%PIX-3-106011

tantk

Hi,

I've searched through the forum for a solution and it seems like they all direct to the same text in the PIX 6.2 documentation.

Probably the best way to understand the problem is how the firewall is configured in the first place.

Mine (PIX) is comprised of inside, outside and dmz: 3 interfaces at the moment. Under DMZ, there is another router (R) with two interfaces: one to the same network segment as the DMZ interface and the other to another subnet, 192.168.88.0/24. In the PIX, I've configured nat (dmz) 1 0 0 0 0 and a global address. Conduits and statics have been added for traffic between outside and dmz or dmz and inside and vice versa. I also added a route for the 192.168.88.0/24 subnet in the PIX to route it to the outside interface of (R).

In the DMZ segment, I have a WWW server. When I ping a host under the 192.168.88.0/24 segment, I started to get messages in the log like:

Aug 22 11:51:09 [A.B.C.D.2.2] Aug 22 2002 11:53:34: %PIX-3-106011: Deny inbound (No xlate) icmp src dmz:10.10.10.1 dst dmz:192.168.88.11 (type 0, code 0)

However, I have no problem pinging the 192.168.88.0/24 hosts from the PIX or from hosts on the (inside) interface.

The error only comes from hosts located in the same segment where the (dmz) interface is connected when they try to ping the 192.168.88.0/24 segment.

Any clues?

Regards,

--

Tan Tshun Kiat (Mr)

Systems Administrator (Unix)

Information Technology Group

Institute For Communications Research
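A small log parser for the %PIX-3-106011 message quoted above, added here as an example and not code from the original thread: it extracts the protocol, interfaces and addresses from each line and flags denials whose source and destination interface are the same, which is the same-interface case behind this symptom. The sample log lines are constructed; only the first is the one from the post.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Matches the %PIX-3-106011 "Deny inbound (No xlate)" text; search() ignores
# whatever syslog relay prefix (timestamp, host) precedes the message ID.
PIX_106011 = re.compile(
    r"%PIX-3-106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)(?:/\d+)?"
)

@dataclass
class Denial:
    proto: str
    src_if: str
    src: str
    dst_if: str
    dst: str

    @property
    def hairpin(self) -> bool:
        # Destination is routed out the interface the packet arrived on. The
        # PIX will not send traffic back out its ingress interface, so this is
        # the symptom of a DMZ host using the PIX as gateway for a subnet that
        # actually sits behind a router on the same segment.
        return self.src_if == self.dst_if

def parse_106011(line: str) -> Optional[Denial]:
    m = PIX_106011.search(line)
    if m is None:
        return None
    return Denial(m["proto"], m["src_if"], m["src"], m["dst_if"], m["dst"])

def hairpin_denials(lines: Iterable[str]) -> List[Denial]:
    return [d for d in map(parse_106011, lines) if d is not None and d.hairpin]

# Constructed sample: the first line is the one quoted in the thread; the rest
# are made up in the same format (a second DMZ host, an inside->dmz denial
# that is an ordinary missing-xlate case, and an unrelated message).
SAMPLE_LOG = [
    "Aug 22 2002 11:53:34: %PIX-3-106011: Deny inbound (No xlate) icmp "
    "src dmz:10.10.10.1 dst dmz:192.168.88.11 (type 0, code 0)",
    "Aug 22 2002 11:54:01: %PIX-3-106011: Deny inbound (No xlate) tcp "
    "src dmz:10.10.10.5/40211 dst dmz:192.168.88.11/22",
    "Aug 22 2002 11:54:07: %PIX-3-106011: Deny inbound (No xlate) tcp "
    "src inside:172.16.1.9/40212 dst dmz:10.10.10.5/80",
    "Aug 22 2002 11:54:09: %PIX-6-302001: Built inbound TCP connection 12",
]
```

Run `hairpin_denials(SAMPLE_LOG)` to list the same-interface denials; a burst of these from one source is the sign that a host on that segment needs its gateway or routes adjusted rather than a PIX rule change.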

6 Replies

pgolding

PIX will not route, that is, it will not send a packet out the same interface it was received on. In this case you may have the default route from the www server pointing to the PIX but no network route in the www host for the 192.168.88.0 subnet. Add a static route in the host for the 192.168.88.0 subnet pointing to the DMZ router address and test again.

Sir,

That was what I did as a temporary solution on the www host. I added the route on the www, route add net 192.168.88.0 10.10.10.2 1.

If this is the only solution, then it would mean any host in the dmz segment (same network segment) will have to perform the above tweak in order to work. Seems quite a hassle. Any changes/additions of subnets like 192.168.99.0/24 will require us to add the route on each individual host.

PS: Thanks for the quick response.

Regards,

--

TTK

Hi, sounds to me like you have a router-on-a-stick situation but you have two interfaces on the router. If one interface on the router is connected to your DMZ switch, the DMZ interface on the PIX is also connected to that switch. The second interface on the router goes to another switch that hosts the 192.168.88.0 subnet. I would think since the PIX will not pass traffic out the same interface it enters, the machines on the DMZ switch are going to have to default to the router's interface on the DMZ and then go to the PIX. The machines on the router's second interface are going to have to default to that interface (192.168.88.1...or whatever). There will then need to be a route statement in the PIX routing the 192.168.88.0 subnet to the DMZ interface on the router.

Make sense, or is this totally not what you’re looking for?

Hi,

Thanks. Yes, I had that statement inside the PIX all along. Without it, inside to dmz and vice versa will not work even though the conduits or statics are in place.

route (dmz) 192.168.88.0 255.255.255.0 10.10.10.2 2

But it will not solve the problem I describe. The temporary solution I used is to add a route inside each host on the same dmz segment saying

route add net 192.168.88.0 10.10.10.2 1

Which I think is not the ultimate solution, because it will cause a hassle if there is an additional segment like 192.168.99.0/24.

Regards,

--

TTK

Is this what your topology looks like? Are you using a Cisco router?

|
| outside
| |
| PIX |------>inside
|10.10.10.1
| DMZ
| DMZ |
|Switch|-------> http://www.server.com
|
|10.10.10.2 (outside interface on router)
| |
|Router|
| |
|192.168.88.1 (inside interface of router)
|
|
|
|Switch|------>192.168.88.x

If so, you should be able to set the default gateway for the machines in the DMZ to 10.10.2.2 (the router's interface on the DMZ subnet). The router should be able (because it is a directly connected network on that router) to route that traffic to either the 192.168.88.0 subnet or send it out the same interface to the PIX DMZ interface with only one route statement in the router of 0.0.0.0 0.0.0.0 10.10.10.1. If you decide to add another subnet off the router, say 192.168.99.0, just give the router's inside interface (192.168.88.1) a second address of 192.168.99.1, add another route in the PIX like the one you have, and you should be good to go.

Sorry for the terrible drawing....

Hi,

Yes it works. 8-)

Thanks.

Regards,

--

Tan Tshun Kiat (Mr)

Systems Administrator (Unix)

Information Technology Group

Institute For Communications Research