Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
688
Views
0
Helpful
3
Replies

PIX FIREWALL PROBLEM

gurpur_2000
Level 1
Level 1

‎10-22-2002 09:42 AM - edited ‎02-20-2020 10:19 PM

I recently installed a PIX firewall with three interfaces and NAT . The network layout is like as follows :

The network behind internal interface has a 4700 router with multiple WAN ports and LAN ports. From this router there are three more networks. i.e.

The internal interface is on the network 166.107.220.0 with a subnet mask of 255.255.254.0. The 4700 ethernet port has ip 166.107.220.1. The internal interface ip is 166.107.220.3.

The 4700 router caters to following network using its WAN ports :

166.107.222.0/24 ; 166.107.19.0/24;

The external interface ip is 166.107.250.226/27. This is connected to a router with ethernet ip 166.107.250.225/27. This router connectes the LAN to the outside world.

After configuring the PIX and the routers, The users on the network 166.107.220.0 are able to access the internet etc. etc.. But the users on 166.107.222.0 and 166.107.19.0 are not.

Please help to resolv this issue.

thanks

srin

0 Helpful
3 Replies 3

steve.barlow
Level 7
Level 7

‎10-22-2002 10:47 AM

Does the PIX have a route to those 2 internal networks (can the PIX ping those subnets)?

Are those 2 networks part of the nat command (eg nat (inside) 1 0 0)?

Any access-list?

Hope it helps

Steve

0 Helpful

gurpur_2000
Level 1
Level 1
In response to steve.barlow

‎10-23-2002 10:41 AM

Hi

Yes the PIX has route to these 2 internal networks with route (inside) command pointing to router interface connected to the inside interface of the PIX i.e

the inside interface is 166.107.220.3 . The router on this network is 166.107.220.1. One of the test node on those network i.e 166.107.222.4 can ping to 166.107.220.3. But it cannot ping outside interface on PIX. The nodes on 166.107.220.0 network can ping to outside of the PIX.

The NAT command is NAT (inside) 1 0 0 and is assumed that all the networks beyond 166.107.220.0 network , is taken care with this command.

The accesslist are applied to allow any any for tcp and icmp.

0 Helpful

steve.barlow
Level 7
Level 7
In response to gurpur_2000

‎10-23-2002 12:58 PM

Your 166.107.220.0 inside hosts also can't ping the outside interface of the PIX, can they?

Small chance here but are you using NAT or PAT? If NAT, do you have enough addresses?

What does the show log or syslog show when those 2 networks try to go outside?

DNS setup for those networks (nslookups work?)?

Can you post the config minus passwords?

Steve

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card