Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
545
Views
0
Helpful
4
Replies

PIX rules between interfaces

albertobrivio
Level 1
Level 1

‎02-03-2006 03:01 AM - edited ‎02-21-2020 12:41 AM

Dear ALL,

I need your comments about topic I'm going to explain (ping between hosts belonging different interfaces):

pix 6.3

route 0.0.0.0 0.0.0.0 192.168.104.201 (router)

outside is 192.168.104.200 255.255.255.0

host into outside is 192.168.104.20 (default gateway is the router 192.168.104.201)

inside is 192.168.100.1 255.255.255.0

host into inside is 192.168.100.2 (default gateway is inside)

access-lists permitting icmp, ip on inside (outgoing) and outside (incoming)

1st case

========

static (inside,outside) 192.168.104.10 192.168.100.2 netmask 255.255.255.0

I can't ping outside host from inside host, and we know, this is a basic rule, but I can ping 192.168.104.201,

the router. How is it possible? Router's address is in the same outside subnet !!

2nd case

========

static (inside,outside) 192.168.100.2 192.168.100.2 netmask 255.255.255.0

Now, I can ping from inside host vs outside host.

3rd case

========

nat (inside) 1 0 0

global (outside) 1 interface

Now, I can ping from inside host vs outside host.

4th case

========

nat (inside) 1 0 0

global (outside) 1 192.168.104.40

I can't ping outside host from inside host

Well, what are PIX basic rules that specify this behaviour ?

Regards

Alberto Brivio

0 Helpful
4 Replies 4

mpalardy
Level 3
Level 3

‎02-03-2006 06:15 AM

Hi Alberto,

Check the host mask for all your statics

static (inside,outside) 192.168.100.XX 192.168.100.XX netmask 255.255.255.0

Netmask should be 255.255.255.255

Mike

0 Helpful

albertobrivio
Level 1
Level 1
In response to mpalardy

‎02-03-2006 06:33 AM

Hi Mike,

Sorry for mistake, I wrote wrong in the message but the right netmask was applied in the pix.

Thanks

Alberto

0 Helpful

albertobrivio
Level 1
Level 1
In response to albertobrivio

‎02-03-2006 08:56 AM

Dear All,

during many others tests I found parameter responsible for behavior described above: enabling proxyarp outside I can ping a machine in the outside zone from a machine in the inside zone.

But I wonder this happen, the pix shouldn'tbe able to reach a machine belonging to the same class ?

Alberto

0 Helpful

mpalardy
Level 3
Level 3
In response to albertobrivio

‎02-03-2006 11:43 AM

Hi Alberto,

Yes, the pix is able to reach same class of address if the subnet masks are configured to do this. It depends on the way static and nat are configured. Until PIXOS 7.0, the pix does not route packet arriving and destinated to the same interface.

Just take a look and try a "show arp" command on the pix and the router.

Mike

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card