Routable network "behind" PIX

cjdoidge
Level 1

Hi guys,

Just wondering if you can give me an idea how to sort out a situation where I have 2 subsequent subnets of /29 bits each, one of them "in front" of a PIX515 (OS ver. 7.1) and the second "behind" it. For some reason, when I asked the ISP to just specify the external IP address of the PIX as the gateway for the second subnet on their router, I couldn't get things connected. However, when I asked them to revert things back to what it was before (a single /28 subnet behind the ISP's router, in front of the PIX), one of the hosts behind the PIX suddenly started sending/receiving traffic through the PIX. The other host with similar network settings (just the next IP address, belonging to the same subnet as the first device) still doesn't behave.

I know that the PIX isn't a router and doesn't work with IP headers, but I just need to know what exactly needs to be done on the PIX/hosts/ISP's router to get the subnet "behind" the PIX routed through?

2 Replies

Jon Marshall
Hall of Fame

Hi

There is no reason why this shouldn't have worked. Presumably when the ISP added the route for the subnet behind the PIX, they and you updated the subnet mask on

1) The outside interface of your pix

2) The inside interface of the ISP router.

If the subnet masks weren't updated then this could cause it not to work.

The other option you have is to use private addressing on your internal machines and set up static NAT entries on the PIX for these machines using some of the public addressing from the /28 subnet.

HTH

Jon

micheljoh
Level 1

Hi

Well, I am not sure I understand your question correctly, but for traffic going from a lower security interface (outside) to a higher security interface (inside) it needs to either have a state or an access-list and a translation permitting the traffic.

One problem you can have, if you added the access-list, is that on the inside interface you added dynamic NAT, for example:

nat (inside) 1 0 0

global (outside) 1 interface

What you do then is translate all your inside network IPs to the outside interface address.

If this is the case, try creating an access-list where you deny inside to specific outside traffic in the nat statement, for example:

access-list no-nat permit ip x.x.x.x x.x.x.x y.y.y.y y.y.y.y

x= inside network

y= outside network

and then apply it on the nat statement:

nat (inside) 0 access-list no-nat

nat (inside) 1 0 0

global (outside) 1 interface

Hope I understood the question correctly and this helps you; let me know otherwise!

Regards//Michel
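As an added example that is not from either reply or the original poster, here is how the two /29s could be laid out on the ISP router and the PIX, combining Jon's point about the subnet masks with Michel's NAT exemption. All addresses are constructed documentation-range placeholders (203.0.113.0/28 split into .0/29 in front and .8/29 behind), and the interface names are assumed.

```text
! --- ISP router: only the lines that matter (constructed example) ---
interface GigabitEthernet0/1
 description link to customer PIX, first /29 (not the old /28)
 ip address 203.0.113.1 255.255.255.248
! the second /29 sits behind the PIX, so it is reached via the PIX outside address
ip route 203.0.113.8 255.255.255.248 203.0.113.2

! --- PIX 515, OS 7.1 (constructed example) ---
! outside mask must also be /29, matching the ISP side (Jon's point 1 and 2)
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
! inside carries the second /29; hosts use 203.0.113.9 as their default gateway
interface Ethernet1
 nameif inside
 security-level 100
 ip address 203.0.113.9 255.255.255.248
!
! default route toward the ISP router
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! NAT exemption (Michel's nat 0): the routable /29 must keep its real addresses
! and not be PAT'ed to the outside interface like the rest of the inside
access-list no-nat extended permit ip 203.0.113.8 255.255.255.248 any
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! outside-to-inside is lower-to-higher security, so it still needs an explicit
! permit; allow only the service the behind-PIX host actually offers
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside
```

If the ISP router keeps the whole /28 as a directly connected network instead of the /29 plus the static route, it will ARP for the .8/29 hosts on the wire rather than forward to the PIX, which is the kind of mask mismatch Jon describes.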
