Cisco Support Community

PIX FIREWALL PROBLEM

I recently installed a PIX firewall with three interfaces and NAT. The network layout is as follows:

The network behind the internal interface has a 4700 router with multiple WAN ports and LAN ports. From this router there are three more networks, i.e.

The internal interface is on the network 166.107.220.0 with a subnet mask of 255.255.254.0. The 4700 ethernet port has ip 166.107.220.1. The internal interface ip is 166.107.220.3.

The 4700 router caters to the following networks using its WAN ports:

166.107.222.0/24; 166.107.19.0/24

The external interface ip is 166.107.250.226/27. This is connected to a router with ethernet ip 166.107.250.225/27. This router connects the LAN to the outside world.

After configuring the PIX and the routers, the users on the network 166.107.220.0 are able to access the internet, etc. But the users on 166.107.222.0 and 166.107.19.0 are not.

Please help to resolve this issue.

thanks

srin

3 REPLIES

Re: PIX FIREWALL PROBLEM

Does the PIX have a route to those 2 internal networks (can the PIX ping those subnets)?

Are those 2 networks part of the nat command (eg nat (inside) 1 0 0)?

Any access-list?

Hope it helps

Steve


Re: PIX FIREWALL PROBLEM

Hi

Yes, the PIX has a route to these 2 internal networks with a route (inside) command pointing to the router interface connected to the inside interface of the PIX, i.e.

the inside interface is 166.107.220.3. The router on this network is 166.107.220.1. One of the test nodes on those networks, i.e. 166.107.222.4, can ping 166.107.220.3. But it cannot ping the outside interface on the PIX. The nodes on the 166.107.220.0 network can ping to the outside of the PIX.

The NAT command is NAT (inside) 1 0 0, and it is assumed that all the networks beyond the 166.107.220.0 network are taken care of with this command.

The access-lists are applied to allow any any for tcp and icmp.

Re: PIX FIREWALL PROBLEM

Your 166.107.220.0 inside hosts also can't ping the outside interface of the PIX, can they?

Small chance here but are you using NAT or PAT? If NAT, do you have enough addresses?

What does the show log or syslog show when those 2 networks try to go outside?

DNS setup for those networks (nslookups work?)?

Can you post the config minus passwords?

Steve
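The pieces Steve's two replies ask about (route inside, the nat/global pair, the inbound ICMP access-list, and logging) fit together as below. This is an added illustrative PIX 6.x fragment written for this thread, not the original poster's configuration: the addresses are the ones given in the thread, while the interface names, the choice of PAT on the outside address, the access-list name and the logging level are assumptions. The third interface the poster mentions is not shown because nothing about it is known.

```text
! Added illustrative PIX 6.x fragment; not the poster's real config.
! Interface names, PAT choice, ACL name and logging level are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 166.107.250.226 255.255.255.224
ip address inside 166.107.220.3 255.255.254.0
!
! Default route towards the upstream router on the outside segment
route outside 0.0.0.0 0.0.0.0 166.107.250.225 1
!
! Routes to the two remote subnets behind the 4700, via its ethernet port.
! Without these the PIX has no return path, so replies coming back from
! the outside are dropped even if the outbound packets reach the PIX.
route inside 166.107.222.0 255.255.255.0 166.107.220.1 1
route inside 166.107.19.0 255.255.255.0 166.107.220.1 1
!
! "nat (inside) 1 0 0" is shorthand for the line below: it matches every
! inside source address, including the two remote subnets, so no extra
! per-subnet nat statement is needed.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
! The matching global decides whether this is NAT or PAT. PAT on the
! outside interface address (assumed here) never runs out of addresses;
! a pool such as
!   global (outside) 1 166.107.250.227-166.107.250.250
! fails for further hosts once every pool address is in use.
global (outside) 1 interface
!
! Allow ICMP echo replies back in; PIX 6.x does not track ICMP state,
! so ping tests from inside need this even with "any any" for tcp.
access-list acl_out permit icmp any any
access-group acl_out in interface outside
!
! Buffer syslog so "show logging" shows denied or untranslated packets
logging on
logging buffered warnings
```

With that in place, `show route` confirms both remote subnets point at 166.107.220.1, `show xlate` shows whether a translation is actually built when 166.107.222.4 goes outside, and `show logging` (or `debug icmp trace` during a ping test) shows where a packet is being dropped. One thing the second reply hints at: an inside host can never ping the PIX's own outside interface, regardless of routes or NAT, because the PIX does not answer ICMP on an interface from hosts behind a different interface, so that test says nothing about the remote subnets; pinging 166.107.250.225 or a host beyond it is the meaningful check.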
