Routing through PIX
I have a poorly designed network connected to a PIX, which connects another network.
I am having trouble routing traffic through the PIX.
Here is the setup:
192.168.5.0/24---(Router)---10.0.0.5/16
10.0.0.3/16---(PIX)
The problem is hosts on the 192.168.5.0 network cannot ping any host on the 10.0.0.0/16, but they can ping the firewall; anything else they cannot reach.
The router has a route to the 10.0.0.0 net, which is directly connected.
And the PIX has the following: "route inside 192.168.5.0 255.255.255.0 10.0.0.5", telling hosts on the PIX LAN where to go.
What am I missing? I checked the access-list; still nothing.
There is no better than adversity, every defeat, every loss, every heartbreak contains its seed. Its own lesson on how to improve on your performance the next time.
Comments
millworx:
By default, pinging from outside to inside is disabled (actually I think most ICMP is disabled).
You'll need an access list permitting it, and apply it to your interface:
    access-list 100 permit icmp any host mapped_ip_address echo
    access-list 100 permit icmp any host mapped_ip_address echo-reply   (etc.)
    access-group 100 in interface outside   (or inside, dmz, etc.)
Or you could get dangerous with:
    permit icmp any any echo
    permit icmp any any echo-reply
I take it from your diagram that the router and connected subnet are on the inside interface of your PIX? If they are on the outside interface, you will also need to create a NAT rule from outside -> in, or turn off NATting altogether, depending on your application.
Currently Reading:
CCIE: Network Security Principals and Practices
CCIE: Routing and Switching Exam Certification Guide
ConstantlyLearning:
192.168.5.0/24---(Router)---10.0.0.5/16
10.0.0.3/16---(PIX)
The problem is hosts on the 192.168.5.0 network cannot ping any host on the 10.0.0.0/16, but they can ping the firewall; anything else they cannot reach.
So the traffic is between the 192.168.5.0/24 and 10.0.0.0/16 networks, which are separated by the router. There will be no involvement by the PIX.
I'd start by looking at ACLs on the router.
Can you post the router config?
"There are 3 types of people in this world, those who can count and those who can't"
hasitha257:
So I am assuming you have hosts on your FW DMZ? And who is the default gateway for the hosts, is it the router or the FW?
vinbuck:
What network is on the outside of the PIX? It seems like your problem is in your router and not the PIX, if you're having issues between 192.168.5.0/24 and 10.0.0.0/16, since that device connects those two networks according to your "drawing".
Cisco was my first networking love, but my "other" router is a Mikrotik...
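To make the point raised by ConstantlyLearning and vinbuck concrete, here is an added example (not from the thread or from any Cisco tool) that models the posted topology as route tables and walks a longest-prefix-match lookup device by device. The hosts' gateways and the addresses 10.0.0.50 and 192.168.5.10 are assumed for illustration.

```python
import ipaddress

# Constructed model of the thread's topology. Hosts on 192.168.5.0/24 are
# assumed to use the router as their gateway (hasitha257's question).
ROUTES = {
    "router": [  # only directly connected routes, as the poster described
        ("192.168.5.0/24", "connected"),
        ("10.0.0.0/16", "connected"),      # interface 10.0.0.5/16
    ],
    "pix": [
        ("10.0.0.0/16", "connected"),      # inside interface 10.0.0.3/16
        ("192.168.5.0/24", "10.0.0.5"),    # route inside 192.168.5.0 255.255.255.0 10.0.0.5
    ],
}
# Next-hop address -> device that owns it, so a trace can follow the hop.
ADDRESSES = {"10.0.0.5": "router", "10.0.0.3": "pix"}


def lookup(device, dst):
    """Longest-prefix match on a device's table; 'connected', a next hop, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in ROUTES[device]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return None if best is None else best[1]


def trace(first_hop, dst, max_hops=8):
    """Follow forwarding decisions from the host's gateway; list devices crossed."""
    path, device = [], first_hop
    for _ in range(max_hops):
        path.append(device)
        nh = lookup(device, dst)
        if nh == "connected":       # destination is on this device's own LAN
            return path
        if nh is None:              # no route: the device drops the packet
            path.append("no-route")
            return path
        device = ADDRESSES.get(nh, nh)
    path.append("loop?")
    return path


if __name__ == "__main__":
    print("192.168.5.x -> 10.0.0.50 :", trace("router", "10.0.0.50"))     # ['router']
    print("pix -> 192.168.5.10      :", trace("pix", "192.168.5.10"))    # ['pix', 'router']
```

The first trace never touches the PIX, so its access-list cannot be what blocks the ping; the PIX route only matters for traffic the PIX itself originates or receives, such as replies from 10.0.0.0/16 hosts whose default gateway is the PIX, which the PIX would then have to send back out its inside interface.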