PIX v6.3 issue

Answered Question
Oct 11th, 2008

Hi,

My router is connected on the inside. I have other subnets to reach behind my router (address 172.20.1.250). I can ping any subnet on the outside,

but not the subnets behind my router; if I ping from my PIX, it's successful toward all subnets.


I am connected on the inside and my GW is 172.20.1.10.


this is my config.



Attachment: 

Honestly - it's a bad use of networking devices. The PIX is a "firewall", there to protect and give access between trusted and untrusted networks.


A router is a layer 3 IP routing device, designed for routing between IP subnets.


If you have both devices available, then the router should be a router and the firewall should be a firewall. Only in cases where you only have one should you really make the device dual purpose.


Besides, your PIX is running 6.3 code - you would need to upgrade to 7.x or 8.x to do what you wanted to do, which would have been:-


static (inside,inside) 172.20.1.0 172.20.1.0 netmask 255.255.255.0


same-security-traffic permit intra-interface


the above would:-


1) Not NAT any traffic from 172.20.1.0 to 172.20.1.0

2) Allow traffic received on the inside interface to be transmitted back out of the inside interface.


As you can see - the above is exactly 100% what a router does..... do you understand?


HTH

youssef_1985 Tue, 10/14/2008 - 01:37

I don't need to ping from outside to inside.

My objective is:

from my PC (172.20.1.25, GW = PIX) ping the subnets behind my router (172.20.1.250)


test from my PC:

ping subnets outside --> OK

ping GW PIX --> OK

ping GW router --> OK

ping subnet behind router --> NOK "problem"

Firstly, your design is wrong. It is possible to do what you want using the PIX, but you will have to upgrade and do some complicated config.


1) You should not have the PIX as DG if you have a layer 3 routing device in your network.



I suggest you do the following:-


Change the DG of your PC to 172.20.1.250.


In the router add a static route:-


ip route 192.168.1.0 255.255.255.0 172.20.1.10


This will fix your issues.


HTH
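Why the posted design fails and the suggested one works comes down to two forwarding rules: the PC's default gateway decides which box sees the packet first, and a PIX 6.3 will not send a packet back out the interface it arrived on (the "hairpin" that 7.x unlocks with same-security-traffic permit intra-interface). The simulation below is an added example written for this page, not configuration from the thread or Cisco's own code. It models only the routing-table and hairpin behaviour, not ACLs, NAT or state, and it assumes addresses the thread does not state: 192.168.1.0/24 is the subnet on the PIX outside interface (the target of the thread's ip route), 10.10.10.0/24 is the subnet behind the router, 192.168.1.1 and 10.10.10.1 are the PIX outside and router LAN addresses, and .50 / .5 are test hosts. It runs the four pings from the thread in three setups: as posted (GW = PIX 6.3), the suggested fix (GW = router plus the static route), and the 7.x hairpin config (GW = PIX with intra-interface permitted).

```python
"""Forwarding simulation for the thread's topology (added example, not from the page).

Assumed addressing beyond what the thread states:
  192.168.1.0/24  = subnet on the PIX outside interface (the thread's ip route target)
  10.10.10.0/24   = the subnet behind the router (the thread never names it)
  192.168.1.1 / 10.10.10.1 = PIX outside / router LAN addresses; .50 and .5 are test hosts
"""
import ipaddress
from dataclasses import dataclass

IP, NET = ipaddress.ip_address, ipaddress.ip_network


@dataclass
class Device:
    name: str
    ifaces: dict                   # interface name -> its IPv4 address
    routes: list                   # (prefix, next hop or None if connected, out interface)
    firewall: bool = False         # PIX: never forward a packet back out its ingress interface...
    intra_interface: bool = False  # ...unless 'same-security-traffic permit intra-interface' (7.x+)

    def iface_for(self, addr):
        """Name of the interface that owns addr, or None."""
        return next((n for n, a in self.ifaces.items() if IP(a) == addr), None)

    def lookup(self, dst):
        """Longest-prefix match; returns (next_hop, out_iface) or None."""
        best = None
        for prefix, nh, iface in self.routes:
            net = NET(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, iface)
        return None if best is None else (best[1], best[2])


def owner(devices, addr):
    return next((d for d in devices if d.iface_for(addr)), None)


def trace(devices, src, dst, max_hops=8):
    """Walk one packet from src to dst. Returns (delivered, [hop descriptions])."""
    src, dst = IP(src), IP(dst)
    dev, ingress, path = owner(devices, src), None, []
    for _ in range(max_hops):
        if dev.iface_for(dst):
            path.append(f"{dev.name}: delivered")
            return True, path
        route = dev.lookup(dst)
        if route is None:
            path.append(f"{dev.name}: no route to {dst}")
            return False, path
        nh, egress = route
        if dev.firewall and ingress == egress and not dev.intra_interface:
            path.append(f"{dev.name}: dropped, would hairpin {ingress}->{egress}")
            return False, path
        target = IP(nh) if nh is not None else dst   # connected route: hand to dst directly
        nxt = owner(devices, target)
        if nxt is None:
            path.append(f"{dev.name}: next hop {target} unreachable")
            return False, path
        path.append(f"{dev.name}: -> {target} via {egress}")
        dev, ingress = nxt, nxt.iface_for(target)
    return False, path + ["hop limit exceeded"]


def ping(devices, src, dst):
    """Echo request plus echo reply; both legs must be delivered."""
    ok_req, p1 = trace(devices, src, dst)
    if not ok_req:
        return False, p1
    ok_rep, p2 = trace(devices, dst, src)
    return ok_rep, p1 + ["--- reply ---"] + p2


def build(pc_gateway, router_static_to_outside, pix_intra_interface=False):
    """Assemble the topology; the three parameters are the knobs the thread argues about."""
    pc = Device("pc", {"nic": "172.20.1.25"},
                [("172.20.1.0/24", None, "nic"), ("0.0.0.0/0", pc_gateway, "nic")])
    pix = Device("pix", {"inside": "172.20.1.10", "outside": "192.168.1.1"},
                 [("172.20.1.0/24", None, "inside"), ("192.168.1.0/24", None, "outside"),
                  ("10.10.10.0/24", "172.20.1.250", "inside")],  # PIX itself can reach the branch
                 firewall=True, intra_interface=pix_intra_interface)
    router_routes = [("172.20.1.0/24", None, "lan"), ("10.10.10.0/24", None, "branch")]
    if router_static_to_outside:  # the thread's: ip route 192.168.1.0 255.255.255.0 172.20.1.10
        router_routes.append(("192.168.1.0/24", "172.20.1.10", "lan"))
    router = Device("router", {"lan": "172.20.1.250", "branch": "10.10.10.1"}, router_routes)
    branch_host = Device("branch_host", {"nic": "10.10.10.5"},
                         [("10.10.10.0/24", None, "nic"), ("0.0.0.0/0", "10.10.10.1", "nic")])
    outside_host = Device("outside_host", {"nic": "192.168.1.50"},
                          [("192.168.1.0/24", None, "nic"), ("0.0.0.0/0", "192.168.1.1", "nic")])
    return [pc, pix, router, branch_host, outside_host]


def results(devices):
    """The four tests from the thread, as {target: reachable}."""
    return {t: ping(devices, "172.20.1.25", t)[0]
            for t in ("192.168.1.50", "172.20.1.10", "172.20.1.250", "10.10.10.5")}


if __name__ == "__main__":
    for label, net in (("as posted: GW = PIX 6.3", build("172.20.1.10", False)),
                       ("suggested fix: GW = router + static route", build("172.20.1.250", True)),
                       ("PIX 7.x hairpin: GW = PIX, intra-interface", build("172.20.1.10", False, True))):
        print(label, results(net))
        print("   ", ping(net, "172.20.1.25", "10.10.10.5")[1])
```

In the "as posted" setup the trace stops at the PIX with a hairpin drop for 10.10.10.5 while the other three pings succeed, exactly the symptom list in the thread; moving the default gateway to the router makes all four succeed, and dropping the static route again shows the outside subnet failing on the router with "no route", which is what the ip route line is for. The 7.x setup passes too, but note the reply from the branch never transits the PIX, so the firewall sees only half of that conversation; that asymmetry is one practical reason to prefer the router-as-gateway design over hairpinning.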


youssef_1985 Tue, 10/14/2008 - 02:17

Thanks for your help,


but why should I not have the PIX as DG if I have a layer 3 routing device in my network?


I already tested your suggestion; it's working fine.


Thanks




youssef_1985 Tue, 10/14/2008 - 03:44

Hi,


*Allow traffic received on the inside interface to be transmitted back out of the inside interface


Which command do I need to use for this? "access-list"?
