Redirection of Traffic

refram
Level 3

I have a PIX 501 that I put in place at a client's office. They already have a 2501 router that connects through dedicated lines to two different branches of their business. The IP of the PIX is 192.168.0.100. The network of the local LAN is 192.168.0.0/24, the remote LANs are 192.168.1.0/24 and 192.168.2.0/24. Everyone in the local office uses the IP of the firewall as the gateway to the internet.

I need to have local traffic stay on the local network, internet traffic must go through the PIX to the outside world, and traffic going to the 2 remote networks must go through the router at 192.168.0.101.

The lines that I think are the important configurations are:

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside dhcpd
ip address inside 192.168.0.100 255.255.255.0
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 <IP address of next hop router at ISP> 1
route inside 192.168.1.0 255.255.255.0 192.168.0.101 1
route inside 192.168.2.0 255.255.255.0 192.168.0.101 1

With this I can hit the internet from my workstations, but I can't hit the two remote networks. I can, however, ping the two remote networks from the PIX.

Thanks for any help,

Paul

2 Replies

froggy3132000
Level 3

The easiest thing to do is turn on logging and see what is being denied.

logging on
logging timestamp
logging console debugging

Then make changes accordingly.

pcarvill
Level 1

The PIX will not redirect traffic back through the interface where it was received, as it is not a router. Better to use 192.168.0.101 as the default gateway and have a 0.0.0.0/0 pointing to the firewall for internet connectivity, plus separate routes to the other offices if not using a dynamic routing protocol.

You can remove the two 192 addresses on your firewall if these offices are not browsing internet through this gateway.
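The forwarding rule pcarvill describes is easy to check with a small simulation. The following is an added example, not code or configuration from the thread, from Cisco, or from either poster. It reproduces the PIX routing table from the original post and a 2501 table matching the reply's suggested design, then traces where a LAN host's packet ends up with each device as the default gateway. The router's table, its interface names (Ethernet0, Serial0, Serial1) and the ISP next hop (203.0.113.1, an RFC 5737 documentation address standing in for the elided value) are assumptions made for illustration; the PIX's "no hairpin" behaviour is modelled as the reply states it, not from PIX internals.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    iface: str
    next_hop: Optional[ipaddress.IPv4Address]  # None means directly connected


class Device(NamedTuple):
    routes: List[Route]
    lan_ip: str
    lan_iface: str
    hairpin_ok: bool  # may a packet leave via the interface it arrived on?


def route(prefix, iface, next_hop=None):
    return Route(ipaddress.ip_network(prefix), iface,
                 ipaddress.ip_address(next_hop) if next_hop else None)


LAN = ipaddress.ip_network("192.168.0.0/24")

# PIX table as posted in the thread. The ISP next hop is elided there;
# 203.0.113.1 (RFC 5737 documentation range) is an assumed placeholder.
PIX_ROUTES = [
    route("192.168.0.0/24", "inside"),
    route("0.0.0.0/0", "outside", "203.0.113.1"),
    route("192.168.1.0/24", "inside", "192.168.0.101"),
    route("192.168.2.0/24", "inside", "192.168.0.101"),
]

# The 2501's table is not shown in the thread; this is the design the reply
# describes. Serial0/Serial1 as the branch links are assumptions.
ROUTER_ROUTES = [
    route("192.168.0.0/24", "Ethernet0"),
    route("192.168.1.0/24", "Serial0"),
    route("192.168.2.0/24", "Serial1"),
    route("0.0.0.0/0", "Ethernet0", "192.168.0.100"),
]

DEVICES = {
    "pix": Device(PIX_ROUTES, "192.168.0.100", "inside", hairpin_ok=False),
    "router": Device(ROUTER_ROUTES, "192.168.0.101", "Ethernet0", hairpin_ok=True),
}


def lookup(routes, dst):
    """Longest-prefix match over a static table; returns the Route or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def path(dst, gateway, devices=DEVICES):
    """Trace a packet from a LAN host whose default gateway is `gateway`.
    Returns the devices and final egress interface it traverses, or ends
    the list with a "DROP ..." marker."""
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip in LAN:
        return ["direct"]               # same subnet: no gateway involved
    by_ip = {d.lan_ip: name for name, d in devices.items()}
    hops = []
    current = gateway
    for _ in range(8):                  # guard against routing loops
        dev = devices[current]
        hops.append(current)
        r = lookup(dev.routes, dst_ip)
        if r is None:
            hops.append("DROP (no route)")
            return hops
        # The packet arrived on dev.lan_iface. A device that refuses to
        # hairpin drops it when the best route points back out that interface.
        if r.iface == dev.lan_iface and not dev.hairpin_ok:
            hops.append("DROP (egress is the ingress interface)")
            return hops
        if r.next_hop is not None and str(r.next_hop) in by_ip:
            current = by_ip[str(r.next_hop)]   # hand off to the other LAN device
            continue
        hops.append(r.iface)
        return hops
    hops.append("DROP (loop)")
    return hops


if __name__ == "__main__":
    for gw in ("pix", "router"):
        for dst in ("192.168.1.5", "198.51.100.10"):
            print(f"gateway={gw:6} dst={dst:15} -> {' -> '.join(path(dst, gw))}")
    # Traffic the PIX originates itself has no ingress interface, so the
    # hairpin rule never applies: that is why pinging from the PIX works.
    print("PIX's own route to 192.168.1.5:", lookup(PIX_ROUTES, "192.168.1.5"))
```

With the PIX as gateway, a packet for 192.168.1.5 matches the "route inside 192.168.1.0" entry, which points back out "inside", and is dropped; internet-bound traffic still exits "outside". With the 2501 as gateway, branch traffic leaves on the serial links and only internet-bound traffic is handed to the PIX, which then sees it arrive on "inside" and leave on "outside" as intended. The PIX's own pings succeed because locally generated traffic has no ingress interface to conflict with.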