.192

Inside 192.168.1.65 .255.255.255.192

DMZ 192.168.1.129 .255.255.255.192

There are computers on each interface using the associated IP of the PIX interface as the default gateway.

Computer 1
IP 192.168.1.11
Subnet Mask 192.168.1.192
DNS 192.168.1.2
Default Gateway 192.168.1.2

Computer 2
IP 192.168.1.70
Subnet Mask 192.168.1.192
DNS 192.168.1.70
Default Gateway 192.168.1.65

Computer 3
IP 192.168.1.130
Subnet Mask 192.168.1.192
DNS 192.168.1.130
Default Gateway 192.168.1.129

I reset the PIX for no nat and set translates and access-lists for each computer to see each other. None of the computers can ping or see each other or get to the internet. I can use the PDM on the inside computer and can't ping through to the other interfaces. The defalt route is 0 0 192.168.1.2. The router, all PIX interfaces are pluged into one switch (2950), and the computers are all pluged into the another switch (2950).When I set the default gateway on the computers to 192.168.1.1 still using the mask 192.168.1.192 they can see each other and get to the internet. Why can't they talk through the PIX? Must the router be on 255.255.255.192? IF so why do the computers work with the subnet of 255.255.255.192?

 

[wholmer]

Correction, The DNS on computer 1 is .11

 

[dopehead]

First off, have you done any vlan segmentation in your switches, sounds a bit odd to me that you have all different interfaces in the pix in the same switch, maybe if you posted some of the config we could make sure ? Also, does the 2600 have an address of 192.168.1.1/255.255.255.0 ? This is a typo right "still using the mask 192.168.1.192 they can" your mask isn't 192.168.1.192 right?


Network Systems Engineer
CCNA/CQS/CCSP/Infosec

 

[wholmer]

Nope, no vlans. The router has 192.168.1.1/255.255.255.0 (not real IP) and the computers using 192.168.1.70 or .11 and mask 198.120.42.192 on both computers.

 

[wholmer]

By the way it is not using nat.

 

[FWHATER]

Shouldn't all of your clients have the same gateway ? Dopehead was right. Why would your clients have different GW's pointing to the individual interfaces of your FW. I thought the whole point was to sit all your clients on the inside interface and then nat to the outside, with your 2600 as the GW ? Yes ? Maybe I'm way off ?

 

[slyride]

What he said (dopehead) This is what you have as your config and it seems that the subnet mask should be 255.255.255.192
Also if your 2600 is at 192.168.1.1 255.255.255.0 and all your other addresses are at 192.168.1.x then they are all going to be able to hit the 2600 through the switched network and anytime it gets traffic it is going to try to send it right back to that machine and not through the pix. I think you will need to change the subnet mask on the 2600 to do it the way you are trying to., But that's why it works when you set the default gateway to the 2600.

Computer 1
IP 192.168.1.11
Subnet Mask 192.168.1.192
DNS 192.168.1.2
Default Gateway 192.168.1.2

Computer 2
IP 192.168.1.70
Subnet Mask 192.168.1.192
DNS 192.168.1.70
Default Gateway 192.168.1.65

Computer 3
IP 192.168.1.130
Subnet Mask 192.168.1.192
DNS 192.168.1.130
Default Gateway 192.168.1.129

 

[wholmer]

I just talked to a CISCO rep and he said ...... Not to change the outside router to .192 because then it would only send through the 1st subnet. Then I would have to add statics for the other subnets. So I should leave the router at 255.255.255.0 The config is right for permitting all computers to talk to each other, I used bi-directional lists. He thinks the issue is the switch. So I am now trying the outside interface and the router on the same switch. Then putting each computer on a separate switch. This will separate the broadcast address, he says. I will post any progress tomorrow.

 

[dopehead]

As far as i recall the pix does not proxy arp if you don't use nat, so even if you keep the /24 mask it wouldn't be able to send traffic through the firewall for the other networks, it would just send it to the local network and since you don't have any vlan segmentation it would work, but the traffic never goes through the firewall.

