02-24-2007 12:57 PM - edited 03-11-2019 02:38 AM
I have PIX 515 that I am trying to get to point out to the internet through a 2811.
I can get to the internet through the 2811 if I connect directly to the router, however through the PIX I'm running into some problems.
Router Details:
Internal IP:
192.168.254.2 255.255.255.0
X.X.3.252 255.255.255.240 secondary
External IP:
X.X.1.30 255.255.255.252
Firewall:
Internal IP:
192.168.254.3 255.255.255.0
External IP:
X.X.3.238 255.255.255.240
Now, I can ping the internal interface of the router from the external interface of the PIX, but I cannot get to the external interface of the router from anywhere in the PIX.
I'm pretty sure it has to be a routing issue on the PIX... but I could be very, very wrong. Any help would be greatly appreciated!
02-24-2007 02:46 PM
Hi
Could be a number of things. When you say "from anywhere in the pix", do you mean from DMZs / internal networks?
If so, things to check:
1) Routing as you mentioned. Generally speaking you would want a default route on the pix pointing to the 2811.
2) NAT on the pix. Are you doing it or not?
3) Access-lists on the pix. If you are pinging from inside the pix to the router, you will need an access-list on the outside interface of your pix allowing the ping back in, as ICMP is not stateful.
Could you explain where you are trying to ping from and send a sanitised copy of the pix config.
HTH
Jon
02-26-2007 09:48 AM
I had no access-list on the pix to allow ICMP back in. Thanks for the heads up.
Now I have a separate problem:
I cannot telnet into my router's internal interface from behind the firewall. Any thoughts on what might be causing this?
02-26-2007 10:59 AM
Hi
Have you allowed telnet from the host you are trying to get to? e.g. assuming you are connecting from 192.168.5.2, on the pix in config mode:
telnet 192.168.5.2 255.255.255.255 inside
HTH
Jon
02-26-2007 12:34 PM
I have a default rule that allows all inside traffic out, this includes telnet. I can telnet into smtp servers, etc. outside the router.
I just can't telnet into the inside interface of my router.
That interface has two IPs:
a private address: 192.168.254.2
a public address: X.X.3.225 (secondary)
Now here's the strange thing: I can't telnet to the 192.168 address, nor can I ping it. However, I can ping the .3.225 secondary address. Strange, they are both on the same interface, shouldn't I be able to hit both of them?
02-26-2007 11:54 PM
Hi
Sorry, my mistake, I misread and thought you were talking about telnet to the pix.
Right. Does your router have a route back to the host you are pinging from?
Can you ping both router addresses on the internal interface from your pix?
What you could do is do a bit of debugging on the pix, i.e.
debug packet outside dst 192.168.254.2
debug packet outside src 192.168.254.2
If you then telnet you should be able to see the packets going back and forth.
(Be careful with the debug. If there is a lot of traffic going through your pix best to do it in a quiet period).
Jon
02-27-2007 07:40 AM
First off, thanks for the help Jon, much appreciated.
Second off, I cannot ping the private 192 address, however I can ping the public X.X.3.225 address.
I'll give debugging a shot and see if I can't get some more info.
Thanks again.
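One check worth making against the addresses posted in this thread: the PIX inside interface (192.168.254.3/24) and the router's internal address (192.168.254.2/24) share a subnet, while the PIX outside interface sits in the X.X.3.224/28 range with the router's secondary .225. The added script below (not from the thread) models the PIX's longest-prefix route lookup over its connected routes plus a default to the 2811; "X.X" is replaced by the constructed documentation prefix 203.0.113 so it runs offline. It shows why a ping to the secondary address leaves via outside while a ping to 192.168.254.2 is sent out the inside interface, never reaching the router.

```python
import ipaddress

# Constructed route table modelled on the thread's addresses.
# X.X.3.x from the thread is written as 203.0.113.x (documentation prefix).
PIX_ROUTES = [
    # (destination network, egress interface, next hop or None if connected)
    ("192.168.254.0/24", "inside", None),        # PIX inside  192.168.254.3/24
    ("203.0.113.224/28", "outside", None),       # PIX outside X.X.3.238/28
    ("0.0.0.0/0", "outside", "203.0.113.225"),   # default to the 2811 secondary
]


def lookup(dst, routes=PIX_ROUTES):
    """Longest-prefix match. Returns (interface, next_hop) or None.

    next_hop is None for a directly connected destination.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface, next_hop in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface, next_hop)
    return None if best is None else (best[1], best[2])


def egress_interface(dst, routes=PIX_ROUTES):
    """Interface the PIX would use to reach dst, or None if unroutable."""
    result = lookup(dst, routes)
    return None if result is None else result[0]


if __name__ == "__main__":
    for target in ("192.168.254.2", "203.0.113.225", "198.51.100.10"):
        print(target, "->", lookup(target))
```

With the thread's addressing, 192.168.254.2 matches the inside connected route (/24 beats /0), so the PIX never forwards that ping toward the 2811, whereas the secondary address matches the outside connected route.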