Routing rules through PIX

stevem
Level 1

Any ideas?

A customer of mine has IPX running over private lines to customer sites and we wanted to set up a PIX on our end to have some sort of security in place. We enabled GRE on the outside interface and could pass traffic although very slow. So we took the PIX out of the production network and set up a test network to log the traffic and see if it was just due to IPX traffic or other issues. Now that we have done this and segmented the internal network to have a test network on the outside of our production network with a PIX interfacing the rest of the internal network.

My problem is that we have one way out to the internet and that has another PIX sitting on it filtering traffic and our test network cannot get out to the web.

My question to anyone is if there is any default security in place that will not allow the test network that has to come in through the test PIX then enter into the production network and out the other PIX to get to the web? Since we cannot get out when the PIX is sitting in between the production and test network and we have the PIX wide open (ACL permit IP any any, GRE any any, and ICMP any any). Once we take that out of the test network can get out to the web through the production PIX so we know that we added the test network properly.

Also, we can ping the rest of the production network from the test network when the test PIX is in place, just can't get out to the web.

So I'm worried that I'm wasting my time with something I cannot "override" due to the way the test network traffic has to get to the web.

Test Net--->Test PIX--->Internal LAN---->PIX-->WWW

then back again...

Any insight re this is greatly appreciated...


mostiguy
Level 6

PIX will not allow traffic to leave on an interface it came in on. This could be it.

Routing, routing, routing; it's a two-way process! The PIX on your internet connection probably doesn't know where the test network is so it doesn't know where to send the returning packets. Add a static route for the test network to the internet PIX pointing to the test PIX.

Yeah, I will try that.

But I could ping the internet pix from the test network when the test pix was in the mix, I just couldn't get past the int. pix out to the web. I don't think I tried to add anything else than what I put in the int. pix since I could get a response from it.

Which still goes back to my original concern of whether I will not be able to have an "outside" network come in and then out the other firewall and back to get www access? Since I could get an IP route out from the test network once the test PIX was taken out of the mix.

So add this:

test pix 172.20.51.2

test network 172.31.199.0

route inside 172.31.199.0 255.255.255.0 172.20.51.2

and see if this takes care of the problem?

It's probably a NAT issue. The Internet PIX may not have a NAT entry to allow your test network addresses to hit a NAT pool. If this is the case, you can use NAT on the test PIX to NAT all test network traffic to the outside interface of the test PIX, or you can add a NAT statement for the test network addresses.

If you NAT the test network to the outside interface of the test Pix, then routing will no longer be an issue for you either. That is assuming you can ping the inside of the Internet pix from the outside interface of the test pix.
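As an added illustration (not configuration posted by anyone in the thread), the two options from the reply above written out as PIX 6.x commands, using the addresses given earlier in the thread (test network 172.31.199.0/24, test PIX inside address 172.20.51.2). The NAT id `1` and the assumption that the Internet PIX already has a `global (outside) 1` pool are mine; the `!` lines are annotations, not PIX syntax.

```cisco
! --- Option A: configure on the TEST PIX ---
! PAT the whole test network to the test PIX's outside interface.
! The Internet PIX then only sees packets sourced from 172.20.51.2,
! an address it already routes and NATs, so it needs no change.
nat (inside) 1 172.31.199.0 255.255.255.0
global (outside) 1 interface

! --- Option B: configure on the INTERNET PIX ---
! Keep the test network addresses intact, give the Internet PIX a
! return route (the earlier reply's suggestion) and let those
! addresses use the existing outbound pool (assumed to be id 1).
route inside 172.31.199.0 255.255.255.0 172.20.51.2
nat (inside) 1 172.31.199.0 255.255.255.0

! --- Verification after either option ---
! Translations being built for test-network hosts and the route present:
show xlate
show route
```

With Option A the Internet PIX's `show xlate` will show 172.20.51.2 rather than the 172.31.199.x hosts, which is the expected sign that the test PIX is doing the translation.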
