
Intervlan routing on a PIX 525 security context

14 years 10 months ago #33299 by ccnx
Hi everyone,

I have been having some problems with configuring a security context on PIX 525 to do intervlan routing.


The topology of my test lab is simple. I have a PIX 525 firewall with a security context enabled and assigned 2 interfaces, both with the security level set to 1. IP addressing details for those interfaces can be found below.

On the other hand, I have another 2 x 1700 routers configured, each connected to the PIX 525. For testing purposes, I added a loopback interface on both routers with different subnets, and my intention is to allow both routers to reach their neighbour's subnet through the PIX firewall. In other words, the PIX needs to be configured as a transition path, which is why we come to the topic of "Intervlan routing".

loopbackA-->Router 1 ---uplink1--> PIX <-- uplink 2 -- Router 2 <--loopbackB


Uplink 1: 10.1.1.0 /30
Uplink 2: 20.1.1.0 /30
Loopback A: 192.168.1.0/24
Loopback B: 172.16.1.0/24

configs:

###########
PIX Context
###########

PIX Version 8.0(4) <context>
!
hostname CORE
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
nameif DATA
security-level 1
ip address 10.1.1.1 255.255.255.252
!
interface Ethernet1
nameif MANAGEMENT
security-level 1
ip address 20.1.1.1 255.255.255.252
!
access-list DATA_access_in extended permit ip any any log
access-list DATA_access_in extended permit icmp any any log
access-list MANAGEMENT_access_in extended permit ip any any log
access-list MANAGEMENT_access_in extended permit icmp any any log
pager lines 24
mtu DATA 1500
mtu MANAGEMENT 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any DATA
icmp permit any MANAGEMENT
no asdm history enable
arp timeout 14400
access-group DATA_access_in in interface DATA
access-group MANAGEMENT_access_in in interface MANAGEMENT

route DATA 192.168.1.0 255.255.255.0 10.1.1.2 1
route MANAGEMENT 172.16.1.0 255.255.255.0 20.1.1.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
no threat-detection statistics tcp-intercept

Cryptochecksum:d447c7ce52cb50368230aae8245431e7

: end


########
Router 1
########

inter fa0

ip add 10.1.1.2 255.255.255.252
no shut

inter loopback 1

ip add 192.168.1.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 10.1.1.1

!
end


#########
Router 2
#########

inter fa0

ip add 20.1.1.2 255.255.255.252
no shut

inter loopback 1

ip add 172.16.1.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 10.1.1.1

!
end

After I finished configuring everything as above, I did a ping test and the result is as below:

Router 1 -> 10.1.1.1 -> ok
Router 2 -> 20.1.1.1 -> ok
Router 1 - > Router2's loopback -> fail
Router 2 -> Router1's loopback -> fail
PIX - > Router1's loopback -> ok
PIX - > Router2's loopback -> ok

As you can see from the PIX config above, I have both static routes added, each pointing to a different subnet, and both routers should be able to reach each other. However, it failed. Could anyone with experience please help?

Thanks :roll:

CCNX

14 years 10 months ago #33333 by S0lo
I had a peek at it. Everything seems OK except for two things:

1. In Router2 config the line:

[code:1]ip route 0.0.0.0 0.0.0.0 10.1.1.1 [/code:1]

Should be changed to:

[code:1]ip route 0.0.0.0 0.0.0.0 20.1.1.1 [/code:1]


2. Same security level interfaces in the Pix can NOT talk to each other by default. Since you have version 8, try the following command:

[code:1]same-security-traffic permit inter-interface[/code:1]

Another way is to assign the DATA and MANAGEMENT different security levels, but then you would need to configure NAT and/or static statements.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
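The two problems above (a default route whose next hop is not on the router's own link, and two PIX interfaces at the same security level without `same-security-traffic permit inter-interface`) are easy to catch mechanically. The following Python check is an added example of my own, not code from the thread; it runs over constructed snippets of the posted configs, and the helper names and regexes are my own assumptions, not anything from the PIX or IOS CLI.

```python
import ipaddress
import re

# Constructed excerpts of the thread's configs (not the full posted files).
PIX_CONTEXT = """
interface Ethernet0
 nameif DATA
 security-level 1
 ip address 10.1.1.1 255.255.255.252
interface Ethernet1
 nameif MANAGEMENT
 security-level 1
 ip address 20.1.1.1 255.255.255.252
"""

ROUTER2 = """
interface FastEthernet0
 ip address 20.1.1.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 10.1.1.1
"""


def pix_same_level_blocked(config):
    """Return groups of nameifs sharing a security level when the context
    lacks 'same-security-traffic permit inter-interface' (traffic between
    such interfaces is dropped by default on PIX/ASA)."""
    if re.search(r"^\s*same-security-traffic permit inter-interface", config, re.M):
        return []
    levels, name = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level ") and name:
            levels.setdefault(int(line.split()[1]), []).append(name)
    return [sorted(v) for v in levels.values() if len(v) > 1]


def unreachable_default_gateways(config):
    """Return default-route next hops that fall on no directly connected subnet,
    i.e. gateways the router cannot ARP for (the Router 2 mistake above)."""
    nets = [ipaddress.ip_interface(f"{a}/{m}").network
            for a, m in re.findall(r"^\s*ip address (\S+) (\S+)", config, re.M)]
    hops = re.findall(r"^\s*ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M)
    return [h for h in hops if not any(ipaddress.ip_address(h) in n for n in nets)]


if __name__ == "__main__":
    print("PIX same-level pairs:", pix_same_level_blocked(PIX_CONTEXT))
    print("Router 2 bad gateways:", unreachable_default_gateways(ROUTER2))
```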
14 years 10 months ago #33350 by ccnx
Hi Solo,

Thank you so much for your reply, and you are correct (Same security level interfaces in the Pix can NOT talk to each other by default). I have tried both of your suggestions and they both work fine for me.

Best Regards,

CCNX
14 years 10 months ago #33356 by S0lo
Glad to help ccnx :)

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx