Some clients are on 192.168.5.0 and some are 192.168.10.0.

All clients can reach all the possible networks (also internet) and can ping.

Only from PIX Firewall I cannot ping the network 192.168.10.0.

I have also tried the following:

route inside 192.168.10.0 255.255.255.0

that didn't work.

!!!I wrote by mistake that I cannot ping network 192.168.5.0 from PIX. That works...Sorry!!!

Thanks for your reply.

Now I'm confused....could you post a "show route" on the pix?

Here it is:

outside 0.0.0.0 0.0.0.0 (ISP_IP Address) 1 PPPOE static

inside 192.168.5.0 255.255.255.0 192.168.5.254 1 CONNECT static

inside 192.168.10.0 255.255.255.0 192.168.5.254 1 OTHER static

outside (ISP_IP Address) 255.255.255.255 (ISP_IP Address) 1 CONNECT static

Hi

Your route to the 192.168.10.0 network is pointing to the same gateway as your route to the 192.168.5.0 network.

This is the problem. 192.168.5.254 is the inside interface of your pix. So your routing table says to get to 192.168.10.0 go to the inside interface of the pix which is clearly wrong.

You have 2 subnets in your network

192.168.5.0

192.168.10.0

Do you have a router internally that routes between these subnets. if you do, then you need to do as Adam has suggested and point a route to the 192.168.10.0 network to go via your internal router eg.

say your internal router interface had an ip address of 192.168.5.253. On the pix

route inside 192.168.10.0 255.255.255.0 192.168.5.253

If you don't have an internal router then how are your running two separate subnets internally ?

Hope this makes sense

Jon

Thank u Jon, That makes sense.

I have a Window 2003 Server configured as RRAS.

W2K3 have 2 interfaces:

Interface1 :192.168.5.200/24

Interface2 :192.168.10.200/24

from the Clients I have no problem.

Host 192.168.10.40 can ping 192.168.5.254(router inside)

new sh route:

outside 0.0.0.0 0.0.0.0 (ISP_IP Address) 1 PPPOE static

inside 192.168.5.0 255.255.255.0 192.168.5.254 1 CONNECT static

inside 192.168.10.0 255.255.255.0 192.168.5.200 1 OTHER static

outside (ISP_IP Address) 255.255.255.255 (ISP_IP Address) 1 CONNECT static

Still cannot access or ping 192.168.10.0 network from PIX

(config)# ping 192.168.10.200

192.168.10.200 NO response received -- 1000ms

192.168.10.200 NO response received -- 1000ms

192.168.10.200 NO response received -- 1000ms

AqidosPix(config)# ping 192.168.5.200

192.168.5.200 response received -- 0ms

192.168.5.200 response received -- 0ms

192.168.5.200 response received -- 0ms

Hi

I'm not familiar with RRAS but do you have IP routing functionality turned on on the W2K3 server.

one thing you can try which might help narrow down where the issue is, on the pix

debug packet inside dst 192.168.10.200

debug packet inside src 192.168.10.200

This should show you how far the pings are getting ie. are they just leaving the pix or are you seeing packets coming back.

Can you try pinging a host beyond the 192.168.10.200 interface - ie any other host on the 192.168.10.x subnet.

Jon

I coud not ping a host too, but host can ping router interface.

I think the packets are just leaving

here is the ping info:

-------- PACKET ---------

-- IP --

192.168.5.254 ==> 192.168.10.200

ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c

id = 0x5201 flags = 0x0 frag off=0x0

ttl = 0xff proto=0x1 chksum = 0xd7a8

-- ICMP --

type = 0x8 code = 0x0 checksum=0xf5d8

identifier = 0x1124 seq = 0x2

-- DATA --

00000010: 00 01 02 03 |

....

00000020: 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 | ..

..............

00000030: 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 64 | ..

..........d

--------- END OF PACKET ---------

192.168.10.200 NO response received -- 1000ms

--------- PACKET ---------

-- IP --

192.168.5.254 ==> 192.168.10.38

ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c

id = 0x5211 flags = 0x0 frag off=0x0

ttl = 0xff proto=0x1 chksum = 0xd83a

-- ICMP --

type = 0x8 code = 0x0 checksum=0xf5d8

identifier = 0x1124 seq = 0x2

-- DATA --

00000010: 00 01 02 03 |

....

00000020: 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 | ..

..............

00000030: 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 64 | ..

..........d

--------- END OF PACKET ---------

192.168.10.38 NO response received -- 1000ms

Routing is obviously working as you can get to the internet from the 10 network. Are you sure these hosts are pingable, can you ping them from the same network?

Yup,

Host are pingable.

Example

HostA can ping HostB on 192.168.10.0 network

Server can ping Hosts on 192.168.10.0 network

Hosts can ping both interfaces of PIX

PIX can ping nur Hosts on 192.168.5.0 network

but cannot ping 192.168.10.0 network including 192.168.10.200(RRAS server)

Also Server can ping both networks.

Network

=======

PIX(5.254)----(5.200)RRAS Server 2003(10.200)----(10.38)HostA----(10.40)HostB

|

HostC(5.10)

What is HostC connecting to in your diagram?

just for test purposes...

Hi

Okay this is getting very confusing :-).

Basically a ping from a client on 192.168.10.x will get a reply from the pix inside interface but the if the ping is initiated from the pix it doesn't work.

Do you have type of firewall on your 192.168.10.x clients that could be stopping this. unlikely as the pix can ping the 192.168.5.x addresses.

Only other thing i can think of at the moment is are there any settings in the RRAS configuration that would be stopping this.

What happens when you try and ping from a client in the 192.168.5.x network to a client in the 192.168.10.x network ?

Jon

It's very strange i know.

ping from a client in the 192.168.5.x network to a client in the 192.168.10.x network NOT WORKING!!!

ping from a client in the 192.168.10.x network to a client in the 192.168.5.x network WORKING (also can access resources ie:shared folders on 5.x client)

somehow routing or pinging works one-way

I'll stop all firewall, antivirus activities.