PIX 501 blocking subnet access

pschneider · ‎05-28-2005

Scenario: Local lan 10.1.1.0 with subnets 10.1.2.0 and 10.1.3.0 (those two are voip system). Also, internal router (2511) for 10.2.4.0 (remote office runs our apps and we run theirs). But we get our web access from our default gateway: the pix 501.

I can ping the other subnets but cannot access any applications on them. The pix is our default gateway; if we change that to the 2511 router as gateway, we can access the apps on 10.2.4.0 but can't get web access on the pix or voip applications.

I do not run rip or ospf on the pix 501. Would rip fix this problem? If yes, should I run ver 1 or 2 or passive? I have the pix connected to a 1720 which is our isp's router to the outside.

My old firewall had a router built in and it was running rip. Never had problems with it.

I would guess the pix has to learn routes and advertise as well. Not an expert on that; any help greatly appreciated as I am ready to toss the pix. I love its vpn tho.

a.alekseev · ‎05-28-2005

The pix and the router are located on the same subnet, the pix is default gateway. The PIX pix could not send a packet comming from inside back to inside. PIX is not a router.

so the workaround is

create a secondary ip address on the router

change the inside ip address on the pix, so the secondary ip address on the route and new inside ip address on the pix will be located in the same subnet.

On your PC set primary ip address of the router as a default gateway

pschneider · ‎05-29-2005

Thank you for the workaround. So, rip can't turn the pix into a router even in this case. That was the answer I needed.

the pix and the router are on the same subnet now. If we change the default gateway to the router, the apps on the remote subnet work but we internally cannot access the web because we get the web from the pix gateway, not the remote office. We have our own isp to which the pix is connected.