topic Re: PIX Firewall configuration in Network Security

PIX Firewall configuration

arumugasamy — Fri, 21 Feb 2020 08:28:57 GMT

Dear All,

I need to have your suggestion on the following issue.

I have pix firewall installed.The inside interface address is 172.16.1.0 /24

This pix inside is connected to the outside interface of ISA server. The ISA inside connected to the router eth0 interface.

172.16.1.1(PIXINSIDE)-172.16.1.5(ISA-OUTSIDE)-172.18.1.5 (ISA-Inside)-172.18.1.1 (router eth0)

The problem is I can ping all the lower interface ip being in 172.16.1.0 network i.e pix inside network, but I can not ping the same lower interfaces from the 172.18.1.0 network which is behind ISA Firewall.Please note that the ISA act as brige all the ports are opened both in & out.

I used NAT (inside 0 0 0 0 0

also NAT (inside) 0 access-list no-nat with

access-list no-nat permit ip 172.18.10 255.255.255.0 any ---> NAT EXEMPTION

nO RESULT

Please reply asasp.

thanks

swamy

Re: PIX Firewall configuration

jackko — Sat, 22 Oct 2005 12:19:16 GMT

you mentioned, "but I can not ping the same lower interfaces from the 172.18.1.0 network". just wondering if you are referring to the subnet that connected to the pix outside interface.

if so, then inbound acl is required for echo response on the pix. the reason being pix by default doesn't perform stateful inspection on icmp.

e.g. one way is to configure inbound acl

access-list 100 permit icmp any any eq echo-reply

access-group 100 in interface outside

Re: PIX Firewall configuration

arumugasamy — Mon, 24 Oct 2005 18:13:46 GMT

Mr.Jackko,

The 172.18.1.0 network is behind ISA server. I can explain that the ISA server is between the PIX firewall and the 172.18.1.0 network. ISA inside NIC connected to the 172.18.1.0 network and the ISA server outsdie NIC connected to the PIX Inside network that is 172.16.1.0. other PIX's interfaces are DMZ1, DMZ2, DMZ3.We can ping all the dmzs from 172.16.1.0 not from 172.18.1.0.

In the pix firewall all high to lower interfaces are configured with identity NAT (NAT 0 )

Please help me

Swamy

Re: PIX Firewall configuration

flopez — Mon, 24 Oct 2005 22:24:44 GMT

I had something like this happen to us. Are you maybe missing a route statement. Even though you may have an access-list, you will still need a route statement.

Re: PIX Firewall configuration

jackko — Tue, 25 Oct 2005 00:41:45 GMT

just wondering if there is a route pointing to isa for the subnet 172.18.1.0 on the pix.

e.g. with the current pix config,

route inside 172.18.1.0 255.255.255.0 172.16.1.5

Re: PIX Firewall configuration

jackko — Thu, 03 Nov 2005 11:19:22 GMT

just wondering how you go.