Cisco Support Community
New Member

PIX v6.3 issue

hi,

My router is connected on the inside. I have other subnets to reach behind my router (address 172.20.1.250), and I can ping any subnet on the outside,

but not the ones behind my router. But if I ping from my PIX, it's successful toward all subnets.

I am connected on the inside and my GW is 172.20.1.10.

this is my config.

9 REPLIES

Re: PIX v6.3 issue

Are you trying to ping from the "outside" to the "inside"?

If so - you do not have any static NAT translations for 172.20.1.250.

HTH>

New Member

Re: PIX v6.3 issue

I don't need to ping from outside to inside.

My objective is:

from my PC (172.20.1.25, GW PIX), ping the subnets behind my router (172.20.1.250)

Test from my PC:

ping subnets outside ---> OK

ping GW PIX ---> OK

ping GW router ---> OK

ping subnet behind router ---> NOK "problem"

Re: PIX v6.3 issue

Firstly, your design is wrong. It is possible to do what you want using the PIX, but you will have to upgrade and do some complicated config.

1) You should not have a DG of the PIX if you have a layer 3 routing device in your network.

I suggest you do the following:-

Change the DG of your PC to 172.20.1.250.

In the router add a static route:-

ip route 192.168.1.0 255.255.255.0 172.20.1.10

This will fix your issues.

HTH>

New Member

Re: PIX v6.3 issue

thanks for your help,

But why should I not have a DG of the PIX if I have a layer 3 routing device in my network?

I already tested your suggestion; it's working fine.

Thanks

Re: PIX v6.3 issue (Accepted Solution)

Honestly - it's a bad use of networking devices. The PIX is a "firewall" to protect and give access between a trusted and an untrusted network.

A router is a layer 3 IP routing device, designed for routing IP subnets.

If you have both devices available - then the router should be a router, the firewall should be a firewall. Only in cases where you only have one should you really make the device dual-purpose.

Besides, your PIX was running 6.3 code - you would need to upgrade to 7.x or 8.x to do what you wanted to do, which would have been:-

static (inside,inside) 172.20.1.0 172.20.1.0 netmask 255.255.255.0

same-security-traffic permit intra-interface

The above would:-

1) Not NAT any traffic from 172.20.1.0 to 172.20.1.0

2) Allow traffic received on the inside interface to be transmitted back out of the inside interface.

As you can see - the above is exactly 100% what a router does..... do you understand?

HTH>
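As an added illustration (this is not code from the thread, from Cisco, or from either poster), the Python model below traces a packet hop by hop through the topology the thread describes: PC 172.20.1.25, PIX inside address 172.20.1.10, router 172.20.1.250. Each hop does a longest-prefix route lookup, and the firewall additionally applies the rule the accepted answer explains: a packet may not be sent back out the interface it arrived on unless intra-interface forwarding is permitted (the PIX 7.x/8.x "same-security-traffic permit intra-interface" behaviour). The subnet behind the router (10.10.10.0/24), the outside subnet (192.168.1.0/24, taken from the static route suggested earlier in the thread) and the interface names are assumptions; NAT and access lists are deliberately not modelled.

```python
import ipaddress


class Node:
    """A layer-3 hop. routes are (prefix, next_hop or None if directly connected, interface)."""

    def __init__(self, name, addresses, routes, firewall=False, intra_interface=False):
        self.name = name
        self.addresses = addresses                     # own IP addresses, used to resolve next hops
        self.routes = [(ipaddress.ip_network(p), nh, i) for p, nh, i in routes]
        self.firewall = firewall                       # enforce the hairpin rule on this hop?
        self.intra_interface = intra_interface         # models "same-security-traffic permit intra-interface"

    def best_route(self, dst):
        """Longest-prefix match, or None if there is no route at all."""
        dst = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if dst in r[0]]
        return max(candidates, key=lambda r: r[0].prefixlen, default=None)

    def interface_for(self, ip):
        """Interface on which a directly connected address lives (used to find the ingress interface)."""
        r = self.best_route(ip)
        return r[2] if r is not None and r[1] is None else None


def trace(nodes, src_ip, gateway, dst_ip, max_hops=8):
    """Return (delivered, path, reason) for a packet from src_ip sent via gateway to dst_ip."""
    by_ip = {ip: n for n in nodes for ip in n.addresses}
    path = []
    hop = by_ip[gateway]
    ingress = hop.interface_for(src_ip)
    for _ in range(max_hops):
        path.append(hop.name)
        route = hop.best_route(dst_ip)
        if route is None:
            return False, path, f"{hop.name}: no route to {dst_ip}"
        prefix, next_hop, egress = route
        # The hairpin rule: a PIX without intra-interface forwarding drops traffic that
        # would leave on the interface it came in on. A plain router has no such rule.
        if hop.firewall and ingress == egress and not hop.intra_interface:
            return False, path, f"{hop.name}: ingress and egress are both '{egress}'; intra-interface forwarding is off"
        if next_hop is None:
            return True, path, f"{hop.name}: destination directly connected on '{egress}', delivered"
        if next_hop not in by_ip:
            return False, path, f"{hop.name}: next hop {next_hop} is not a known device"
        nxt = by_ip[next_hop]
        ingress = nxt.interface_for(next_hop)          # the packet arrives where next_hop's address lives
        hop = nxt
    return False, path, "hop limit exceeded"


def build_topology(pix_intra_interface=False):
    """Constructed topology. 10.10.10.0/24 behind the router and 192.168.1.0/24 outside are assumptions."""
    pix = Node("PIX", ["172.20.1.10", "192.168.1.1"],
               [("172.20.1.0/24", None, "inside"),
                ("192.168.1.0/24", None, "outside"),
                ("10.10.10.0/24", "172.20.1.250", "inside")],   # the PIX can already reach the far subnet
               firewall=True, intra_interface=pix_intra_interface)
    router = Node("Router", ["172.20.1.250", "10.10.10.1"],
                  [("172.20.1.0/24", None, "lan"),
                   ("10.10.10.0/24", None, "branch"),
                   ("192.168.1.0/24", "172.20.1.10", "lan")])    # ip route 192.168.1.0 255.255.255.0 172.20.1.10
    return [pix, router]


def scenarios():
    """The four cases discussed in the thread, keyed by name."""
    return {
        # 1) PC default gateway = PIX running 6.3: the original poster's failing ping
        "gw_pix_6.3": trace(build_topology(False), "172.20.1.25", "172.20.1.10", "10.10.10.20"),
        # 2) PC default gateway = PIX upgraded and configured with intra-interface forwarding
        "gw_pix_hairpin": trace(build_topology(True), "172.20.1.25", "172.20.1.10", "10.10.10.20"),
        # 3) PC default gateway = router, as advised: far subnet reached directly
        "gw_router_behind": trace(build_topology(False), "172.20.1.25", "172.20.1.250", "10.10.10.20"),
        # 4) same design, outside-bound traffic: the router's static route hands it to the PIX
        "gw_router_outside": trace(build_topology(False), "172.20.1.25", "172.20.1.250", "192.168.1.50"),
    }


if __name__ == "__main__":
    for name, (ok, path, reason) in scenarios().items():
        print(f"{name:18} {'OK ' if ok else 'NOK'} path={' -> '.join(path)}  ({reason})")
```

Scenario 1 reproduces the failing ping: the PIX receives the packet on inside, its route to the far subnet also points out inside, and without intra-interface forwarding the packet is dropped before it ever reaches the router. Scenario 2 shows what the upgrade plus the two configuration lines would change. Scenarios 3 and 4 show the recommended design: with the router as default gateway the far subnet is directly connected, and the router's static route still sends outside-bound traffic through the PIX, which now sees inside-to-outside traffic only.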

New Member

Re: PIX v6.3 issue

yes thank you very much.

Re: PIX v6.3 issue

np - glad to help.

New Member

Re: PIX v6.3 issue

hi

*Allow traffic received on the inside interface to be transmitted back out of the inside interface

Which CMD do I need to use for this? "access-list"?

Re: PIX v6.3 issue

same-security-traffic permit intra-interface - is the command you need.

BUT as I have previously posted - you NEED to upgrade to either 7.x or 8.x of IOS.

HTH>
