ASA is on 8.2(5) and the PIX is on 7.0(6)

Yes, 10.50.2.x exists on the ASA and 12.x.x.128 exists on the PIX. I know there is a combination of ACL and possibly NATs I just haven't nailed the right one. Interface dmz cannont ping 10.10.10.2 on the ASA yet I can ping 10.10.10.2 from the PIX if I don't specify an interface. I put a route on the PIX sending any request for the 10.50.2.x network to 10.10.10.2 because that should be it's next hop unknown to the PIX for that network I would think.

Note - before making any changes you need to check existing config to make sure you are not overriding anything else.

ASA

====

static (inside,dmz1) tcp 10.50.2.32 8888 10.50.2.32 8888

static (inside,dmz1) tcp 10.50.2.33 1560 10.50.2.33 1560

if there is no route for the pix 12.x.x.x network you will need one ie.

route (dmz1) 12.x.x.0 10.10.10.1

you will also need an acl entry allowing the traffci eg.

access-list dmz1 in permit tcp host 12.x.x.134 host 10.50.2.32 eq 8888

access-list dmz1 in permit tcp host 12.x.x.134 host 10.50.2.33 eq 1560

if there is already an acl on the dmz1 interface applied inbound obviously add to that rather than create a new one.

Pix

===

The security levels on dmz and dmz2 are the same so traffic should flow freely but this is dependant on whether or not you have "same-security-traffic permit inter-interface enabled" in the config of the pix. If yo do you do not need acls or NAT but you may want to control traffic between those interfaces o you may be using nat and or acls.

So it's a question. I'm not suggesting you enable or disable it without further info because obviously this could have  big impact on other traffic.

Jon

I had everything in there except for the NAT statements.

The "same-security-traffic permit inter-interface" is in the PIX so I'm not going to touch that. I just inherited all these networks months ago so just wrapping my head around everything at the moment. I attempted a route statement like you suggested on the ASA for 12.x.x.0 access and it broke things last time. Currently as far as I can tell traffic to that network is covered by the default and taken care of by one of the routers.

I have an ACL applied to interface dmz1 like this: access-group DMZ2IN in interface dmz1

Just go word they are still blocked.

I attempted a route statement like you suggested on the ASA for 12.x.x.0 access and it broke things last time. Currently as far as I can tell traffic to that network is covered by the default and taken care of by one of the routers.

If that's the case then what i gave you won't work. If the pix sends traffic to the ASA direct for 10.50.2.x but the return traffic goes via another interface on the ASA and enters a different interface on the pix then we need to trace the full path. So if you cannot add a route to the ASA for 12.x.x.x via the pix then we need the pix to send traffic for 10.50.2.x via a different path ie. via the router the ASA uses.

So can you trace the full path for me ie. ASA 10.5.2.x to pix 12.x.x.x and then we can go from there. Note that the pix will have to send traffic back the same path so it arrives on the correct ASA interface so that route on the pix will need removing. The acl entries and NAT entries i gave will also need removing as they are  not doing anything.

Jon

Yes, sorry I didn't mention the route before. When I started trying to get this working for the site I thought the way things are routing currently would cause problems.

So tracing from the 10.50.2.x network it leaves the ASA outside interface, to the Internet, then comes in the PIX outside interface.

Didn't mean to hit the correct button.

To be honest I have no idea. I don't think so if I'm understanding this correctly. In my mind it makes more sense for 10.50.2.x traffic destined for 12.x.x.x/27 to go from the ASA directly to the PIX and not outside. Like I said when I did a route stating that it broke a lot of things and I'm still not understanding why. I'm in the process of sanatizing my configs now to post at r/cisco.

I agree it would be easier to simply get the traffic to go direct. Bear in mind 12.x.x.x addressing is actually valid internet addressing. Have these addresses been assigned to you. I would have though it unlikely as they are class A addresses. If they haven't maybe that explains part of what went wrong.

Jon

Yes, I do realize they are valid Internet addresses. We have a range given to us by our ISP. These have been in place for quite some time as I understand it.

If the full configurations will help here they are.

ASA: http://pastebin.com/raw.php?i=EfgnGQF9

PIX: http://pastebin.com/raw.php?i=QenykNkm

I feel like I understand the big picture in how this should be setup but implementing this is clearly got me stumped. Still working my Cisco rep to get the serial number for the ASA under my CCO loging so I can open a ticket for configuration assistance.

Thanks for the configs.

Can you remember what broke when you added the route to the ASA ?  If we could sort that issue out i think we could go with the original solution and it would work fine.

Jon

Users on the 12.x.x.x segment lost access to the Internet. For all I know I put the route in wrong. I could have swore I put something like this:

route inside 12.x.x.x 255.255.255.224 10.10.10.1

10.10.10.1 being the interface on the PIX connected to the 10.10.10.2 ASA interface.

Couple of things -

the route should be -

route dmz1  12.x.x.x 255.255.255.224 10.10.10.1  ie. the interface should be dmz1 and not inside

the other thing is that you are also using 12.x.x.x addressing on your outside interface of the pix. Is this is a different subnet ie. you are definitely not overlapping are you ?

Jon