PIX and routing problem

somudrodev · ‎12-25-2003

Hi,

I am faceing some problem in with my PIX firewall. Here is my network

design

+---------------+

|192.168.10.1/24|

|Pix F/W |

|10.10.2.230/24 |

+---------------+

|

|----------------------|---------------|

Host A Host B Host C

10.10.2.210/24 10.10.2.208/24 10.10.2.209/24

g/w 10.10.2.230 g/w 10.10.2.230 g/w 10.10.2.1

|

+--------------+

|10.10.2.1/24 |

|3640 router |

|192.168.3.1/24|

+--------------+

|

Host D

192.168.3.101

Host A and B is statically mapped in Pix.

Host D can Ping 10.10.2.1, 10.10.2.230 and 10.10.209, but it cannot

ping Host A or Host B. When it try to ping Host A or Host B, I am

getting following error in my syslog server.

<163>%PIX-3-106011: Deny inbound (No xlate) icmp src

inside:10.10.2.201 dst inside:192.168.3.101 (type 0, code 0)

So far i understand that, as PIX is pointed as g/w for Host A and B,

when it receive and request for these two hosts it is trying to send

that request to outside (192.168.10.x) as these two hosts are

statically mapped in PIX.

Here is the route I put in Pix

route inside 192.168.3.0 255.255.255.0 10.10.2.1

Now How can I tell my PIX to route 192.168.3.0 kinda request to send

back to 10.10.2.1??

~M$

nihal.akbulut · ‎12-26-2003

Hi,

can you send your config of pix, especially your access-lists, access-groups, or conduits?

a.lysyuk · ‎12-26-2003

There is a limitation on PIX which prevents him from routing packet out the same interface the packet has come in. As far as the main task of PIX is to filter IP traffic based on a certain set of rules, there is a reason of such PIX behavior.