PIX Firewall configuration

arumugasamy
Level 1

Dear All,

I need to have your suggestion on the following issue.

I have a PIX firewall installed. The inside interface address is 172.16.1.0 /24

This pix inside is connected to the outside interface of ISA server. The ISA inside connected to the router eth0 interface.

172.16.1.1(PIXINSIDE)-172.16.1.5(ISA-OUTSIDE)-172.18.1.5 (ISA-Inside)-172.18.1.1 (router eth0)

The problem is I can ping all the lower interface IPs when I am in the 172.16.1.0 network, i.e. the PIX inside network, but I cannot ping the same lower interfaces from the 172.18.1.0 network which is behind the ISA firewall. Please note that the ISA acts as a bridge; all the ports are open both in and out.

I used NAT (inside 0 0 0 0 0

also NAT (inside) 0 access-list no-nat with

access-list no-nat permit ip 172.18.10 255.255.255.0 any ---> NAT EXEMPTION

No result.

Please reply ASAP.

thanks

swamy

5 Replies

jackko
Level 7

you mentioned, "but I can not ping the same lower interfaces from the 172.18.1.0 network". just wondering if you are referring to the subnet that is connected to the pix outside interface.

if so, then inbound acl is required for echo response on the pix. the reason being pix by default doesn't perform stateful inspection on icmp.

e.g. one way is to configure inbound acl

access-list 100 permit icmp any any eq echo-reply

access-group 100 in interface outside

Mr.Jackko,

The 172.18.1.0 network is behind the ISA server. I can explain that the ISA server is between the PIX firewall and the 172.18.1.0 network. The ISA inside NIC is connected to the 172.18.1.0 network and the ISA server outside NIC is connected to the PIX inside network, that is 172.16.1.0. The other PIX interfaces are DMZ1, DMZ2, DMZ3. We can ping all the DMZs from 172.16.1.0, not from 172.18.1.0.

In the PIX firewall all high-to-lower interfaces are configured with identity NAT (NAT 0).

Please help me

Swamy

just wondering if there is a route pointing to isa for the subnet 172.18.1.0 on the pix.

e.g. with the current pix config,

route inside 172.18.1.0 255.255.255.0 172.16.1.5
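Putting the route and NAT-exemption suggestions from this thread together as one PIX 6.x configuration fragment. This is an added example, not configuration from the original posts; it assumes the exemption subnet in the question was meant to be 172.18.1.0/24, that the DMZ interface is named dmz1, and it uses the PIX ICMP ACL syntax in which the ICMP type follows the addresses without `eq`.

```cisco
! Constructed example. Addressing taken from the thread:
! pix inside 172.16.1.1, ISA outside 172.16.1.5, ISA inside 172.18.1.5.

! 1. Return route for the subnet behind ISA, via the ISA outside address on
!    the inside interface. Without it, replies to 172.18.1.x follow the
!    default route out the outside interface and never come back through ISA.
route inside 172.18.1.0 255.255.255.0 172.16.1.5 1

! 2. NAT exemption has to name the subnet that actually sources the traffic
!    (172.18.1.0/24), not only the directly connected 172.16.1.0/24; otherwise
!    the pix has no translation for those hosts and drops their packets.
access-list no-nat permit ip 172.16.1.0 255.255.255.0 any
access-list no-nat permit ip 172.18.1.0 255.255.255.0 any
nat (inside) 0 access-list no-nat

! 3. The pix does not inspect ICMP statefully, so echo-replies must be permitted
!    back in on the lower-security interface the hosts ping. Scope the permit to
!    the two pinging subnets rather than "any any" so the hole stays narrow.
!    Note the implicit deny at the end: any other traffic the DMZ already
!    initiates needs its own permit line before this ACL is applied.
access-list dmz1_in permit icmp any 172.16.1.0 255.255.255.0 echo-reply
access-list dmz1_in permit icmp any 172.18.1.0 255.255.255.0 echo-reply
access-group dmz1_in in interface dmz1

! Verification: the route must show 172.18.1.0 via 172.16.1.5 on inside, and
! the no-nat ACL must list both subnets with non-zero hit counts after a ping.
show route
show access-list
```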

flopez
Level 1

I had something like this happen to us. Are you maybe missing a route statement? Even though you may have an access-list, you will still need a route statement.

just wondering how you go.
