Intervlan routing on a PIX 525 security context
14 years 10 months ago #33299
by ccnx
Intervlan routing on a PIX 525 security context was created by ccnx
Hi everyone,
I have been having some problems with configuring a security context on a PIX 525 to do intervlan routing.
The topology of my test lab is simple. I have a PIX 525 firewall with a security context enabled and assigned two interfaces, each with security level set to 1. IP addressing details for those interfaces can be found below.
On the other hand, I have another 2 x 1700 routers configured, each connected to the PIX 525. For testing purposes, I added a loopback interface on both routers, each with a different subnet, and my intention is to allow both routers to reach their neighbour's subnet through the PIX firewall. In other words, the PIX needs to be configured as a transition path, which is why we come to the topic of "Intervlan routing".
loopbackA-->Router 1 ---uplink1--> PIX <-- uplink 2 -- Router 2 <--loopbackB
Uplink 1: 10.1.1.0 /30
Uplink 2: 20.1.1.0 /30
Loopback A: 192.168.1.0/24
Loopback B: 172.16.1.0/24
configs:
###########
PIX Context
###########
PIX Version 8.0(4) <context>
!
hostname CORE
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
nameif DATA
security-level 1
ip address 10.1.1.1 255.255.255.252
!
interface Ethernet1
nameif MANAGEMENT
security-level 1
ip address 20.1.1.1 255.255.255.252
!
access-list DATA_access_in extended permit ip any any log
access-list DATA_access_in extended permit icmp any any log
access-list MANAGEMENT_access_in extended permit ip any any log
access-list MANAGEMENT_access_in extended permit icmp any any log
pager lines 24
mtu DATA 1500
mtu MANAGEMENT 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any DATA
icmp permit any MANAGEMENT
no asdm history enable
arp timeout 14400
access-group DATA_access_in in interface DATA
access-group MANAGEMENT_access_in in interface MANAGEMENT
route DATA 192.168.1.0 255.255.255.0 10.1.1.2 1
route MANAGEMENT 172.16.1.0 255.255.255.0 20.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
no threat-detection statistics tcp-intercept
Cryptochecksum:d447c7ce52cb50368230aae8245431e7
: end
########
Router 1
########
inter fa0
ip add 10.1.1.2 255.255.255.252
no shut
inter loopback 1
ip add 192.168.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
end
#########
Router 2
#########
inter fa0
ip add 20.1.1.2 255.255.255.252
no shut
inter loopback 1
ip add 172.16.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
end
After I finished configuring everything as above, I did a ping test and the results are as below:
Router 1 -> 10.1.1.1 -> ok
Router 2 -> 20.1.1.1 -> ok
Router 1 -> Router 2's loopback -> fail
Router 2 -> Router 1's loopback -> fail
PIX -> Router 1's loopback -> ok
PIX -> Router 2's loopback -> ok
As you may see from the above PIX config, I have both static routes added, each pointing to a different subnet, and both routers should be able to reach each other. However, it failed; could anyone with experience please help?
Thanks :roll:
CCNX
14 years 9 months ago #33333
by S0lo
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
Replied by S0lo on topic Re: Intervlan routing on a PIX 525 security context
I had a peek at it. Everything seems OK except for two things:
1. In Router2 config the line:
[code:1]ip route 0.0.0.0 0.0.0.0 10.1.1.1 [/code:1]
Should be changed to:
[code:1]ip route 0.0.0.0 0.0.0.0 20.1.1.1 [/code:1]
2. Same security level interfaces in the Pix can NOT talk to each other by default. Since you have version 8, try the following command:
[code:1]same-security-traffic permit inter-interface[/code:1]
Another way is to assign the DATA and MANAGEMENT different security levels, but then you would need to configure NAT and/or static statements.
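A small config lint that catches both of the problems S0lo points out, run over constructed excerpts of the configs posted above (this is an added example, not code from the thread; the regexes and helper names are my own):

```python
import ipaddress
import re

# Constructed excerpts of the posted configs: router uplink + default route,
# and the PIX interface blocks with their security levels.
ROUTER1 = """interface fa0
 ip address 10.1.1.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 10.1.1.1
"""
ROUTER2 = """interface fa0
 ip address 20.1.1.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 10.1.1.1
"""
PIX = """interface Ethernet0
 nameif DATA
 security-level 1
 ip address 10.1.1.1 255.255.255.252
interface Ethernet1
 nameif MANAGEMENT
 security-level 1
 ip address 20.1.1.1 255.255.255.252
"""

ADDR = re.compile(r"^\s*ip address (\S+) (\S+)", re.M)
ROUTE = re.compile(r"^\s*ip route (\S+) (\S+) (\S+)", re.M)
LEVEL = re.compile(r"^\s*security-level (\d+)", re.M)
PERMIT = "same-security-traffic permit inter-interface"


def unreachable_next_hops(config):
    """Next-hops of static routes that lie on no directly connected subnet.

    A next-hop outside every interface subnet can never be ARPed for, so the
    route is installed but useless (Router 2's default route in the thread).
    """
    nets = [ipaddress.ip_interface(f"{a}/{m}").network for a, m in ADDR.findall(config)]
    return [nh for _dst, _mask, nh in ROUTE.findall(config)
            if not any(ipaddress.ip_address(nh) in n for n in nets)]


def needs_same_security_permit(config):
    """True when two interfaces share a security level but the permit is absent.

    Without the permit, traffic between equal-level interfaces is dropped
    even though the routes exist, which matches the ping results posted.
    """
    levels = LEVEL.findall(config)
    return len(levels) != len(set(levels)) and PERMIT not in config
```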
14 years 9 months ago #33350
by ccnx
Replied by ccnx on topic Re: Intervlan routing on a PIX 525 security context
Hi Solo,
Thank you so much for your reply and you are correct (Same security level interfaces in the Pix can NOT talk to each other by default). I have tried both of your suggestions and they both work fine for me.
Best Regards,
CCNX
14 years 9 months ago #33356
by S0lo
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
Replied by S0lo on topic Re: Intervlan routing on a PIX 525 security context
Glad to help ccnx