Jan


Network Systems Engineer
CCNA/CQS/CCSP/Infosec

 

[wholmer]

dopehead summed it up right. The plan does not work. Now I reset the network with internal ips on the inside 172.16.5.1 and the DMZ with 192.168.2.1 and the outside is the regesterd ips. I also upgraded to ver 6.3(4)and I am nating with the outside devided into 2 pools. The inside can see the outside and can talk but they still can't get to the internet. Here is the config:

Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password m86ZWgB8PHyT1K4O encrypted
passwd m86ZWgB8PHyT1K4O encrypted
hostname wsmrpix
clock timezone MST -7
clock summer-time MDT recurring
fixup protocol dns maximum-length 1500
fixup protocol ftp 21
fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
no fixup protocol rsh 514
no fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 198.120.42.11 nsrocdns
name 172.16.5.11 nsrocwsmr
name 140.188.8.0 nsroc
access-list outside_access_in permit ip host nsrocdns host nsrocwsmr
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 198.120.42.2 255.255.255.0
ip address inside 172.16.5.1 255.255.0.0
ip address dmz 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location nsrocwsmr 255.255.255.255 inside
pdm location 172.16.5.5 255.255.255.255 inside
pdm location nsrocdns 255.255.255.255 outside
pdm location nsroc 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 198.120.42.20-198.120.42.140
global (outside) 2 198.120.42.141-198.120.42.250
nat (inside) 1 172.16.0.0 255.255.0.0 dns 0 0
nat (dmz) 2 192.168.2.0 255.255.255.0 0 0
static (inside,dmz) nsrocwsmr nsrocwsmr netmask 255.255.255.255 0 0
static (inside,outside) nsrocwsmr nsrocwsmr netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 198.120.42.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http nsrocwsmr 255.255.255.255 inside
http 172.16.5.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside nsrocwsmr /pix
floodguard enable
crypto ipsec transform-set myset esp-3des esp-md5-hmac
telnet 172.16.5.5 255.255.255.255 inside
telnet nsrocwsmr 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0

 

[dopehead]

First of all if you use ping to test internet, you would have to open for icmp echo-reply back to those ip's in your two global statements for that to work. Can you do name resolution, if you try ping on the cmd line does it resolve the name to an address ? have you set a correct dns server on your pc's ? is the pix your default gateway ? can you ping something on the internet from the pix itself ?


Network Systems Engineer
CCNA/CQS/CCSP/Infosec

 

[wholmer]

Yes forward and reverse dns is working, we can ping by name or ip. Both pcs in the inside and outside subnets are dns servers. nslookup works on both. Both are pointing to their respective PIX interfaces as the default gateways. I have not tried the PIX itself pinging out. If the PCs set the default gateway to the router they are out OK.

 

[LloydSev]

If the PCs set the default gateway to the router they are out OK.

OK... your setup looks like this right..

DMZ
/
/
/
Router <---> PIX
\
\
\
Inside

You should not be able to set the router as the default gateway and have any activity.. since it has to go through the PIX...

Computer/Network Technician
CCNA

 

[wholmer]

Thats right. We don't have any outside access when the default gateway is set to the respective PIX interfaces. PC1 on the outside interface can not get out with the default gateway set for the pix outside interface. PC2 on the inside network can not get out with the default gateway set for the pix inside interface.

 

[slyride]

Hello, I'm fairly new to this stuff, but maybe I can stir up ideas. For PC1 I'm not sure that should work since it is already "outside". For PC2 can it hit the Router?

 

[LloydSev]

outside interface???

the outside interface should be connected to the router...

Computer/Network Technician
CCNA

 

[wholmer]

LloydSev is right. It dawned on me when I drew it out that I need to put PC1 on the dmz and translate to the outside. I have them doing that now. When your not on site its hard to see the packets through the wires.

 

[LloydSev]

so is it working, or was that a mental goof on typing?

Computer/Network Technician
CCNA

 

[wholmer]

The PC1 is now on the DMZ and traslated to the outside. It can see PC2 and PC2 can see PC1. PC1 can get to the internet but PC2 can not get to the internet.

 

[wholmer]

Its working. I had to change PC2s translation to static.
Thanks for pointing me in the right direction!