I've searched through the forum for a solution and it seems like they all direct to the same text in the PIX 6.2 documentation.
Probably the best way to understand the problem is how the firewall is configured in the first place.
Mine (PIX) is comprised of inside, outside and dmz: 3 interfaces at the moment. Under DMZ, there is another router (R) with two interfaces: one to the same network segment as the DMZ interface and the other to another subnet, 192.168.88.0/24. In the PIX, I've configured nat (dmz) 1 0 0 0 0 and a global address. Conduits and statics have been added for traffic between outside and dmz or dmz and inside and vice versa. I also added a route for the 192.168.88.0/24 subnet in the PIX to route it to the outside interface of (R).
In the DMZ segment, I have a WWW server. When I ping a host under the 192.168.88.0/24 segment, I start to get messages in the log like:
Aug 22 11:51:09 [A.B.C.D.2.2] Aug 22 2002 11:53:34: %PIX-3-106011: Deny inbound (No xlate) icmp src dmz:10.10.10.1 dst dmz:192.168.88.11 (type 0, code 0)
However, I have no problem pinging the 192.168.88.0/24 hosts from the PIX or from hosts on the (inside) interface.
The error only comes from hosts located in the same segment where the (dmz) interface is connected, when they try to ping the 192.168.88.0/24 segment.
The PIX will not route, that is, it will not send a packet out the same interface it was received on. In this case you may have the default route from the WWW server pointing to the PIX but no network route in the WWW host for the 192.168.88.0 subnet. Add a static route in the host for the 192.168.88.0 subnet pointing to the DMZ router address and test again.
That was what I did as a temporary solution on the WWW host. I added the route on the WWW host: route add net 192.168.88.0 10.10.10.2 1.
If this is the only solution, then it would mean any host in the dmz segment (same network segment) will have to perform the above tweak in order to work. Seems quite a hassle. Any changes/additions of subnets like 192.168.99.0/24 will require us to add the route on each individual host.
Hi, sounds to me like you have a router-on-a-stick situation but you have two interfaces on the router. If one interface on the router is connected to your DMZ switch, the DMZ interface on the PIX is also connected to that switch. The second interface on the router goes to another switch that hosts the 192.168.88.0 subnet. I would think, since the PIX will not pass traffic out the same interface it enters, the machines on the DMZ switch are going to have to default to the router's interface on the DMZ and then go to the PIX. The machines on the router's second interface are going to have to default to that interface (192.168.88.1... or whatever). There will then need to be a route statement in the PIX routing the 192.168.88.0 subnet to the DMZ interface on the router.
Make sense, or is this totally not what you're looking for?
If so, you should be able to set the default gateway for the machines in the DMZ to 10.10.2.2 (the router's interface on the DMZ subnet); the router should be able (because it is a directly connected network on that router) to route that traffic either to the 192.168.88.0 subnet or out the same interface to the PIX DMZ interface, with only one route statement in the router of 0.0.0.0 0.0.0.0 10.10.10.1. If you decide to add another subnet, say 192.168.99.0 off the router, just give the router's inside interface (192.168.88.1) a second address of 192.168.99.1, add another route in the PIX like the one you have, and you should be good to go.
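The layout the replies describe, written out as an added example (not configuration posted by anyone in this thread). Addresses are assumed from the thread: the router's DMZ-side interface is 10.10.10.2 (the gateway in the poster's host route), the PIX dmz interface is 10.10.10.1 (the gateway in the suggested router default route), and the router's far interface is 192.168.88.1; the router syntax assumes Cisco IOS, which the thread does not state.

```text
! PIX 6.2, only the lines relevant to the problem (assumed interface name ethernet2)
nameif ethernet2 dmz security50
ip address dmz 10.10.10.1 255.255.255.0
! 192.168.88.0/24 is reached through the router's DMZ-side interface
route dmz 192.168.88.0 255.255.255.0 10.10.10.2 1

! Router R (assumed Cisco IOS syntax and interface names)
interface FastEthernet0/0
 description DMZ segment, shared with the PIX dmz interface
 ip address 10.10.10.2 255.255.255.0
interface FastEthernet0/1
 description 192.168.88.0/24 segment
 ip address 192.168.88.1 255.255.255.0
! anything R does not have a connected route for goes to the PIX
ip route 0.0.0.0 0.0.0.0 10.10.10.1

! Host settings (no router or PIX config involved):
!   WWW server and other hosts on the DMZ segment: default gateway 10.10.10.2 (R), not 10.10.10.1 (PIX)
!   Hosts on 192.168.88.0/24: default gateway 192.168.88.1 (R)
!
! Traffic flow this gives:
!   DMZ host -> 192.168.88.11 : host -> R -> 192.168.88.11, the PIX never sees it,
!                                so the %PIX-3-106011 "Deny inbound (No xlate)" line stops
!   DMZ host -> inside/outside : host -> R -> PIX; the PIX receives it once on dmz and
!                                forwards it out inside/outside under the existing statics/conduits
!   192.168.88.x -> inside/outside : host -> R -> PIX (same path as above)
!
! Adding 192.168.99.0/24 later: one more address on R's far interface plus one more PIX line,
!   route dmz 192.168.99.0 255.255.255.0 10.10.10.2 1
! No per-host route entries are needed on the DMZ segment.
```

To confirm the change took effect, a DMZ host's traceroute to 192.168.88.11 should show 10.10.10.2 as the only hop before the target, and the 106011 log line for that pair should no longer appear on the PIX.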