topic Re: PIX v6.3 issue in Network Security

PIX v6.3 issue

youssef_1985 — Mon, 11 Mar 2019 13:56:23 GMT

hi,

my router connect in inside I have other subnet to reach Behind my Router (add 172.20.1.250) and i can ping to any subnet in outside

but not Behind my router but if i ping from my PIX it's Successful toward all subnet

I am connected in inside and my GW is 172.20.1.10

this is my config.

Re: PIX v6.3 issue

andrew.prince — Mon, 13 Oct 2008 06:55:08 GMT

Are you trying to ping from the "outside" to the "inside" ??

if so - you do not have any static nat translations for 172.20.1.250.

HTH>

Re: PIX v6.3 issue

youssef_1985 — Tue, 14 Oct 2008 08:37:36 GMT

i don't need ping from outside to inside

my objectify is:

from my PC (172.20.1.25 gw PIX) ping subnets behind my router(172.20.1.250)

test from my PC:

ping subnets outside--->OK

ping gw PIX ------->OK

ping gw Router---->OK

ping subnet behind Router----->NOK "problem"

Re: PIX v6.3 issue

andrew.prince — Tue, 14 Oct 2008 08:52:50 GMT

Firstly you design is wrong, it is possible to do what you want using the PIX, but you will have to upgrade and do some complicated config.

1) You should not have a DG of the PIX if you have a layer 3 routing device in your network.

I suggest you do the following:-

Change the DG of your PC to 172.20.1.250.

In the router add a static route:-

ip route 192.168.1.0 255.255.255.0 172.20.1.10

This will fix your issues.

HTH>

Re: PIX v6.3 issue

youssef_1985 — Tue, 14 Oct 2008 09:17:21 GMT

thanks for your help,

but why should not have a DG of the PIX if you have a layer 3 routing device in your network?

I already test your suggest it's working fine.

yhanks

Re: PIX v6.3 issue

andrew.prince — Tue, 14 Oct 2008 09:32:52 GMT

Honestly - it's a bad use of networking devices. The PIX is a "Firewall" to protect and give access between a trusted an un-trusted networks.

A router is a layer 3 IP routing device, design for routing IP subnet works.

If you have both devices available - then the router should be a router, the firewall should be a firewall. Only in cases where you only have one should you really make the devices duel purpose,

besides, your PIX was running 6.3 code - you would need to upgrade to 7.x or 8.x to do what you wanted to do, which would have been:-

static (inside,inside) 172.20.1.0 172.20.1.0 netmask 255.255.255.0

same-security-traffic permit intra-interface

the above would:-

1) Not nat any traffic from 172.20.1.0 to 172.20.1.0

2) Allow traffic recevied on the inside interface to be transmitted back out of the inside interface.

As you can see - the above is exactly 100% what a router does..... do you understand?

HTH>

Re: PIX v6.3 issue

youssef_1985 — Tue, 14 Oct 2008 09:42:54 GMT

yes thank you very much.

Re: PIX v6.3 issue

andrew.prince — Tue, 14 Oct 2008 09:44:23 GMT

np - glad to help.

Re: PIX v6.3 issue

youssef_1985 — Tue, 14 Oct 2008 10:44:51 GMT

*Allow traffic recevied on the inside interface to be transmitted back out of the inside interface

why CMD i need to use for this?"access-list"

Re: PIX v6.3 issue

andrew.prince — Tue, 14 Oct 2008 11:11:54 GMT

same-security-traffic permit intra-interface - is the command you need.

BUT as I have previsouly posted - you NEED to upgrade to either 7.x or 8.x of IOS.

HTH>