Cisco PIX 506e with multiple internal networks

rick.olson
Level 1

My configuration is not very complex, yet I'm not achieving the results I want.

Our 506e connects on the outside to a T1. On the inside interface, it plugs directly into a switch. Also plugged into the switch is another router which connects to another network. The IP's are as follows:

PIX Internal: 192.168.4.1

Router (Network A side): 192.168.4.2

Router (Network B side): 192.168.1.1

At present, Network A (192.168.4.0) is able to access the internet through the PIX just fine. Network A is also able to communicate just fine with Network B. However, Network B is unable to access the internet (which it must do so via the PIX in Network A).

I'm not sure where to look, what to try, etc. Any hints to the direction I should look would be great.

6 Replies

Amit Singh
Cisco Employee

Rick,

It's kinda hard to predict the topology that you have by explanation; a brief topology diagram will help in understanding it clearly.

Where and how is router B connected on the PIX? Is router B also located on the inside interface of the PIX? If yes, have you tried adding a default route on router B towards the PIX inside interface, like

ip route 0.0.0.0 0.0.0.0 192.168.4.1

Also, try adding the reverse routes on the PIX for the IP subnets located behind router B.

HTH,

-amit singh

Jon Marshall
Hall of Fame

Hi

I agree with Amit in that the most likely culprit is that the PIX does not know how to get to the 192.168.1.x network.

Can you ping any 192.168.1.x addresses from the PIX?

If not, try this on the PIX:

pix(config)# route inside 192.168.1.0 255.255.255.0 192.168.4.2

HTH

Jon

I can indeed ping one of the servers on the 192.168.1.x network (it's 1.100) from the PIX. I can also, from that 1.100 server, ping the LAN side of the PIX. However, beyond that it won't go.

When I try to go to a website, the status bar on the browser will say "Connecting to site x.x.x.x" but it will not go.

As for the topology, perhaps I can explain it a bit better.

We're implementing an MPLS network using AdTran routers at each site. For now, we're only working on two sites (site A and site B). Site A is our main site (192.168.4.x) and Site B is our remote site (192.168.1.x). The AdTran router at Site A is 192.168.4.2, and the PIX is 4.1.

At first I thought perhaps the AdTran router at Site A needed a routing entry for the PIX. Right now traffic comes in and it appears as if it hits one of our Windows Server 2003 machines that has RRAS installed (the only thing this RRAS machine is doing is creating a static route to the 192.168.1.x network).

I hope this helps... thanks for your suggestions so far.

Amit Singh
Cisco Employee

I would like to check a few things here:

1. What is the gateway set on the hosts that are on Site B?

2. What happens when you try "tracert yahoo.com" from one of the PCs in Site B?

3. Check if you have allowed the 192.168.1.x network on the PIX, i.e. you are NATting that address range on the PIX to access the internet.

4. Finally, the config from both the PIX and the Site B router would help.

HTH, please rate if it does.

-amit singh

Site B hosts are set for 192.168.1.1 as their gateway (the AdTran router at the site). When we try a tracert from site B it hits the WAN side of the Site B router, the WAN side of the Site A router and then stops. It doesn't seem to even reach the PIX device, yet I can ping the PIX device from Site B just fine.

I don't have much experience using the command line for the PIX...all of my configurations have been using the PDM GUI. On the "Hosts/Networks" configuration screen for the "inside" interface I've added a Network object for the 192.168.1.0 network. I've defined a static route of 192.168.4.2 with metric of 2. For the NAT screen, I chose to use the same settings that the 192.168.4.0 network uses which are: Address Pool ID of 1, and a Dynamic NAT using the WAN side of the PIX as the address.

NAT sort of confuses me, so I'm not quite sure if I've established the correct settings or not for it.

I should also mention that the AdTran routers for both Site A and Site B came pre-configured by Qwest.
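What the two suggestions above (Jon's route and Amit's point 3 about NAT) look like on the PIX CLI, as an added example that is not from anyone in this thread. It assumes PIX 6.x syntax, the addresses Rick gave, and that address pool ID 1 is the same pool the 192.168.4.0 hosts already use:

```text
! Added example (assumed PIX 6.x syntax), not configuration from this thread.
! 1. Reverse route: 192.168.1.0/24 is reachable via the Site A AdTran router.
route inside 192.168.1.0 255.255.255.0 192.168.4.2 1

! 2. NAT: the remote subnet must be in the same inside->outside pool as
!    192.168.4.0, otherwise the PIX has no translation for its traffic.
nat (inside) 1 192.168.4.0 255.255.255.0 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 interface

! Verification after applying: the route should appear, and a web request
! from a Site B host should create a translation entry.
show route
show xlate
```

If `show xlate` shows no entry for a 192.168.1.x host while it is trying to reach a website, the packet is not arriving at the PIX, which matches the tracert stopping at the Site A router.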

Rick,

Your router configs and the routing part of the PIX seem to be fine, as you are reaching the PIX and vice versa. I think we need to check the PIX config finally. If you can get to the PIX CLI, please take the output of the PIX config and paste it here. Do the config

Config t

Show config

HTH,

-amit singh
