Cisco Support Community

New Member

Can't get through PIX firewall

Hello all,

I am using a PIX 515E with two interfaces and can't get out from the inside to the outside interface. I don't need or want NAT.

The network is configured as follows...

router <---> pix <----> switch

Without the PIX the router's address is 192.168.1.1 and everything works great. After inserting the PIX I changed the router's address to 192.168.2.1 255.255.255.0.

The PIX is configured as follows.

nat (inside) 0 192.168.1.0 255.255.255.0 0 0

route outside 0.0.0.0 0.0.0.0 192.168.2.1 1

ip address outside 192.168.2.2 255.255.255.0

ip address inside 192.168.1.1 255.255.255.0

I also created and applied an access-list to the outside and inside interface that allows icmp packets.

When I telnet into the PIX from the inside network I can ping the inside network but can't ping the router. From the inside network I can ping the inside interface but not the outside interface.

Can anyone tell me what I have missed or am doing wrong?

Thanks in Advance

Warren Johnson

Cisco Employee

Re: Can't get through PIX firewall

Warren,

I have a few suggestions.

1st, I would get rid of your NAT 0 configuration. NAT 0 is *always* a bad idea, unless you are bypassing NAT for a VPN tunnel.

If you don't want a network to be translated, I would highly advise that you static the network to itself,

i.e. static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

2nd, the router probably needs to have its ARP cache cleared with the command "clear arp".

I would issue that command on the Router as well as the PIX.

3rd, have you verified that there is a route on your router pointing to the 192.168.1.0/24 network? Make sure that it is reachable via the PIX on the router,

i.e.

ip route 192.168.1.0 255.255.255.0 192.168.2.2

Hope that helps

-Bryan
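
As an added example, not part of Bryan's reply or of any Cisco documentation, the following puts his three suggestions together with the addresses from Warren's post: the identity static replaces the nat 0 rule, the router gets its return route to the inside network, and both devices have their ARP caches flushed. It uses PIX OS 6.x syntax; the ACL name "outside_in" and the choice of ICMP message types let back in are assumptions, and the PIX interfaces are assumed to already be named inside and outside.

```cisco
! ---- PIX 515E (PIX OS 6.x syntax; interfaces already named inside/outside) ----
ip address outside 192.168.2.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
!
! Remove the nat 0 rule from the original post first:
no nat (inside) 0 192.168.1.0 255.255.255.0 0 0
!
! Identity static: 192.168.1.0/24 is presented on the outside with its own
! addresses, so nothing is translated, but the router must know how to reach
! that network (see the ip route below) or replies never come back.
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
!
! Inbound on the outside interface, admit only the ICMP messages that answer
! pings started from the inside (ACL name "outside_in" is assumed). Traffic from
! the higher-security inside interface outward needs no ACL in this setup.
access-list outside_in permit icmp any 192.168.1.0 255.255.255.0 echo-reply
access-list outside_in permit icmp any 192.168.1.0 255.255.255.0 time-exceeded
access-list outside_in permit icmp any 192.168.1.0 255.255.255.0 unreachable
access-group outside_in in interface outside
!
! Default route: anything not on a connected interface goes to the router
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
!
! Exec mode, after the readdressing: flush stale MAC-to-IP bindings
! clear arp

! ---- Router (IOS), interface facing the PIX is 192.168.2.1/24 ----
! Return route: the inside network is reachable only through the PIX outside address
ip route 192.168.1.0 255.255.255.0 192.168.2.2
!
! Exec mode: flush the ARP entry that still maps 192.168.1.1 to the old hardware
! clear arp-cache
```

The symptom in the original post (inside hosts reach the inside interface but not the outside one) is what you would expect when the router has no route back to 192.168.1.0/24: the echo request gets out, but the router sends the reply to its own default gateway instead of to 192.168.2.2, so the PIX never sees it. Checking "show route" on the router for a 192.168.1.0 entry pointing at the PIX is the quickest confirmation.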

New Member

Re: Can't get through PIX firewall

Bryan,

Thanks, I haven't tried your suggestions yet, but I'm sure the 3rd suggestion is one of the problems. I forgot to add the route back after changing the IP address on the router.

Thanks again.

Warren

Cisco Employee

Re: Can't get through PIX firewall

Warren,

Anytime. I hope it works out for you

-Bryan

New Member

Re: Can't get through PIX firewall

Bryan,

I have a few more questions :-).

1. You seem to know what you're talking about when you say not to use NAT 0, but I was wondering if you could enlighten me as to the reasons for that.

2. By not using NAT on the PIX, does the PIX then become a transparent device as far as routing goes? Will any routes or tunnels that I have set up on the router still work?

Thanks again for your help.

Warren
