Noob question: IP routing [PIX515E]
03-30-2013 03:34 PM - edited 03-11-2019 06:21 PM
Forgive me for I know this is probably Routing 101.
I know it has to do something with routing, but can't seem to figure out why it isn't working.
PIX Version 7.1(2)
!
hostname PIX515E
domain-name LEDUC.LOCAL
enable password KImMvv.HAzqvR6HP encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.0.2 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name LEDUC.LOCAL
pager lines 24
mtu outside 1500
mtu inside 1500
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:b7e0f1e67acdbeccf8d614f5ac31faf4
: end
I can't ping from the 192.168.1.0 network. I can ping 192.168.0.2, but nothing past it. I'm having the same issue on my 2600.
Any advice?
Labels: NGFW Firewalls
03-31-2013 09:24 AM
Just to be clear, I will won't be able to ping 192.168.0.2, although I should be able to ping 192.168.0.1
I added the above with no luck:
: Saved
:
PIX Version 7.1(2)
!
hostname PIX515E
domain-name LEDUC.LOCAL
enable password KImMvv.HAzqvR6HP encrypted
names
!
interface Ethernet0
duplex full
nameif outside
security-level 0
ip address 192.168.0.2 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name LEDUC.LOCAL
access-list INSIDE-NAT0 remark NO NAT for LAN network
access-list INSIDE-NAT0 extended permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list INSIDE-NAT0
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
Cryptochecksum:b7e0f1e67acdbeccf8d614f5ac31faf4
: end
"If I understood the situation correctly you now only have the switch and workstation(s) behind the PIX "inside" interface? If there is only the network 192.168.1.0/24 behind the PIX then that above NAT0 configuration should be enough."
~Correct, the network is as follows
Filter <-> PIX515E <-> switch
with the switch being on the 192.168.1.0/24 network
FYI, I can't ping anything past 192.168.1.1
03-31-2013 09:28 AM
Ok,
At the moment I don't see a reason for this in the PIX configuration.
Could you make sure that the Filter Device has a route for the network 192.168.1.0/24 pointing towards 192.168.0.2?
This is because when a host from the address for example 192.168.1.100 sends ICMP to 192.168.0.1 there will be NO NAT as we configured. Therefore the Filter Device will need to have a return route for the ICMP traffic.
So could you make sure that the Filter Device has a route for 192.168.1.0/24 pointing towards the PIX "outside" interface IP 192.168.0.2.
- Jouni
03-31-2013 09:37 AM
Forgive me for my ignorance, but the filter works fine on its own, meaning if I plug a workstation into eth1 (192.168.0.1) and give it a static IP it passes through traffic and responds to pings.
Okay so basically I need to ssh into my filter and add a return path to the 192.168.1.x network, correct?
What I'm getting at is possibly a triangular routing problem.
03-31-2013 09:45 AM
Hi,
If you have a host directly connected to the Filter Device (which to my understanding is your Internet edge device) then there is naturally no problem with the connectivity of the host and the Filter Device as they are connected to the same network 192.168.0.0/24. They both see the network as directly connected so naturally they can communicate.
Now when you have added the PIX to the setup and you have an additional network of 192.168.1.0/24 behind the PIX then naturally the Filter Device needs to have a route for the network 192.168.1.0/24 because otherwise it is just going to forward all traffic towards its default route, which I imagine is the default route to the Internet/ISP.
So to my understanding if you don't already have a route for the network 192.168.1.0/24 configured on the Filter Device then you have to add that to the device and point that route towards the PIX "outside" interface IP address of 192.168.0.2. Otherwise the traffic simply won't work from the workstation to the Filter Device WHEN the PIX is connected to the network.
- Jouni
03-31-2013 10:27 AM
Hello Nathan,
Agree with Jouni,
It has got to be that the Filter device does not have a route back to you.
If by any chance you do not know how to create a route on that layer 3 device, do the following and let us know:
nat (inside) 1 0 0
global (outside) 1 interface
With this, all traffic sourced from the inside interface, when reaching another host on the outside interface, will look like it comes from the outside interface IP address; then the filter will be able to route the traffic back, as it knows where the outside interface is (on one of its directly connected networks).
Regards
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
03-31-2013 04:20 PM
Jcarvaja,
It's actually an old iPrism I picked up off eBay for $10 shipped. It's now running Linux, therefore the commands are going to be different.
It's actually pretty damn cool:
Mine's running Ubuntu Server 11.04, using it as an ssh server, web filter, proxy and NAT, but I'm sure you could use it for other purposes as well.
I'll post back when I get those routes enacted.
03-31-2013 05:04 PM
Hello,
I think you did not understand me.
The commands
nat (inside) 1 0 0
global (outside) 1 interface
have got to be set on the PIX (you would need to remove the NAT 0 for this).
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
04-04-2013 05:42 AM
Won't
nat (inside) 1 0 0
global (outside) 1 interface
enable NAT? I don't need it to provide NAT, I have the filter for that.
04-04-2013 05:58 AM
Hi,
Yes, that would enable Dynamic PAT, which would basically translate all hosts behind the PIX "inside" interface to the IP address of the "outside" interface. This would mean that you probably wouldn't have to add routes to the Filter Device as connections would be showing from a directly connected network.
But on the other hand it would hide the LAN hosts behind that single IP address and the Filter Device wouldn't see the hosts with their original IP address.
Were you able to add the route to the Filter Device as we discussed before? Or what is the current situation?
- Jouni
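The two fixes discussed in this thread (Jouni's return route on the Filter Device, and jcarvaja's dynamic PAT on the PIX) are easiest to compare by modelling the Filter Device's routing decision for the echo reply. The following is an added example written for this page, not code from the thread or from Cisco; the ISP gateway address and the inside host 192.168.1.100 are constructed placeholders, and the routing table is a simplified model of a Linux box with one connected LAN and a default route.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# A route: destination prefix plus next-hop gateway, or None for "directly connected".
Route = Tuple[ipaddress.IPv4Network, Optional[str]]

PIX_OUTSIDE = "192.168.0.2"   # PIX Ethernet0 address from the posted config
FILTER_LAN_IP = "192.168.0.1" # Filter Device eth1, the ping target in the thread
ISP_GW = "203.0.113.1"        # constructed placeholder for the Filter Device's upstream


def lookup(table: List[Route], dst: str) -> Route:
    """Longest-prefix match: the most specific prefix containing dst wins."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for net, gw in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best


# Filter Device table as it stands when the thread starts: connected LAN + default.
FILTER_TABLE_BEFORE: List[Route] = [
    (ipaddress.IPv4Network("192.168.0.0/24"), None),   # connected on eth1
    (ipaddress.IPv4Network("0.0.0.0/0"), ISP_GW),      # default towards the Internet
]

# The same table after the static route Jouni asked for
# (on the Linux filter that is: ip route add 192.168.1.0/24 via 192.168.0.2).
FILTER_TABLE_AFTER: List[Route] = FILTER_TABLE_BEFORE + [
    (ipaddress.IPv4Network("192.168.1.0/24"), PIX_OUTSIDE),
]


def pix_forward(src: str, dst: str, mode: str) -> Tuple[str, str]:
    """Source/destination of the packet as it leaves the PIX outside interface.

    'nat0' models the posted 'nat (inside) 0 access-list INSIDE-NAT0' (identity NAT,
    inside addresses are preserved); 'pat' models 'nat (inside) 1 0 0' with
    'global (outside) 1 interface' (every inside host becomes the outside IP).
    """
    if mode == "nat0":
        return src, dst
    if mode == "pat":
        return PIX_OUTSIDE, dst
    raise ValueError(f"unknown NAT mode {mode!r}")


def trace_ping(filter_table: List[Route], mode: str,
               src: str = "192.168.1.100", dst: str = FILTER_LAN_IP) -> Dict[str, object]:
    """Follow one echo request from an inside host and work out where the reply goes."""
    out_src, out_dst = pix_forward(src, dst, mode)
    # The Filter Device answers to whatever source address it saw on the wire.
    net, gw = lookup(filter_table, out_src)
    # The reply reaches the PIX if it is routed via the PIX, or if the reply
    # destination is the PIX outside interface itself (PAT case, connected network).
    reaches_pix = gw == PIX_OUTSIDE or (gw is None and out_src == PIX_OUTSIDE)
    return {
        "filter_sees_source": out_src,          # what shows up in the filter's logs
        "reply_route": str(net),
        "reply_via": gw if gw is not None else "connected",
        "reaches_pix": reaches_pix,
    }


if __name__ == "__main__":
    for label, table, mode in [
        ("NAT0, no return route", FILTER_TABLE_BEFORE, "nat0"),
        ("NAT0, route added",     FILTER_TABLE_AFTER,  "nat0"),
        ("Dynamic PAT, no route", FILTER_TABLE_BEFORE, "pat"),
    ]:
        print(f"{label:24s} -> {trace_ping(table, mode)}")
```

Running it shows the asymmetric-routing problem directly: with identity NAT and no route, the reply to 192.168.1.100 matches only the default route and is sent towards the ISP, so the ping times out; adding the /24 route sends it back via 192.168.0.2. With dynamic PAT the reply goes to 192.168.0.2 on the connected network without any route, but the filter only ever sees the PIX outside address, which is the loss of per-host visibility Jouni points out.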
04-04-2013 09:40 AM
Hello Nathan,
Without the NAT you will need the route, and as you do not have it now, then you must use it.
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC