pix connected to internet and intranet routers

admin_2
Level 3

I have a pix 515 with 3 interfaces inside, outside and intf2. My goal is to allow my internal network to access both Intranet and Internet web sites in a secure way.

inside (ethernet 1) is directly connected to the internal network where all hosts reside:

ip 172.16.0.1/24 (this is hosts' default gateway)

ASA=100

outside (ethernet 0) is directly connected to the internet router

ip 10.0.0.2/24

ASA=0

intf2 (ethernet 2) is directly connected to the intranet router

ip 10.23.214.20

ASA=10

Both intranet and internet routers are configured with only one static default route (no routing protocols). Mine is a stub network.

The pix has a default route to the internet router (route outside 0.0.0.0 0.0.0.0 10.0.0.1) and a couple of static routes to the intranet router (route intf2 10.22.0.0/16 and 10.23.0.0/16 which cover all the intranet)

NAT

nat (inside) 1 0 0

global (outside) 10.0.0.254 255.255.255.0

global (intf2) 10.23.214.202

Clients on the internal network can access Internet web sites but not intranet.

If I ping 10.22.x.x and 10.23.0.0 from the pix console I get responses; if I try to ping the same networks from a host on the internal network I do not receive any response.

It seems like the pix can get intranet sites but doesn't allow clients to send and receive packets to the same sites.

Please can anyone help me?

Thank you very much

2 Replies

steve.barlow
Level 7

Is your set-up:

nat (inside) 1 0 0

global (outside) 1 10.0.0.254

global (intf2) 1 10.23.214.202

access-list 101 permit icmp 10.23.0.0 255.255.0.0 host 10.23.214.202 echo-reply

access-list 101 permit icmp 10.22.0.0 255.255.0.0 host 10.23.214.202 echo-reply

access-group 101 in interface intf2

Any other acls (on intf2 or inside) that could block it?

Do a "debug icmp trace" when you ping from the inside; what do you see? Does your show log/syslog server show anything getting blocked?

Show xlate and show conn (e.g. show conn local/for x.x.x.x) are also good troubleshooting commands.

Hope it helps.

Steve

What's this statement trying to do:

global (outside) 10.0.0.254 255.255.255.0

Get rid of the mask cause it may be confusing the PIX. Do you have any ACLs applied on the inside interface? Do you see anything in the syslog when you try and browse from the inside to intf2?
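Both replies come down to the same thing: every global has to carry the nat_id that ties it to the nat statement, and the address must not be followed by a bare mask. As an added example (not from this thread, not Cisco code), a small Python checker that lints that pairing: it reports a global with no nat_id, a mask typed without the netmask keyword, a nat id that has no global on some interface, and a global whose nat_id no nat statement uses. The interface names and the two config fragments are copied from the thread; the checker and its messages are hypothetical.

```python
import re

# Hypothetical checker (not Cisco code) for the PIX nat/global pairing.
NAT_RE = re.compile(r"^nat\s+\((\w+)\)\s+(\d+)\s+(\S+)\s+(\S+)")
GLOBAL_RE = re.compile(r"^global\s+\((\w+)\)\s+(.*)$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:-\d{1,3}(?:\.\d{1,3}){3})?$")
# Interface names and both config fragments are copied from the thread.
INTERFACES = ["inside", "outside", "intf2"]
POSTED_CONFIG = """nat (inside) 1 0 0
global (outside) 10.0.0.254 255.255.255.0
global (intf2) 10.23.214.202"""
FIXED_CONFIG = """nat (inside) 1 0 0
global (outside) 1 10.0.0.254
global (intf2) 1 10.23.214.202"""


def check_nat_globals(config_text, interfaces):
    """Return a list of findings for the nat/global statements in config_text."""
    nat_sources = {}  # nat_id -> interfaces that carry a nat statement with that id
    global_ifcs = {}  # nat_id -> interfaces that carry a global with that id
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            nat_sources.setdefault(int(m.group(2)), set()).add(m.group(1))
            continue
        m = GLOBAL_RE.match(line)
        if not m:
            continue
        ifc, tokens = m.group(1), m.group(2).split()
        if not tokens or not tokens[0].isdigit():
            findings.append(f"{line}: no nat_id, so no nat statement selects this global")
            continue
        nat_id, rest = int(tokens[0]), tokens[1:]
        global_ifcs.setdefault(nat_id, set()).add(ifc)
        if not rest or not (IP_RE.match(rest[0]) or rest[0] == "interface"):
            findings.append(f"{line}: expected an address, a range or 'interface'")
        elif len(rest) == 2 and IP_RE.match(rest[1]):
            findings.append(f"{line}: mask given without the 'netmask' keyword")
    for nat_id, sources in nat_sources.items():
        if nat_id == 0:  # nat 0 means no translation, so it needs no global
            continue
        for ifc in interfaces:
            if ifc not in sources and ifc not in global_ifcs.get(nat_id, set()):
                findings.append(f"nat id {nat_id}: no global on interface {ifc}")
    for nat_id in global_ifcs:
        if nat_id not in nat_sources:
            findings.append(f"global with nat_id {nat_id} has no matching nat statement")
    return findings
```

Running it over POSTED_CONFIG flags both globals and the missing nat-id-1 globals on outside and intf2; FIXED_CONFIG (Steve's version) produces no findings.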
