10-11-2008 04:00 AM - edited 03-11-2019 06:56 AM
Hi,
My router is connected on the inside. I have other subnets to reach behind my router (address 172.20.1.250), and I can ping any subnet on the outside
but not behind my router. But if I ping from my PIX it is successful toward all subnets.
I am connected on the inside and my GW is 172.20.1.10.
This is my config.
10-12-2008 11:55 PM
Are you trying to ping from the "outside" to the "inside"?
If so, you do not have any static NAT translations for 172.20.1.250.
HTH>
10-14-2008 01:37 AM
I don't need to ping from outside to inside.
My objective is:
from my PC (172.20.1.25, GW PIX) ping the subnets behind my router (172.20.1.250).
test from my PC:
ping subnets outside--->OK
ping gw PIX ------->OK
ping gw Router---->OK
ping subnet behind Router----->NOK "problem"
10-14-2008 01:52 AM
Firstly, your design is wrong. It is possible to do what you want using the PIX, but you will have to upgrade and do some complicated config.
1) You should not have a DG of the PIX if you have a layer 3 routing device in your network.
I suggest you do the following:-
Change the DG of your PC to 172.20.1.250.
In the router add a static route:-
ip route 192.168.1.0 255.255.255.0 172.20.1.10
This will fix your issues.
HTH>
10-14-2008 02:17 AM
Thanks for your help,
but why should I not have a DG of the PIX if I have a layer 3 routing device in my network?
I already tested your suggestion; it's working fine.
Thanks
10-14-2008 02:32 AM
Honestly, it's a bad use of networking devices. The PIX is a "firewall" to protect and give access between trusted and untrusted networks.
A router is a layer 3 IP routing device, designed for routing IP subnets.
If you have both devices available, then the router should be a router and the firewall should be a firewall. Only in cases where you only have one should you really make the device dual purpose.
Besides, your PIX was running 6.3 code; you would need to upgrade to 7.x or 8.x to do what you wanted to do, which would have been:-
static (inside,inside) 172.20.1.0 172.20.1.0 netmask 255.255.255.0
same-security-traffic permit intra-interface
The above would:-
1) Not NAT any traffic from 172.20.1.0 to 172.20.1.0
2) Allow traffic received on the inside interface to be transmitted back out of the inside interface.
As you can see, the above is exactly 100% what a router does..... do you understand?
HTH>
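Added example (not from the thread or any poster): a small forwarding simulator that traces an echo request through the thread's topology under each setup discussed in the two posts above, the original one (PC default gateway = PIX, PIX 6.3 with no intra-interface permit), the router fix (PC default gateway = 172.20.1.250 plus the static route on the router), and the PIX hairpin fix (same-security-traffic permit intra-interface). It assumes, beyond what the thread states, a constructed 10.10.10.0/24 behind the router, 192.168.1.0/24 as the PIX outside subnet (taken from the static route's destination), and constructed host and interface addresses; NAT and connection-state tracking on the PIX are not modelled.

```python
import ipaddress


class Node:
    """A host or layer 3 device: interfaces plus a longest-prefix-match routing table."""

    def __init__(self, name, interfaces, routes=(), hairpin=True):
        self.name = name
        # ifname -> ip_interface (address plus its directly connected network)
        self.interfaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
        # (network, next_hop); next_hop None means directly connected
        self.routes = [(ipaddress.ip_network(n), None if h is None else ipaddress.ip_address(h))
                       for n, h in routes]
        for itf in self.interfaces.values():
            self.routes.append((itf.network, None))
        # hairpin=False models a PIX 6.3 that will not send traffic back out the
        # interface it arrived on (no "same-security-traffic permit intra-interface")
        self.hairpin = hairpin

    def lookup(self, dst):
        """Longest prefix match; returns (next_hop_address, out_ifname) or None."""
        best = None
        for net, hop in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        if best is None:
            return None
        target = dst if best[1] is None else best[1]
        for ifname, itf in self.interfaces.items():
            if target in itf.network:
                return target, ifname
        return None


def trace(nodes, src_name, dst_ip):
    """Follow a packet hop by hop; returns (path, outcome)."""
    dst = ipaddress.ip_address(dst_ip)
    # every interface address -> (node, ifname), so a next hop can be followed
    addr_map = {itf.ip: (n, ifname) for n in nodes.values() for ifname, itf in n.interfaces.items()}
    node, in_if = nodes[src_name], None
    path = [node.name]
    for _ in range(16):
        if any(dst == itf.ip for itf in node.interfaces.values()):
            return path, "delivered"
        hit = node.lookup(dst)
        if hit is None:
            return path, f"no route at {node.name}"
        next_ip, out_if = hit
        if in_if is not None and out_if == in_if and not node.hairpin:
            return path, f"dropped at {node.name}: inside->inside not permitted"
        if next_ip not in addr_map:
            return path, f"unreachable next hop {next_ip}"
        node, in_if = addr_map[next_ip]
        path.append(node.name)
    return path, "loop"


def build(pc_gw, pix_hairpin, router_static):
    """Constructed topology: addresses from the thread plus assumed ones (see lead-in)."""
    return {
        "pc": Node("pc", {"eth0": "172.20.1.25/24"}, [("0.0.0.0/0", pc_gw)]),
        # the PIX knows the subnet behind the router (the OP can ping it from the PIX)
        "pix": Node("pix", {"inside": "172.20.1.10/24", "outside": "192.168.1.1/24"},
                    [("10.10.10.0/24", "172.20.1.250")], hairpin=pix_hairpin),
        # router_static models "ip route 192.168.1.0 255.255.255.0 172.20.1.10"
        "router": Node("router", {"gi0": "172.20.1.250/24", "gi1": "10.10.10.1/24"},
                       [("192.168.1.0/24", "172.20.1.10")] if router_static else []),
        "behind": Node("behind", {"eth0": "10.10.10.5/24"}, [("0.0.0.0/0", "10.10.10.1")]),
        "outside": Node("outside", {"eth0": "192.168.1.5/24"}, [("0.0.0.0/0", "192.168.1.1")]),
    }


def scenario_results():
    """Outcome of the PC's ping under the original setup and under each fix."""
    original = build("172.20.1.10", pix_hairpin=False, router_static=False)
    router_no_static = build("172.20.1.250", pix_hairpin=False, router_static=False)
    router_fix = build("172.20.1.250", pix_hairpin=False, router_static=True)
    pix_fix = build("172.20.1.10", pix_hairpin=True, router_static=False)
    return {
        "original_behind": trace(original, "pc", "10.10.10.5")[1],
        "original_outside": trace(original, "pc", "192.168.1.5")[1],
        "router_no_static_outside": trace(router_no_static, "pc", "192.168.1.5")[1],
        "router_fix_behind": trace(router_fix, "pc", "10.10.10.5")[1],
        "router_fix_outside": trace(router_fix, "pc", "192.168.1.5")[1],
        "pix_fix_behind": trace(pix_fix, "pc", "10.10.10.5")[1],
    }


if __name__ == "__main__":
    for name, outcome in scenario_results().items():
        print(f"{name:28s} {outcome}")
```

The two failure lines are the ones the thread is about: with the PIX as default gateway the request reaches the PIX on the inside interface and would have to leave through the same interface, which the 6.3 box refuses; with the router as default gateway but no static route, the router has nowhere to send outside-bound traffic, which is why the static route is part of the fix.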
10-14-2008 02:42 AM
yes thank you very much.
10-14-2008 02:44 AM
np - glad to help.
10-14-2008 03:44 AM
Hi,
*Allow traffic received on the inside interface to be transmitted back out of the inside interface*
Which command do I need to use for this? "access-list"?
10-14-2008 04:11 AM
same-security-traffic permit intra-interface is the command you need.
BUT as I have previously posted, you NEED to upgrade to either 7.x or 8.x of IOS.
HTH>