
I have a Cisco PIX 501 firewall with internal IP 192.168.10.1. I have connected a D-Link router (DIR-655) to the PIX 501. The D-Link router has internal IP 192.168.0.1.

The picture would look something like this:

|pix 501| has 192.168.10.1 ip
|DIR-655| has 192.168.0.1 ip

1. |cable modem|----|pix 501|-------|DIR-655|-----PC
2. PC--------|pix 501|---------|DIR-655|
               |
               |
        |cable modem|

When I'm on the wireless network (dir-655) with assigned ip of 192.168.0.x I can cross the subnet and connect to my firewall 192.168.10.1. (pic. 1)

The problem is that if I'm on the 192.168.10.x network I can't connect to anything over at 192.168.0.x network. (pic.2)

I've tried entering a static route like this:

`route inside 192.168.0.0 255.255.255.0 192.168.10.1 1`

I also tried assigning a static IP (192.168.10.30) to the WAN interface on the DIR-655 and then tried this:

`route inside 192.168.0.0 255.255.255.0 192.168.10.30 1`

But I still can't connect to 192.168.0.1 or anything on that subnet.

Is there a way to set up a static route? Would adding a separate router between the PIX 501 and the DIR-655 help?

I would think that static route like this should take care of it, but it doesn't.

This is my route config and NAT:

```
(config)# sh route
outside 0.0.0.0 0.0.0.0 (outside_IP) 1 DHCP static
outside (outside_IP) 255.255.248.0 (outside_IP) 1 CONNECT static
inside 192.168.0.0 255.255.255.0 192.168.10.1 1 OTHER static
inside 192.168.10.0 255.255.255.0 192.168.10.1 1 CONNECT static
```

or (`route inside 192.168.0.0 255.255.255.0 192.168.10.30 1`)

```
(config)# sh nat
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
```

I ended up turning the DIR-655 into an access point (turning off DHCP, plugging the cable from the PIX LAN interface into one of the LAN ports on the DIR-655, and leaving the WAN port empty). That works as far as the DIR-655 now being on the same subnet, and I can access every machine. However, the question is: why can't I simply route between those two? Would a router between these two help? One of the reasons I ask is that the PIX 501 has only 10 licences, so I'm now using almost all of them. (I have a few computers, iPhones, a PS3, a print server, etc.)

I would really appreciate some help! Thanks.


Adding a router isn't going to help. I would look at configuring zones/trust values on your PIX. Working in one direction and not the other tells me one is more trusted than the other, so ESTABLISHED return traffic gets there. I don't see it as a routing problem, but a trust problem. On newer Cisco ASAs they pass traffic across all ports until you define groups, but on the older 501s I seem to remember they fail closed instead of fail open.

An alternate possibility is some goofiness with the integrated switch forwarding to wifi - but this would be a firmware bug - unlikely.

Edit: `nameif` is the command you should be looking at, I think:
http://www.cisco.com/en/US/docs/security/pix/pix62/command/reference/mr.html#wpmkr1026055

I would look at putting the different IP ranges in different zones with equal security values.

  • I will try to enable some debugging on the PIX 501 and see if that tells me anything. I don't know if there's anything to set up as far as trust; perhaps I can play with access-list(s).
    – ra170
    Commented Nov 22, 2010 at 19:25
  • nameif is the command you should be looking at I think: cisco.com/en/US/docs/security/pix/pix62/command/reference/… Commented Nov 22, 2010 at 19:36
  • My outside and inside security levels are 0 and 100: `nameif ethernet0 outside security0` and `nameif ethernet1 inside security100`.
    – ra170
    Commented Nov 24, 2010 at 7:20
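To make the security-level reasoning in the answer concrete, here is an added Python model (not from the original post or from Cisco) that does a longest-prefix lookup over the `sh route` table from the question, uses the `nameif` security levels from the comment, and applies the PIX default policy: a new connection is permitted from a higher security level to a lower one and its replies pass as established, while the reverse needs an explicit rule. It also encodes that the 6.x software on a PIX 501 will not forward a packet back out the interface it arrived on, which is what both `inside` routes in the question ask it to do for pic. 2; the `(outside_IP)` placeholders are replaced with constructed 203.0.113.x addresses and 198.51.100.7 is a constructed Internet host, and the DIR-655's own WAN-side behaviour is outside this model.

```python
import ipaddress

# "sh route" from the question, with the poster's "(outside_IP)" placeholders
# replaced by constructed documentation addresses (203.0.113.x) so it parses.
SH_ROUTE = """
outside 0.0.0.0 0.0.0.0 203.0.113.1 1 DHCP static
outside 203.0.113.0 255.255.248.0 203.0.113.5 1 CONNECT static
inside 192.168.0.0 255.255.255.0 192.168.10.1 1 OTHER static
inside 192.168.10.0 255.255.255.0 192.168.10.1 1 CONNECT static
"""
# Security levels from the follow-up comment (nameif ... security0 / security100).
SECURITY = {"outside": 0, "inside": 100}

def parse_routes(text):
    """Return (interface, network, gateway, flag) tuples from sh route output."""
    routes = []
    for line in text.strip().splitlines():
        ifname, net, mask, gw, _metric, flag, *_ = line.split()
        routes.append((ifname, ipaddress.ip_network(f"{net}/{mask}", strict=False), gw, flag))
    return routes

def lookup_interface(routes, addr):
    """Longest-prefix match: the interface the PIX would use to reach addr."""
    addr = ipaddress.ip_address(addr)
    best = max((r for r in routes if addr in r[1]), key=lambda r: r[1].prefixlen)
    return best[0]

def default_policy(routes, src, dst):
    """Verdict for a new connection src->dst under the PIX default rules."""
    ingress = lookup_interface(routes, src)   # interface the source sits behind
    egress = lookup_interface(routes, dst)
    own_addrs = {r[2] for r in routes if r[3] == "CONNECT"}  # the PIX's own IPs
    if dst in own_addrs:
        verdict = "to-box: management traffic to the firewall itself, not forwarded"
    elif ingress == egress:
        verdict = "drop: PIX 6.x will not send traffic back out the interface it arrived on"
    elif SECURITY[ingress] > SECURITY[egress]:
        verdict = "permit: higher to lower security; replies pass as established"
    else:
        verdict = "deny: lower to higher security needs an explicit ACL/static"
    return ingress, egress, verdict

if __name__ == "__main__":
    routes = parse_routes(SH_ROUTE)
    for src, dst in [("192.168.0.20", "192.168.10.1"),    # pic. 1, works
                     ("192.168.10.50", "192.168.0.1"),    # pic. 2, fails
                     ("192.168.10.50", "198.51.100.7"),   # LAN host to Internet
                     ("198.51.100.7", "192.168.10.50")]:  # unsolicited inbound
        print(src, "->", dst, *default_policy(routes, src, dst))
```

The pic. 1 flow succeeds because its destination is the PIX's own inside address, not a host behind another interface; the pic. 2 flow enters and would leave `inside`, so no static route on the PIX can change its verdict.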
