I have a PIX 535 that has Inside/Outside interfaces. The Inside is my network and the outside is a 3rd party vendor's network. The inside has a router; the outside does not. The servers on the outside point to the PIX outside interface as their default gateway. In the PIX log, I see DENY logs for their traffic (I will post a log statement) going to anything considered "outside". But their traffic is fine going from Outside to Inside. I will post a cleaned-up (bogus IPs) config. Please help.
Actually, I don't have any log entries at this time, but basically the message I got was that any IP on the same subnet as the outside int going to any other outside network was denied with (no xlate) after the DENY INBOUND statement in the log entry. If you need the actual DENY statement from the log, I will try to get it for you.
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list no-nat permit ip 10.73.0.0 255.255.0.0 any
access-list no-nat permit ip 10.71.0.0 255.255.0.0 any
access-list no-nat permit ip 10.72.0.0 255.255.0.0 any
access-list no-nat permit ip 10.74.0.0 255.192.0.0 any
access-list no-nat permit ip 10.28.0.0 255.192.0.0 any
access-list blah_in permit icmp 10.71.33.0 255.255.255.0 any
access-list blah_in permit tcp 10.71.33.0 255.255.255.0 any
access-list blah_in permit udp 10.71.33.0 255.255.255.0 any
access-list blah_in permit ip 10.71.33.0 255.255.255.0 any
Re: Problem with Servers using PIX outside INT as DGW
Please consider these points:
1. The PIX has some router capabilities, but is not a full-blown router. The PIX only routes traffic that goes through the PIX (e.g. from outside to inside). The PIX does not route traffic that arrives at one interface (e.g. outside) and leaves the PIX on that very same interface.
2. I can see that the outside interface has the address 10.71.33.1. This is also the default interface of the PIX (route outside 0.0.0.0 0.0.0.0 10.71.33.1 1). That doesn't make any sense. You should remove that line if possible or specify another default gateway.
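Both points in the reply above can be checked against a saved config. This is an added example, not part of the original thread: it parses PIX 6.x `ip address` and `route` lines, flags a route whose next hop is the firewall's own interface address, and tests whether a flow would have to leave on the interface it arrived on. The `ip address` lines, the inside route and the test addresses are constructed assumptions; only the outside route line comes from the reply.

```python
import ipaddress

# Constructed sample in PIX 6.x syntax. The outside route is the line quoted in
# the reply; the "ip address" lines and the inside route are assumptions.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 10.71.33.1 255.255.255.0
ip address inside 192.0.2.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.71.33.1 1
route inside 10.73.0.0 255.255.0.0 192.0.2.254 1
"""

def parse(config):
    """Return ({ifname: IPv4Interface}, [(ifname, IPv4Network, gateway)])."""
    addrs, routes = {}, []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["ip", "address"] and len(tok) >= 5:
            addrs[tok[2]] = ipaddress.ip_interface(f"{tok[3]}/{tok[4]}")
        elif tok[:1] == ["route"] and len(tok) >= 5:
            net = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
            routes.append((tok[1], net, ipaddress.ip_address(tok[4])))
    return addrs, routes

def self_pointing_routes(addrs, routes):
    """Routes whose next hop is the firewall's own address on that interface."""
    return [(ifn, net) for ifn, net, gw in routes
            if ifn in addrs and addrs[ifn].ip == gw]

def egress_interface(addrs, routes, dst):
    """Longest-prefix match over connected subnets and static routes."""
    dst = ipaddress.ip_address(dst)
    cands = [(i.network, name) for name, i in addrs.items()]
    cands += [(net, ifn) for ifn, net, _ in routes]
    hits = [(net.prefixlen, name) for net, name in cands if dst in net]
    return max(hits)[1] if hits else None

def is_hairpin(addrs, routes, ingress, dst):
    """True when a packet arriving on `ingress` would have to leave on it again."""
    return egress_interface(addrs, routes, dst) == ingress

if __name__ == "__main__":
    addrs, routes = parse(SAMPLE_CONFIG)
    print("self-pointing routes:", self_pointing_routes(addrs, routes))
    print("outside -> 198.51.100.10 hairpins:",
          is_hairpin(addrs, routes, "outside", "198.51.100.10"))
```
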