hello, thanks for the reply.

I tried but didn't solved, the clients on the inside (10.98.98.x) doens't ping the outside lan (10.0.0.x). Any tip? what I'm doing wrong with this configuration?

Are you sure that the outside and inside clients have the right network?

The inside clients must have 10.98.98.254 and the outside clients needs the

10.0.0.35 as standard gateway.

I've tried to set the gateway on 10.0.0 clients as you suggeested; but didn't solved. On the 10.98.98 the gateway was already configured.

Of course indipendely from the gateway setting all the client on 10.98.98.x can ping 10.98.98.254 and all the client on 10.0.0.x can ping 10.0.0.35.

From the pix console I can ping correctly all the clients attached on both lans, so for me there arn't network problems, seems that simply the pix routing doens't work for some reason...

Morning,

i think i see your problem. You must define a static to translate the internal network to external.

Please configure the following:

static (inside,outside) 10.98.98.0 10.98.98.0 netmask 255.255.255.0

Kind regards.

hello,

excuse me if this time I was a little slow to try and then answer.

I tried adding to the pix configuration the command that you suggested but nothing changes; routing doesn't work...

Please send me the complete configuration with a pic of the network.

: Saved

:

PIX Version 6.3(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname internetfree

names

access-list acl_in permit icmp any any

access-list acl_out permit icmp any any

no pager

icmp permit any outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside 10.0.0.35 255.255.255.0

ip address inside 10.98.98.254 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

nat (inside) 0 10.98.98.0 255.255.255.0 0 0

static (inside,outside) 10.98.98.0 10.98.98.0 netmask 255.255.255.0 0 0

access-group acl_in in interface inside

route outside 0.0.0.0 0.0.0.0 10.0.0.20 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:c71c5b985c3fd41fd7d036e32ef9ee97

: end : Saved:

the network scheme is attached into my first post but actually since I wasn't able to get it work I'm just using the pix, one pc connected into inside and another pc connected into outside; anyway the scheme and the ip are still valid.

Ok, bound the outside access-list to the outside interface and you receive the icmp echo-reply.

access-group acl_out in interface outside

If you activate logging you will see denied icmp echo-reply packets against the outside interface.

with this the routing now works! thank you.

I have only another big problem, the routing works only if the pc have the pix as gateway; but in the final scenario I need to place an internet router on the 10.0.0.x side; so this router cannot have the pix as gateway.

I think this problem would be simple to solve if, from the internet router, I would be able to set a static route but I want to do this only if is necessary. There is a way to bypass the problem via pix?

Ok, you need only access from the internal network 10.98.98.0/24 to the internet and the internet router???

The secure way is -> enable nat.

Take the following to do this:

no nat (inside) 0 10.98.98.0 255.255.255.0 0 0

no static (inside,outside) 10.98.98.0 10.98.98.0 netmask 255.255.255.0 0 0

nat (inside) 1 10.98.98.0 255.255.255.0

global (outside) 1 interface

With this setup you don't need a static route at the internet router side. All clients in the network 10.98.98.0/24 are translated to the external ip address of the pix.

thank you very much; now also this problem is solved.

I have only another question for you, I downloded the pix manual but all the step by step examples are incomplete and unuseful for unskilled user. How can I enable and view logs to see if some rules are blocking some traffic? For example the ping works perfectly but I cannot surf the web now and I think that the pix is blocking something (the port 80 for sure). If I will be able to check logs I think that I will be able to solve all the problems by myself... thank you again.