Routing through PIX

kenny504 · March 2011

I have a poorly designed network connected to a pix, that connects another network

I am having trouble routing traffic through the pix.

here is the setup

192.168.5.0/24---(Router)---10.0.0.5/16

10.0.0.3/16---(PIX)

The problem is host on the 192.168.5.0 network cannot ping any host on the 10.0.0.0 /16 but they can ping the firewall, anything they cannot reach.

the router has a route to the 10.0.0.0 net that is directly conencted.

and the pix has the following "route inside 192.168.5.0 255.255.255.0 10.0.0.5" telling host on the pix lan where to go.

What am i missing? i checked access-list still nothing

millworx · March 2011

kenny504 wrote: »

I have a poorly designed network connected to a pix, that connects another network

I am having trouble routing traffic through the pix.

here is the setup

192.168.5.0/24---(Router)---10.0.0.5/16
10.0.0.3/16---(PIX)

The problem is host on the 192.168.5.0 network cannot ping any host on the 10.0.0.0 /16 but they can ping the firewall, anything they cannot reach.

the router has a route to the 10.0.0.0 net that is directly conencted.

and the pix has the following "route inside 192.168.5.0 255.255.255.0 10.0.0.5" telling host on the pix lan where to go.

What am i missing? i checked access-list still nothing

By default pinging from outside to inside is disabled. (actually i think most ICMP is disabled)

You'll need an access list permitting it, and apply it to your interface.

access-list 100 permit icmp any host mapped_ip_address echo (echo-reply,
etc)
access-group 100 in interface outside (inside, dmz, etc.)
 
or you could get dangerous with
 
permit icmp any any echo
permit icmp any any echo-reply

I take it from your diagram that the router and connected subnet are on the inside interface of your PIX? If they are on the outside interface you will also need to create a nat rule from outside -> in. Or turn off natting altogether, depending on your application.

ConstantlyLearning · March 2011

kenny504 wrote: »

192.168.5.0/24---(Router)---10.0.0.5/16
10.0.0.3/16---(PIX)

The problem is host on the 192.168.5.0 network cannot ping any host on the 10.0.0.0 /16 but they can ping the firewall, anything they cannot reach.

So the traffic is between the 192.168.5.0/24 and 10.0.0.0/16 networks which are seperated by the router. There will be no involvement by the PIX.

I'd start by looking at ACL's on the router.

Can you post the router config?

hasitha257 · March 2011

So I am assuming you have hosts on your FW DMZ ? and who is the default gateway for the hosts, is it the router or the FW?

vinbuck · March 2011

kenny504 wrote: »

I have a poorly designed network connected to a pix, that connects another network

I am having trouble routing traffic through the pix.

here is the setup

192.168.5.0/24---(Router)---10.0.0.5/16
10.0.0.3/16---(PIX)

The problem is host on the 192.168.5.0 network cannot ping any host on the 10.0.0.0 /16 but they can ping the firewall, anything they cannot reach.

the router has a route to the 10.0.0.0 net that is directly conencted.

and the pix has the following "route inside 192.168.5.0 255.255.255.0 10.0.0.5" telling host on the pix lan where to go.

What am i missing? i checked access-list still nothing

What network is on the outside of the PIX? It seems like your problem is in your router and not the PIX if you're having issues between 192.168.5.0/24 and 10.0.0.0/16 since that device connects those two networks according to your "drawing"

Routing through PIX

Comments