Hi Mahmood,

but when PIX is able to reach the 192.168.200.1, why not the PC which is having the gateway IP address of PIX can't reach 192.168.200.1?

any more suggestions, mahmood i am not clear with your answer, it doesn't contain anything value points on to it.

Hello there,

The issue here is to do with ICMP.

When your pc sends out a ping to 192.168.200.1 it realises that it is not on the same subnet and thus sends the request to it's default gateway - in your case - the PIX firewall.

The PIX firewall then recieves the request for 192.168.200.1 and knows that it's beck through the interface it come in on. So what should happen is it will send your PC an ICMP redirect message to tell you where to find the network (via the 3com switch rather than the PIX)

This is an option that needs to be turned on for the PIX.

The better way to do it would be to point the PC's default gateway to the 3com switch. Then you should have no problems!

Hope this helps,

LH

** Please rate all posts **

3COM switch has got 2 ip address,

172.16.0.100

192.168.200.1

default gateway ip address is 172.16.0.254

----------------------------------------------

PIX IP address 172.16.0.254

route inside 192.168.200.0 255.255.255.0 172.168.0.100

----------------------------------------------

PC ip address 172.16.0.82

gateway ip address is 172.16.0.254. this is what i have set already.

any suggestions?

this is the message i get in the log on the pix for the above.

Jun 21 11:13:25 172.16.0.254 %PIX-3-106011: Deny inbound (No xlate) icmp src inside:172.16.0.82 dst inside:192.168.200.1 (type 8, code 0

Hi there,

The problem here is the icmp redirect on the PIX.

The easiest way to sort this is to make the default gateway of your PC the 3com switch (172.16.0.100) - try that and let me know how it goes!

LH

** Please rate all posts **

hey,

as i mentioned in the previous post, if i set 172.16.0.100 as the gateway to my PC, it works fine, only if i set the PIX(172.16.0.254) as a gateway to the PC it is not working.

my question again is, if PIX could able to reach 192.168.200.1, then why not my pc having gateway ip address as PIX is not able to ping.

Hello,

The problem is to do with icmp redirecting on the PIX.

The traffic flow will not go in nto the PIX and then out from the PIX back out of the same interface it came in on to the 3COM switch.

The PIX will send your PC an icmp redirect message and your PC will send the traffic straight to the 3COM switch.

On the 3COM switch, the imcp redirect will be on by default. On the PIX icmp redirects are turned off for security reasons.

Have a look at this question (at the bottom) on this page:-

Q. Can I operate the PIX in a "one armed" configuration?

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a0080094874.shtml

Have a look here for more information on icmp:-

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094702.shtml

http://en.wikipedia.org/wiki/ICMP_Redirect_Message

Hope that helps!

LH

** Please rate all posts **

Oh no,

the explanation for what exactly i am looking for is really superb "Q. Can I operate the PIX in a "one armed" configuration? " & i do agree with that, but ultimately now i need to rely on 3COM not on Pix to set as a gateway.

any how thanks for the link providing.