06-23-2003 02:38 PM - edited 02-20-2020 10:48 PM
Hi,
Here's my setup:
Internet
|
T1
|
Cisco 1721
a.b.c.2
|
|
a.b.c.1
Cisco PIX 501
192.168.0.1/24
|
|
|
|
192.168.0.200/24
Netopia
|
ISDN
|
Netopia
192.168.2.200/24
For some reason, I can't reach the 192.168.2.0 subnet from a client PC. I have added a static route to the PIX (route inside 192.168.2.0 255.255.255.0 192.168.0.200 255.255.255.0 1) which will allow me to ping the remote network from the PIX, but not from my network. I seem to be missing something. This setup works fine with another NAT box in place of the PIX, so the Netopias are configured fine.
Anyone with any insights? My config follows:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname rtpdpix
domain-name rtpd.local
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any any eq 9054
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside a.b.c.1 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.33 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 9054 192.168.0.33 9054 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 a.b.c.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server a.b.c.d source outside
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
: end
06-23-2003 06:18 PM
Hi,
This is because you have your PIX as the default gateway for the 192.168.0.x subnet. The PIX cannot receive a packet on an interface and then send it back out that same interface. You're going to need to make your default gateway the Netopia for the 192.168.0.x subnet and then configure the routing on it.
Hope that helps..
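To make the reply's reasoning concrete, here is a small forwarding model, added as an example and not code from the thread or from any of the devices in it. It walks a packet hop by hop through the topology in the diagram, applying longest-prefix route lookup at each device and, for the PIX, the 6.x rule that a packet is never forwarded back out the interface it arrived on. Addresses on the LAN side are the ones in the thread (192.168.0.1 PIX inside, 192.168.0.200 and 192.168.2.200 Netopias, 192.168.0.33 from the posted static NAT). The following are assumptions for the sake of the model: the PIX outside block is written as 203.0.113.0/28 in place of a.b.c.x, the ISDN link uses 10.0.0.0/30, the remote host is 192.168.2.50, and an "internet" host at 198.51.100.2 stands in for the far side of the T1.

```python
"""Hop-by-hop forwarding model for the PIX / Netopia thread (added example).

Two LAN designs are compared: hosts using the PIX (192.168.0.1) as default
gateway, and hosts using the Netopia (192.168.0.200). The only behavioural
difference modelled is the PIX 6.x rule: no same-interface forwarding.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Route:
    prefix: object                 # str or IPv4Network
    iface: str
    next_hop: Optional[object] = None   # None: destination directly connected

    def __post_init__(self):
        self.prefix = ipaddress.ip_network(self.prefix)
        if self.next_hop is not None:
            self.next_hop = ipaddress.ip_address(self.next_hop)


@dataclass
class Node:
    name: str
    ifaces: dict                   # iface name -> "addr/prefixlen"
    static: list = field(default_factory=list)
    hairpin: bool = True           # False models PIX 6.x: refuse to send a
                                   # packet back out its ingress interface

    def __post_init__(self):
        self.addrs = {n: ipaddress.ip_interface(a) for n, a in self.ifaces.items()}
        # Every interface contributes a connected route; statics are added after.
        self.routes = [Route(a.network, n) for n, a in self.addrs.items()] + self.static

    def owns(self, ip):
        return any(a.ip == ip for a in self.addrs.values())

    def iface_with(self, ip):
        """Interface name carrying exactly this address (used to find ingress)."""
        return next(n for n, a in self.addrs.items() if a.ip == ip)

    def lookup(self, dst):
        """Longest-prefix match over connected and static routes."""
        cands = [r for r in self.routes if dst in r.prefix]
        return max(cands, key=lambda r: r.prefix.prefixlen, default=None)


def forward(nodes, src_name, dst, max_hops=10):
    """Trace a packet from node src_name to dst. Returns (path, verdict)."""
    dst = ipaddress.ip_address(dst)
    by_ip = {a.ip: n for n in nodes.values() for a in n.addrs.values()}
    node, in_if, path = nodes[src_name], None, [src_name]
    for _ in range(max_hops):
        if node.owns(dst):
            return path, "delivered"
        r = node.lookup(dst)
        if r is None:
            return path, f"no route at {node.name}"
        if in_if == r.iface and not node.hairpin:
            return path, (f"dropped at {node.name}: arrived on {in_if}, "
                          f"route points back out {r.iface}")
        nh = r.next_hop if r.next_hop is not None else dst
        if nh not in by_ip:
            return path, f"next hop {nh} unreachable from {node.name}"
        node, in_if = by_ip[nh], by_ip[nh].iface_with(nh)
        path.append(node.name)
    return path, "hop limit exceeded"


def build(lan_gateway):
    """Topology from the thread; lan_gateway is what LAN hosts use as default."""
    pix = Node("pix", {"inside": "192.168.0.1/24", "outside": "203.0.113.1/28"},
               [Route("0.0.0.0/0", "outside", "203.0.113.2"),
                Route("192.168.2.0/24", "inside", "192.168.0.200")],  # poster's static
               hairpin=False)
    netopia_a = Node("netopia-a", {"eth": "192.168.0.200/24", "isdn": "10.0.0.1/30"},
                     [Route("192.168.2.0/24", "isdn", "10.0.0.2"),
                      Route("0.0.0.0/0", "eth", "192.168.0.1")])
    netopia_b = Node("netopia-b", {"isdn": "10.0.0.2/30", "eth": "192.168.2.200/24"},
                     [Route("0.0.0.0/0", "isdn", "10.0.0.1")])
    router = Node("cisco1721", {"eth": "203.0.113.2/28", "wan": "198.51.100.1/30"})
    internet = Node("internet", {"wan": "198.51.100.2/30"})       # assumed stand-in
    client = Node("client", {"eth": "192.168.0.33/24"},
                  [Route("0.0.0.0/0", "eth", lan_gateway)])
    remote = Node("remote-host", {"eth": "192.168.2.50/24"},      # assumed host
                  [Route("0.0.0.0/0", "eth", "192.168.2.200")])
    return {n.name: n for n in (pix, netopia_a, netopia_b, router, internet, client, remote)}


if __name__ == "__main__":
    for gw in ("192.168.0.1", "192.168.0.200"):
        nodes = build(gw)
        print(f"LAN default gateway {gw}:")
        print("  client -> 192.168.2.50 :", forward(nodes, "client", "192.168.2.50"))
        print("  pix    -> 192.168.2.50 :", forward(nodes, "pix", "192.168.2.50"))
        print("  client -> 198.51.100.2 :", forward(nodes, "client", "198.51.100.2"))
```

With the PIX as gateway the trace stops at the PIX with the same-interface drop, while a ping sourced from the PIX itself succeeds, which is exactly the pair of observations in the original post. With the Netopia as gateway the LAN-to-ISDN path is delivered, and Internet-bound traffic still reaches the PIX after one extra hop through the Netopia, because the Netopia (like any ordinary router) is willing to forward back out the LAN interface.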
06-24-2003 06:46 AM
>> The PIX cannot receive a packet on an interface and then send it back out that same interface
After posting, I did read a bit on the PIX and came to that conclusion, as it doesn't send ICMP redirects back to the client, but I hadn't thought of using the Netopia as the default gateway. I was prepared to return the PIX and get an Ethernet-to-Ethernet router, as the only solution I could think of was to add static routes to all the client PCs (a big pain, and inelegant).
Thanks for the suggestion.