Cisco Support Community
New Member

PIX Firewall configuration

Dear All,

I need to have your suggestion on the following issue.

I have a PIX firewall installed. The inside interface address is 172.16.1.0/24.

This pix inside is connected to the outside interface of ISA server. The ISA inside connected to the router eth0 interface.

172.16.1.1(PIXINSIDE)-172.16.1.5(ISA-OUTSIDE)-172.18.1.5 (ISA-Inside)-172.18.1.1 (router eth0)

The problem is I can ping all the lower interface IPs when I am in the 172.16.1.0 network, i.e. the PIX inside network, but I can not ping the same lower interfaces from the 172.18.1.0 network which is behind the ISA firewall. Please note that the ISA acts as a bridge; all the ports are opened both in & out.

I used nat (inside) 0 0 0 0 0

also nat (inside) 0 access-list no-nat with

access-list no-nat permit ip 172.18.1.0 255.255.255.0 any ---> NAT EXEMPTION

No result.

Please reply ASAP.

thanks

swamy

5 REPLIES
Gold

Re: PIX Firewall configuration

you mentioned, "but I can not ping the same lower interfaces from the 172.18.1.0 network". just wondering if you are referring to the subnet that is connected to the pix outside interface.

if so, then inbound acl is required for echo response on the pix. the reason being pix by default doesn't perform stateful inspection on icmp.

e.g. one way is to configure inbound acl

access-list 100 permit icmp any any echo-reply

access-group 100 in interface outside

New Member

Re: PIX Firewall configuration

Mr.Jackko,

The 172.18.1.0 network is behind the ISA server. I can explain that the ISA server is between the PIX firewall and the 172.18.1.0 network. The ISA inside NIC is connected to the 172.18.1.0 network and the ISA server outside NIC is connected to the PIX inside network, that is 172.16.1.0. The other PIX interfaces are DMZ1, DMZ2, DMZ3. We can ping all the DMZs from 172.16.1.0, not from 172.18.1.0.

In the PIX firewall all higher-to-lower interfaces are configured with identity NAT (nat 0).

Please help me

Swamy

Gold

Re: PIX Firewall configuration

just wondering if there is a route pointing to isa for the subnet 172.18.1.0 on the pix.

e.g. with the current pix config,

route inside 172.18.1.0 255.255.255.0 172.16.1.5

New Member

Re: PIX Firewall configuration

I had something like this happen to us. Are you maybe missing a route statement? Even though you may have an access-list, you will still need a route statement.
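As an added illustration, not part of the thread or any Cisco tool, the following Python model of a PIX-style longest-prefix route lookup shows why the route statement in the two replies above matters: with only a default route, replies addressed to the 172.18.1.0/24 network behind the ISA leave via the outside interface instead of going back to the ISA at 172.16.1.5. The DMZ and outside addressing, the default gateway and the host 172.18.1.20 are constructed assumptions; the thread only gives the inside addressing.

```python
# Added example (not from the thread): a minimal model of how a PIX picks
# the egress interface for a reply packet via longest-prefix match over
# connected networks and static "route" statements.
import ipaddress

# Connected interfaces. Only "inside" comes from the thread; the DMZ and
# outside networks are assumed for the example.
INTERFACES = {
    "inside": ipaddress.ip_network("172.16.1.0/24"),
    "dmz1": ipaddress.ip_network("192.168.10.0/24"),    # assumed
    "outside": ipaddress.ip_network("203.0.113.0/24"),  # assumed
}

def parse_route(line):
    """Parse 'route <if> <net> <mask> <gateway>' into (if, network, gateway)."""
    _, ifname, net, mask, gw = line.split()
    return ifname, ipaddress.ip_network(f"{net}/{mask}"), ipaddress.ip_address(gw)

def lookup(dst, route_lines):
    """Return (egress_if, next_hop) for dst: longest matching prefix wins,
    connected networks included; next_hop is 'connected' for local subnets."""
    dst = ipaddress.ip_address(dst)
    best = None  # (prefixlen, ifname, next_hop)
    for ifname, net in INTERFACES.items():
        if dst in net:
            best = (net.prefixlen, ifname, "connected")
    for ifname, net, gw in map(parse_route, route_lines):
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, ifname, str(gw))
    return None if best is None else best[1:]

# Before: only a default route (assumed gateway), as the original post implies.
ROUTES_BEFORE = ["route outside 0.0.0.0 0.0.0.0 203.0.113.1"]
# After: the static route suggested in the thread, pointing the ISA-side
# network at the ISA outside address.
ROUTES_AFTER = ROUTES_BEFORE + ["route inside 172.18.1.0 255.255.255.0 172.16.1.5"]

if __name__ == "__main__":
    for label, routes in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        # before -> ('outside', '203.0.113.1'); after -> ('inside', '172.16.1.5')
        print(label, "reply to 172.18.1.20 ->", lookup("172.18.1.20", routes))
```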

Gold

Re: PIX Firewall configuration

just wondering how you go.
