Cisco Support Community

Problem with Servers using PIX outside INT as DGW

My problem is as follows:

I have a PIX 535 that has Inside/Outside interfaces. The Inside is my network and the Outside is a 3rd-party vendor's network. The inside has a router; the outside does not. The servers on the outside point to the PIX outside interface as their default gateway. In the PIX log, I see DENY logs for their traffic (I will post a log statement) going to anything considered "outside". But their traffic is fine going from Outside to Inside. I will post a cleaned-up (bogus IPs) config. Please help.

Actually, I don't have any log entries at this time, but basically the message I got was that any IP on the same subnet as the outside interface going to any other outside network was denied with (no xlate) after the DENY INBOUND statement in the log entry. If you need the actual DENY statement from the log, I will try to get it for you.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list no-nat permit ip 10.73.0.0 255.255.0.0 any
access-list no-nat permit ip 10.71.0.0 255.255.0.0 any
access-list no-nat permit ip 10.72.0.0 255.255.0.0 any
access-list no-nat permit ip 10.74.0.0 255.192.0.0 any
access-list no-nat permit ip 10.28.0.0 255.192.0.0 any
access-list blah_in permit icmp 10.71.33.0 255.255.255.0 any
access-list blah_in permit tcp 10.71.33.0 255.255.255.0 any
access-list blah_in permit udp 10.71.33.0 255.255.255.0 any
access-list blah_in permit ip 10.71.33.0 255.255.255.0 any
access-list blah_in deny ip any any
logging host inside x.x.x.x
logging host inside x.x.x.x
interface ethernet0 100full
interface ethernet1 100full
mtu outside 1500
mtu inside 1500
ip address outside 10.71.33.1 255.255.255.0
ip address inside 10.74.15.80 255.255.255.240
ip verify reverse-path interface outside
nat (inside) 0 access-list no-nat
static (inside,outside) 10.71.33.0 10.71.33.0 netmask 255.255.255.0 0 1000
access-group blah_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.71.33.1 1
route inside 10.74.0.0 255.192.0.0 10.74.15.77 1
route inside 10.28.0.0 255.192.0.0 10.74.15.77 1
route inside 10.71.0.0 255.255.0.0 10.74.15.77 1
route inside 10.72.0.0 255.255.0.0 10.74.15.77 1
route inside 10.73.0.0 255.255.0.0 10.74.15.77 1

2 REPLIES

Re: Problem with Servers using PIX outside INT as DGW

Hi,

please consider these points:

1. The PIX has some router capabilities, but it is not a full-blown router. The PIX only routes traffic that goes through the PIX (e.g. from outside to inside). The PIX does not route traffic that arrives at one interface (e.g. outside) and leaves the PIX on that very same interface.

2. I can see that the outside interface has the address 10.71.33.1. This is also the default interface of the PIX (route outside 0.0.0.0 0.0.0.0 10.71.33.1 1). That doesn't make any sense. You should remove that line if possible or specify another default gateway.

Kind Regards,

Tom
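To make the two points above checkable against the config quoted in the question, here is an added config-lint example (not code from the thread or from Cisco) that parses the `ip address` and `route` lines, flags any route whose next hop is one of the PIX's own interface addresses, and does a longest-prefix lookup to tell whether a packet entering a given interface would have to leave by that same interface, which PIX 6.2 will not do. The sample config is a constructed excerpt of the poster's lines; function and variable names are assumptions.

```python
import ipaddress
import re

# Constructed sample: the address and route lines of the PIX 6.2 config quoted in the question.
SAMPLE_CONFIG = """
ip address outside 10.71.33.1 255.255.255.0
ip address inside 10.74.15.80 255.255.255.240
route outside 0.0.0.0 0.0.0.0 10.71.33.1 1
route inside 10.74.0.0 255.192.0.0 10.74.15.77 1
route inside 10.71.0.0 255.255.0.0 10.74.15.77 1
"""

IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: \d+)?$")  # trailing metric is optional


def parse_config(text):
    """Return ({ifname: ip}, [(ifname, ip_network, gateway)]) from PIX config text."""
    addrs, routes = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = IP_ADDR_RE.match(line)
        if m:
            addrs[m.group(1)] = m.group(2)
            continue
        m = ROUTE_RE.match(line)
        if m:
            # "network mask" written as a dotted netmask; strict=False tolerates host bits
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            routes.append((m.group(1), net, m.group(4)))
    return addrs, routes


def self_gateway_routes(text):
    """Routes whose next hop is one of the PIX's own interface addresses: they forward nothing."""
    addrs, routes = parse_config(text)
    own = set(addrs.values())
    return [(ifn, str(net), gw) for ifn, net, gw in routes if gw in own]


def egress_interface(text, dst):
    """Longest-prefix lookup of dst in the route table; None if no route matches."""
    _, routes = parse_config(text)
    matches = [(net.prefixlen, ifn) for ifn, net, gw in routes if ipaddress.ip_address(dst) in net]
    return max(matches)[1] if matches else None


def would_hairpin(text, ingress_if, dst):
    """True when a packet entering ingress_if would have to leave by the same interface.
    The poster's 'outside to outside' flows (outside servers using the PIX as gateway) are this case."""
    return egress_interface(text, dst) == ingress_if
```

Running `self_gateway_routes(SAMPLE_CONFIG)` reports the default route pointing at 10.71.33.1, and `would_hairpin(SAMPLE_CONFIG, "outside", "192.0.2.7")` is True for any destination that only the default route covers.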


Re: Problem with Servers using PIX outside INT as DGW

Thank you for the quick response. I was thinking the same thing. Unfortunately I did not have the time to test that theory out. If anyone else has any insight on this problem, it would be welcomed.
