Can't get through PIX firewall

w.johnson (Level 1)

Hello all,

I am using a PIX 515E with two interfaces and can't get out from the inside to the outside interface. I don't need or want NAT.

The network is configured as follows...

router <---> pix <----> switch

Without the PIX the router's address is 192.168.1.1 and everything works great. After inserting the PIX I changed the router's address to 192.168.2.1 255.255.255.0.

The PIX is configured as follows.

nat (inside) 0 192.168.1.0 255.255.255.0 0 0

route outside 0.0.0.0 0.0.0.0 192.168.2.1 1

ip address outside 192.168.2.2 255.255.255.0

ip address inside 192.168.1.1 255.255.255.0

I also created and applied an access-list to the outside and inside interface that allows icmp packets.

When I telnet into the PIX from the inside network I can ping the inside network but can't ping the router. From the inside network I can ping the inside interface but not the outside interface.

Can anyone tell me what I have missed or am doing wrong?

Thanks in Advance

Warren Johnson

4 Replies

bosoro (Cisco Employee)

Warren,

I have a few suggestions.

1st, I would get rid of your NAT 0 configuration. NAT0 is *always* a bad idea, unless you are by-passing nat for a VPN tunnel.

If you don't want a network to be translated, I would highly advise that you static the network to itself,

i.e. static (inside,outside) 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0

2nd, the router probably needs to have its ARP cache cleared with the command "clear arp".

I would issue that command on the Router as well as the PIX.

3rd, have you verified that there is a route on your router pointing to the 192.168.1.0/24 network? Make sure that it is reachable via the PIX on the router.

i.e

ip route 192.168.1.0 255.255.255.0 192.168.2.2

Hope that helps

-Bryan
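Pulling Bryan's three points together into one configuration for Warren's addressing, as an added example that is not part of the thread. It targets PIX 6.x syntax; the access-list names inside_in and outside_in are assumptions, and the addresses are the ones Warren posted. Lines beginning with ":" are PIX comments, lines beginning with "!" are IOS comments on the router.

```cisco
: Added example, not from the original post. PIX 6.x, interfaces as Warren
: configured them.
ip address outside 192.168.2.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

: Identity static instead of "nat 0": inside hosts appear on the outside with
: their real 192.168.1.x addresses and each one gets a slot in "show xlate".
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

: Outbound policy, applied inbound on the inside interface. Only ICMP is
: opened here; widen it deliberately, not with "permit ip any any".
access-list inside_in permit icmp 192.168.1.0 255.255.255.0 any
access-group inside_in in interface inside

: Return policy on the outside interface. PIX 6.x does not keep ICMP state,
: so the reply types a ping depends on must be permitted explicitly. Nothing
: else from the router side is opened, which is the least-privilege shape an
: edge ACL should keep.
access-list outside_in permit icmp any 192.168.1.0 255.255.255.0 echo-reply
access-list outside_in permit icmp any 192.168.1.0 255.255.255.0 time-exceeded
access-list outside_in permit icmp any 192.168.1.0 255.255.255.0 unreachable
access-group outside_in in interface outside

: Default route toward the router, as posted.
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1

: ICMP to the PIX's own interface addresses, from the attached network only.
: Note: a host on the inside network cannot ping the outside interface
: address; the PIX answers only on the interface facing the sender, so
: "can ping inside, cannot ping outside" from an inside host is expected.
icmp permit 192.168.1.0 255.255.255.0 inside
icmp permit 192.168.2.0 255.255.255.0 outside

: After readdressing, flush the stale ARP entry for 192.168.2.1 on the PIX.
clear arp

! Router side (IOS): the return route Bryan asked about. Without it the
! router has no path back to 192.168.1.0/24 and every reply is dropped
! there, which looks on the PIX like "ping leaves, nothing comes back".
ip route 192.168.1.0 255.255.255.0 192.168.2.2
! and, from the router's exec prompt, clear its ARP cache as well:
! clear arp-cache
```

To verify from the PIX enable prompt: "show route" should list the 0.0.0.0 route via 192.168.2.1, "show arp" should resolve 192.168.2.1 on outside, "show xlate" should show an identity slot for each inside host that has sent traffic, and "show access-list" hit counts on the echo-reply line should climb while an inside host pings the router. "debug icmp trace" prints each echo and echo-reply as it crosses the PIX; an echo that goes out with no reply coming back points at the router's return route, a reply that arrives but is not forwarded points at the outside access-list.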

Bryan,

Thanks, I haven't tried your suggestions yet, but I'm sure the 3rd suggestion is one of the problems. I forgot to add the route back after changing the IP address on the router.

Thanks again.

Warren

Warren,

Anytime. I hope it works out for you

-Bryan

Bryan,

I have a few more questions :-).

1. You seem to know what you're talking about when you say not to use NAT 0, but I was wondering if you could enlighten me as to the reasons for that.

2. By not using NAT on the PIX does the PIX then become a transparent device as far as routing goes. Will any routes or tunnels that I have setup on the router still work?

Thanks again for your help.

Warren
