10-22-2005 12:08 AM - edited 02-21-2020 12:28 AM
Dear All,
I need to have your suggestion on the following issue.
I have a PIX firewall installed. The inside interface address is 172.16.1.0/24.
This PIX inside is connected to the outside interface of the ISA server. The ISA inside is connected to the router eth0 interface.
172.16.1.1(PIXINSIDE)-172.16.1.5(ISA-OUTSIDE)-172.18.1.5 (ISA-Inside)-172.18.1.1 (router eth0)
The problem is I can ping all the lower interface IPs from the 172.16.1.0 network, i.e. the PIX inside network, but I cannot ping the same lower interfaces from the 172.18.1.0 network which is behind the ISA firewall. Please note that the ISA acts as a bridge; all the ports are opened both in & out.
I used nat (inside) 0 0 0 0 0
also nat (inside) 0 access-list no-nat with
access-list no-nat permit ip 172.18.1.0 255.255.255.0 any ---> NAT EXEMPTION
No result.
Please reply ASAP.
thanks
swamy
10-22-2005 05:19 AM
you mentioned, "but I can not ping the same lower interfaces from the 172.18.1.0 network". just wondering if you are referring to the subnet that is connected to the pix outside interface.
if so, then an inbound acl is required for the echo response on the pix. the reason being the pix by default doesn't perform stateful inspection on icmp.
e.g. one way is to configure an inbound acl
access-list 100 permit icmp any any echo-reply
access-group 100 in interface outside
10-24-2005 11:13 AM
Mr.Jackko,
The 172.18.1.0 network is behind the ISA server. I can explain that the ISA server is between the PIX firewall and the 172.18.1.0 network. The ISA inside NIC is connected to the 172.18.1.0 network and the ISA server outside NIC is connected to the PIX inside network, that is 172.16.1.0. The other PIX interfaces are DMZ1, DMZ2, DMZ3. We can ping all the DMZs from 172.16.1.0, not from 172.18.1.0.
In the pix firewall all high to lower interfaces are configured with identity NAT (NAT 0 )
Please help me
Swamy
10-24-2005 05:41 PM
just wondering if there is a route pointing to isa for the subnet 172.18.1.0 on the pix.
e.g. with the current pix config,
route inside 172.18.1.0 255.255.255.0 172.16.1.5
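Putting the thread's suggestions together as one added example (this is not config posted by anyone in the thread): the route back to the subnet behind the ISA, NAT exemption for both inside subnets, and an echo-reply ACL on a DMZ interface, since a PIX of this generation does not track ICMP statefully. The interface name dmz1 and ACL names are assumed; lines starting with ! are annotations, not PIX commands.

```cisco
! Route for the subnet behind the ISA, next hop is the ISA outside NIC.
! Without it, DMZ replies to 172.18.1.0 hosts follow the default route instead.
route inside 172.18.1.0 255.255.255.0 172.16.1.5 1
! Identity NAT (NAT exemption) for both subnets living behind the inside interface
access-list no-nat permit ip 172.16.1.0 255.255.255.0 any
access-list no-nat permit ip 172.18.1.0 255.255.255.0 any
nat (inside) 0 access-list no-nat
! Echo-replies from dmz1 back toward the inside subnets need an explicit inbound
! ACL on dmz1 because the PIX does not inspect ICMP statefully.
! Caveat: if dmz1 already has an inbound ACL applied, add these two permits to
! that ACL instead of applying a new one, or the existing permits are lost.
access-list dmz1_in permit icmp any 172.16.1.0 255.255.255.0 echo-reply
access-list dmz1_in permit icmp any 172.18.1.0 255.255.255.0 echo-reply
access-group dmz1_in in interface dmz1
! Checks: confirm the route is installed, then watch the echo/echo-reply pair
! show route
! debug icmp trace
```

The same echo-reply permit is needed on each DMZ interface the 172.18.1.0 hosts should be able to ping, and the ISA must forward ICMP in both directions as well.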
10-24-2005 03:24 PM
I had something like this happen to us. Are you maybe missing a route statement? Even though you may have an access-list, you will still need a route statement.
11-03-2005 03:19 AM
just wondering how you go.