PIX 506E Routing from Inside Interface network To outside interface network

Post by marti31 » Sat, 06 Aug 2005 07:48:20


I have a PIX 506E in which I want to route from a device on the inside
interface subnet to a device on the outside interface subnet. Here is
an example of what I want to do:


192.168.1.5 --> Computer on 192.168.1.0/24 network
192.168.1.1 --> IP address of inside interface on PIX


192.168.1.5 uses 192.168.1.1 as default GW
----------------------------------------------------------------
192.168.2.5 --> Computer on 192.168.2.0/24 network
192.168.2.1 --> IP address of the outside interface on PIX


192.168.2.5 uses 192.168.2.1 as its gateway


I want to be able to communicate between subnets using the PIX as a
router. Basically I want 192.168.1.5 to be able to talk to 192.168.2.5
and vice versa.


Can someone please tell me if this is possible, and if it is, what
would the routing statements on the PIX look like?

Post by roberso » Sat, 06 Aug 2005 11:50:21

In article < XXXX@XXXXX.COM >,

:I have a PIX 506E in which I want to route from a device on the inside
:interface subnet to a device on the outside interface subnet. Here is
:an example of what i want to do:

:192.168.1.5 --> Computer on 192.168.1.0/24 network
:192.168.1.1 --> IP address of inside interface on PIX
:192.168.1.5 uses 192.168.1.1 as default GW

:192.168.2.5 --> Computer on 192.168.2.0/24 network
:192.168.2.1 --> IP address of the outside interface on PIX
:192.168.2.5 uses 192.168.2.1 as their gateway

:I want to be able to communicate between subnets using the PIX as a
:router.

That isn't possible.

: Basically I want 192.168.1.5 to be able to talk to 192.168.2.5
:and vice versa.

:Can someone please tell me if this is possible,

No. There is no way to turn off Adaptive Security in PIX 5.x or PIX 6.x,
so the closest you can get is to allow connections in both directions.

What's the difference? Well, suppose that 192.168.2.5 had a TCP connection
open with 192.168.1.5, and that the connection was closed. Suppose
192.168.2.5 then tried to send further TCP packets to that port
(e.g., a "half-closed" situation.) Then if the PIX was acting as
a router, it would go ahead and pass on the packets, and 192.168.1.5
would do whatever it wanted with them (e.g., throw them away.)
However, because you cannot turn off the Adaptive Security Algorithm,
the PIX is going to discard those packets instead of routing them.

You can use the PIX to have regular normal connections between the
two sides, but you can't have the PIX act as a router in the
normal sense of the word.


:and if it is, what
:would the routing statements on the pix look like?

static (inside,outside) 192.168.1.5 192.168.1.5 netmask 255.255.255.255

access-list out2in permit ip host 192.168.2.5 host 192.168.1.5
access-group out2in in interface outside

Notice the lack of 'route' statements. You do not need any
'route' statements on the PIX for communications between the
IP range of the inside and outside interfaces.

You *might* need to put a route statement into the WAN router, but
probably not, as the PIX will proxy ARP 192.168.1.5 when configured
as above.


Note: you wouldn't -usually- configure in this way. -Usually-
you would configure something more like

static (inside,outside) 192.168.2.4 192.168.1.5 netmask 255.255.255.255
access-list out2in permit ip host 192.168.2.5 host 192.168.2.4
access-group out2in in interface outside

In this configuration, 192.168.2.5 asks to talk to 192.168.2.4
and the PIX internally converts the destination to 192.168.1.5.
--
I was very young in those days, but I was also rather dim.
-- Christopher Priest
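To put the reply's static/access-list/access-group lines in context, here is a complete PIX 6.x configuration fragment for the two subnets in the question. This is an added example, not part of the original thread: the interface names, security levels and the nat/global lines are assumptions, and the reply's own lines are reproduced unchanged. Lines beginning with "!" are annotations for the reader and should be dropped when pasting into a PIX.

```cisco
! Added example, not from the original thread. Interface names, security
! levels and the PIX addresses are assumptions taken from the question.
! Lines starting with "!" are annotations for the reader only.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.168.2.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

! Variant 1 (the reply's answer): identity static, so 192.168.1.5 keeps its
! real address on the outside and the PIX proxy-ARPs for it there.
static (inside,outside) 192.168.1.5 192.168.1.5 netmask 255.255.255.255
access-list out2in permit ip host 192.168.2.5 host 192.168.1.5
access-group out2in in interface outside

! Variant 2 (the "usual" form, to be used instead of variant 1): outside
! hosts address 192.168.2.4 and the PIX rewrites the destination to
! 192.168.1.5, so inside addressing is never visible on the outside.
! static (inside,outside) 192.168.2.4 192.168.1.5 netmask 255.255.255.255
! access-list out2in permit ip host 192.168.2.5 host 192.168.2.4
! access-group out2in in interface outside

! No route statements: both subnets are directly connected to the PIX.
! Connections from 192.168.1.5 outward use the same static; any other
! inside host would additionally need nat/global (assumed, not in the
! thread):
! nat (inside) 1 0 0
! global (outside) 1 interface

! Checks after a test connection from 192.168.2.5:
! show xlate          translation slot for 192.168.1.5
! show conn           connection entry the Adaptive Security Algorithm
!                     created (no entry means the packets were dropped)
! show access-list    hit counts on the out2in entries
```

The "permit ip host ... host ..." entry is what the reply shows; in practice the opening would be narrowed to the protocol and port actually needed (for example "permit tcp host 192.168.2.5 host 192.168.1.5 eq 22"), and "show conn" is the quickest way to confirm the difference the reply describes between a router and the PIX: packets that do not match an existing or newly permitted connection never produce a conn entry.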