688 Views | 5 Helpful | 9 Replies

PIX v6.3 issue

youssef_1985
Level 1

hi,

My router is connected on the inside. I have other subnets to reach behind my router (address 172.20.1.250), and I can ping any subnet on the outside,

but not the subnets behind my router. However, if I ping from my PIX, it is successful toward all subnets.

I am connected on the inside and my GW is 172.20.1.10.

this is my config.


9 Replies

andrew.prince
Level 10

Are you trying to ping from the "outside" to the "inside"?

If so - you do not have any static NAT translations for 172.20.1.250.

HTH>

I don't need to ping from outside to inside.

My objective is:

from my PC (172.20.1.25, gw PIX) ping the subnets behind my router (172.20.1.250).

test from my PC:

ping subnets outside--->OK

ping gw PIX ------->OK

ping gw Router---->OK

ping subnet behind Router----->NOK "problem"

Firstly, your design is wrong. It is possible to do what you want using the PIX, but you will have to upgrade and do some complicated config.

1) You should not have the PIX as the DG if you have a layer 3 routing device in your network.

I suggest you do the following:-

Change the DG of your PC to 172.20.1.250.

In the router add a static route:-

ip route 192.168.1.0 255.255.255.0 172.20.1.10

This will fix your issues.

HTH>

Thanks for your help,

but why should I not have the PIX as the DG if I have a layer 3 routing device in my network?

I already tested your suggestion; it's working fine.

Thanks

Honestly - it's a bad use of networking devices. The PIX is a "Firewall" to protect and give access between a trusted and an un-trusted network.

A router is a layer 3 IP routing device, designed for routing IP subnetworks.

If you have both devices available - then the router should be a router, the firewall should be a firewall. Only in cases where you only have one should you really make the devices dual purpose.

Besides, your PIX was running 6.3 code - you would need to upgrade to 7.x or 8.x to do what you wanted to do, which would have been:-

static (inside,inside) 172.20.1.0 172.20.1.0 netmask 255.255.255.0

same-security-traffic permit intra-interface

The above would:-

1) Not NAT any traffic from 172.20.1.0 to 172.20.1.0

2) Allow traffic received on the inside interface to be transmitted back out of the inside interface.

As you can see - the above is exactly 100% what a router does..... do you understand?

HTH>
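The two pieces of advice in this thread (move the PC's default gateway to the router and add "ip route 192.168.1.0 255.255.255.0 172.20.1.10" on the router, versus upgrading the PIX and permitting intra-interface traffic) are both consequences of one forwarding rule: a PIX 6.3 will not send a packet back out of the interface it arrived on. The following is an added Python model of the thread's topology, written for this page and not PIX or IOS code. It takes the addresses the thread gives (PC 172.20.1.25, PIX inside 172.20.1.10, router 172.20.1.250, the 192.168.1.0/24 route) and assumes the rest: a PIX outside address of 192.168.1.1, a router WAN side of 10.0.0.0/24 as the "subnet behind the router", and two constructed test hosts at 10.0.0.50 and 192.168.1.50. NAT is not modelled; only the routing tables and the hairpin rule are.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IPv4 = ipaddress.IPv4Address


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str                       # egress interface
    next_hop: Optional[IPv4] = None  # None = directly connected


@dataclass
class Node:
    name: str
    ifaces: dict[str, ipaddress.IPv4Interface]
    routes: list[Route] = field(default_factory=list)
    # May a packet leave through the interface it arrived on?  Always true for a
    # router.  False models PIX 6.3; True models PIX 7.x/8.x configured with
    # "same-security-traffic permit intra-interface".
    intra_interface: bool = True

    def lookup(self, dst: IPv4) -> Optional[Route]:
        """Longest-prefix match over this node's routing table."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def connected(iface: str, addr: str) -> Route:
    """Route for the subnet directly attached to an interface."""
    return Route(ipaddress.ip_interface(addr).network, iface)


def build(pc_gateway: str, pix_intra_interface: bool, router_static_route: bool) -> list[Node]:
    """Constructed topology. Addresses not given in the thread (PIX outside,
    router WAN side, the two test hosts) are assumptions for this example."""
    pc = Node("PC", {"eth0": ipaddress.ip_interface("172.20.1.25/24")},
              [connected("eth0", "172.20.1.25/24"),
               Route(ipaddress.ip_network("0.0.0.0/0"), "eth0", IPv4(pc_gateway))])
    pix = Node("PIX", {"inside": ipaddress.ip_interface("172.20.1.10/24"),
                       "outside": ipaddress.ip_interface("192.168.1.1/24")},
               [connected("inside", "172.20.1.10/24"),
                connected("outside", "192.168.1.1/24"),
                # the OP can ping the far subnet from the PIX itself, so it knows this route
                Route(ipaddress.ip_network("10.0.0.0/24"), "inside", IPv4("172.20.1.250"))],
               intra_interface=pix_intra_interface)
    router = Node("Router", {"lan": ipaddress.ip_interface("172.20.1.250/24"),
                             "wan": ipaddress.ip_interface("10.0.0.1/24")},
                  [connected("lan", "172.20.1.250/24"), connected("wan", "10.0.0.1/24")])
    if router_static_route:  # "ip route 192.168.1.0 255.255.255.0 172.20.1.10"
        router.routes.append(Route(ipaddress.ip_network("192.168.1.0/24"), "lan", IPv4("172.20.1.10")))
    behind = Node("Host-behind-router", {"eth0": ipaddress.ip_interface("10.0.0.50/24")},
                  [connected("eth0", "10.0.0.50/24")])
    outside = Node("Outside-host", {"eth0": ipaddress.ip_interface("192.168.1.50/24")},
                   [connected("eth0", "192.168.1.50/24")])
    return [pc, pix, router, behind, outside]


def trace(nodes: list[Node], dst: str, max_hops: int = 8) -> tuple[list[str], str]:
    """Forward one packet from nodes[0] hop by hop; return (path, verdict)."""
    dst_ip = IPv4(dst)
    addr_map = {ifc.ip: (n, name) for n in nodes for name, ifc in n.ifaces.items()}
    node, in_iface = nodes[0], None
    path = [node.name]
    for _ in range(max_hops):
        if any(ifc.ip == dst_ip for ifc in node.ifaces.values()):
            return path, "delivered"
        route = node.lookup(dst_ip)
        if route is None:
            return path, f"dropped by {node.name}: no route"
        if in_iface == route.iface and not node.intra_interface:
            return path, f"dropped by {node.name}: egress == ingress interface"
        next_hop = route.next_hop if route.next_hop is not None else dst_ip
        if next_hop not in addr_map:
            return path, f"dropped by {node.name}: next hop {next_hop} unreachable"
        node, in_iface = addr_map[next_hop]
        path.append(node.name)
    return path, "dropped: hop limit exceeded"


if __name__ == "__main__":
    scenarios = {
        "DG=PIX 6.3, ping behind router": (build("172.20.1.10", False, True), "10.0.0.50"),
        "DG=PIX 6.3, ping outside": (build("172.20.1.10", False, True), "192.168.1.50"),
        "DG=router + static route, behind": (build("172.20.1.250", False, True), "10.0.0.50"),
        "DG=router + static route, outside": (build("172.20.1.250", False, True), "192.168.1.50"),
        "DG=router, no static route, outside": (build("172.20.1.250", False, False), "192.168.1.50"),
        "DG=PIX 7.x intra-interface, behind": (build("172.20.1.10", True, True), "10.0.0.50"),
    }
    for label, (nodes, dst) in scenarios.items():
        path, verdict = trace(nodes, dst)
        print(f"{label:38} {' -> '.join(path):44} {verdict}")
```

The first scenario reproduces the OP's symptom: the packet reaches the PIX on "inside", the PIX's best route for 10.0.0.0/24 also points out "inside", and a 6.3 box drops it. Moving the default gateway to the router removes the PIX from that path entirely, and the static route on the router is what keeps the outside-bound traffic working once the router is the gateway (without it the router has no route for 192.168.1.0/24). The last scenario shows the 7.x/8.x behaviour the accepted answer describes; on a real PIX the identity "static (inside,inside)" is also needed so the hairpinned traffic is not translated, which this routing-only model does not represent.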

yes thank you very much.

np - glad to help.

Hi,

*Allow traffic received on the inside interface to be transmitted back out of the inside interface

Which command do I need to use for this? "access-list"?

same-security-traffic permit intra-interface - is the command you need.

BUT as I have previously posted - you NEED to upgrade to either 7.x or 8.x of IOS.

HTH>
