2 PIXes with their interfaces sharing the same switch and on the same VLAN.

Hi all,

I have a problem that I need some solution/advice for :)

I have two PIXes:
* PIX A WAN is connected to Provider A
* PIX B WAN is connected to Provider B
* PIX A inside interface has the IP address of 10.15.1.1
* PIX B DMZ interface has the IP address of 10.15.1.2
* PIX B inside interface has the IP address of 10.17.1.1
* Subnet mask for all of the IP addresses is 255.255.0.0 or /16

I disabled NAT by way of nat 0 access-list on both PIXes and on the interfaces as well (except the WAN).
I have an "ip permit any any" applied to all interfaces except the WAN.

A user with IP 10.17.1.2, which has a gateway of 10.17.1.1, is able to ping a server at 10.15.1.10 (the server has a gateway of 10.15.1.1) but is unable to ssh to the server.
But if I change the gateway of the server to 10.15.1.2, then the user is able to ssh to the server.

What am I doing wrong here?

Thank you so much in advance for the help.

Regards,
Rudy

_______________________________________________
firewall-wizards mailing list
firewall-wizards@...
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Re: 2 PIXes with their interfaces sharing the same switch and on the same VLAN.

Rudy Setiawan said:
> Hi all,
>
> I have some problem that I need some solution/advice :)
>
> I have two PIX'es
> * PIX A WAN is connected to Provider A
> * PIX B WAN is connected to Provider B
> * PIX A inside interface has the IP address of 10.15.1.1
> * PIX B DMZ interface has the IP address of 10.15.1.2
> * PIX B inside interface has the IP address of 10.17.1.1
> * Subnet mask for all of the IP addresses 255.255.0.0 or /16
>
> I disabled nat by way of nat 0 access-list to both PIXes and the
> interfaces as well (except the WAN).
> I have a "ip permit any any" applied to all interfaces except the WAN,
>
> A user with IP 10.17.1.2 has a gateway of 10.17.1.1 is able to ping a
> server in 10.15.1.10 (the server has a gateway of 10.15.1.1) but is
> unable to ssh to the server.
> But if I changed the gateway of the server to 10.15.1.2, then the user
> is able to ssh to the server.
>
> What am I doing wrong here?

Does PIX A have an explicit route defined for 10.17.0.0/16? If not, then it's probably sending the server's packets out to the provider (how the ICMP echo replies get back to 10.17.1.2 is a bit mysterious). Try adding a route to PIX A for 10.17.0.0/16 pointing to 10.15.1.2.

--
It's not having what you want.
It's wanting what you've got.
- Sheryl Crow

Scott L. Stursa
CISSP, CCNP, MCSA
Re: 2 PIXes with their interfaces sharing the same switch and on the same VLAN.

Rudy,

Depending on what version of PIX software you are running, you may be able to use the packet tracer to see what is going on. I believe they added it in 7.2. Try this command (changing your ingress interface name):

packet-tracer input insideXX tcp 10.17.1.2 5555 10.15.1.10 ssh det

The output should show you exactly how the PIX is making a forward or drop decision. You can twiddle the second IP and see what is different between the two different destinations.

-Josh

--
Josh Ward <jward@...>
Network Security Engineer - University of Oregon - Network Services
PGP Fingerprint: CFB6 62C0 370B AD6D BA33 6034 8FFB 4A49 297F 6A4C

Rudy Setiawan wrote:
> Hi all,
> [...]
Re: 2 PIXes with their interfaces sharing the same switch and on the same VLAN.

When you see pings get through, but TCP sessions do not, it's usually traced down to statefulness and/or asymmetric routing. I don't do PIX/ASA, but I've run into this before on other firewalls. Something is not going out the same door it came in.

> -----Original Message-----
> From: firewall-wizards-bounces@... [mailto:firewall-wizards-bounces@...] On Behalf Of Scott Stursa
> Sent: Saturday, August 01, 2009 2:08 PM
> To: rudy@...; Firewall Wizards Security Mailing List
> Cc: firewall-wizards@...
> Subject: Re: [fw-wiz] 2 PIXes with their interfaces sharing the same switch and on the same VLAN.
>
> Rudy Setiawan said:
> > Hi all,
> > [...]
>
> Does PIX A have an explicit route defined for 10.17.0.0/16? If not, then
> it's probably sending the server's packets out to the provider (how the
> ICMP echo replies get back to 10.17.1.2 is a bit mysterious). Try adding a
> route to PIX A for 10.17.0.0/16 pointing to 10.15.1.2.
>
> Scott L. Stursa
> CISSP, CCNP, MCSA
Re: 2 PIXes with their interfaces sharing the same switch and on the same VLAN.

The obvious thing to do is to add a static route on the server back to 10.17.0.0 via 10.15.1.2. Have you done that?

Also, to know what exactly is going on, you might want to capture packets on the 10.15 network, either with a separate device or by using the capture command on the PIX. That will tell you what is really going on.

Dave

On 7/31/09 7:19 PM, "Rudy Setiawan" <rudal@...> wrote:
> Hi all,

--
Dave Ballowe
Mgr., STBU Engineering
Cisco
5330 Airport Blvd MS BLDR01/3/4
Boulder, CO 80301
(720) 562-6399
Re: 2 PIXes with their interfaces sharing the same switch and on the same VLAN.

Yes, PIX A does have a route for 10.17.0.0/16 to the PIX B DMZ IP.
If I take out that static route, I can't ping any of the hosts.

I guess it was right that asymmetric routing is the problem here. The PIX/any firewall should be smart enough to know how to handle that hehehe :)

The temp solution that I had was just to change the gateway of the required servers to the PIX B DMZ.

Thanks so much for the help everyone.

Regards,
Rudy
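The "pings get through but TCP doesn't" symptom traced to statefulness plus asymmetric routing can be reproduced in a toy model of the thread's topology. This is an added illustration, not code from any poster; it assumes a PIX only forwards TCP that opens a connection (SYN) or matches one it has already seen, and that ICMP echo is forwarded on the "permit any any" ACL alone (no ICMP inspection, so no state). Addresses are the ones from the original post.

```python
# Toy model of the two-PIX topology from this thread (added illustration).
# Assumptions: TCP is tracked statefully per PIX; ICMP echo is stateless
# because no ICMP inspection is configured, so the permit-any ACL decides.
CLIENT, SERVER = "10.17.1.2", "10.15.1.10"
PIX_A_INSIDE, PIX_B_DMZ = "10.15.1.1", "10.15.1.2"


class Pix:
    """Minimal stateful firewall: remembers connections opened through it."""

    def __init__(self, name):
        self.name = name
        self.conns = set()  # (src, dst) pairs whose SYN this PIX forwarded

    def forward(self, proto, src, dst, opens_conn=False):
        if proto == "icmp":
            return True  # ACL permits it; nothing stateful to check
        if opens_conn:
            self.conns.add((src, dst))  # client's SYN builds the state entry
            return True
        # SYN-ACK / data must belong to a connection this PIX has seen
        return (src, dst) in self.conns or (dst, src) in self.conns


def session(proto, server_gateway, server_route_to_client=None):
    """Client -> server request always leaves via PIX B (client's gateway).
    The server's reply leaves via server_route_to_client if set (a static
    route for 10.17.0.0/16, as suggested in the thread), else its default
    gateway. Returns True only if both legs are forwarded."""
    pix_a, pix_b = Pix("PIX A"), Pix("PIX B")
    next_hop = {PIX_A_INSIDE: pix_a, PIX_B_DMZ: pix_b}
    request_ok = pix_b.forward(proto, CLIENT, SERVER, opens_conn=True)
    reply_hop = next_hop[server_route_to_client or server_gateway]
    reply_ok = reply_hop.forward(proto, SERVER, CLIENT)
    return request_ok and reply_ok


def scenarios():
    """The observations from the thread, plus the static-route fix."""
    return {
        "ping, server gw PIX A": session("icmp", PIX_A_INSIDE),
        "ssh, server gw PIX A": session("tcp", PIX_A_INSIDE),  # PIX A has no state
        "ssh, server gw PIX B": session("tcp", PIX_B_DMZ),  # reply hits PIX B's state
        "ssh, gw PIX A + route via PIX B": session("tcp", PIX_A_INSIDE, PIX_B_DMZ),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:34s} -> {'forwarded' if ok else 'dropped'}")
```

The model ignores the hairpin question (PIX A routing 10.17.0.0/16 back out the interface it arrived on); it isolates only the state-mismatch that the symmetric return path removes.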
Re: 2 PIXes with their interfaces sharing the same switch and on the same VLAN.

Hi Rudy,

Are the two PIXes connected in any other way besides the WAN? For example, A "lan" and B "dmz" are in the same network. If they are connected via these interfaces, that explains why changing the gateway works. If you enable NAT on B "dmz" you should be able to connect to the server.

On Sat, 2009-08-01 at 08:19 +0700, Rudy Setiawan wrote:
> Hi all,
> [...]

Marjan Naumovski
System & Security Engineer
ISP Neotel - Skopje
marjan.naumovski@...
Tel: +389 2 5511 141
mob: +389 75 446 503