
pix between two networks?


porress

IS-IT--Management
Oct 2, 2003
Hi!
I want to implement a PIX between two networks like this:

INTERNET---ROUTER 02(ISP firewall)----LGFL NETWORK(all schools in London)-----ROUTER 01----(my FIREWALL)----(my internal network)

My network uses a 10.104.28.0/22 subnet mask. The problem is that the PIX needs a configuration for the outside interface to router01, which I don't have, as my ISP only supplied me with 1 subnet. I could call them so they give me a subnet like 10.104.32.0/29 just for the outside interface to router01, but I was thinking: is there any way to configure the firewall so I could use just 10.104.28.0/22 to set up my firewall? I guess the answer is no. Maybe? Any ideas...
 
More details, guys...
I have tried this configuration, but it doesn't allow me to ping from any PC on the inside, although I can reach everywhere from the firewall console.

Protector# show running-config
: Saved
:
ASA Version 7.0(5)
!
hostname Protector
enable password ******* encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.104.26.2 255.255.254.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.104.28.2 255.255.252.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd ********* encrypted
ftp mode passive
access-list NoNat extended permit ip any any
access-list in-out extended permit ip any any
access-list in-out extended permit icmp any any
access-list in-out extended permit udp any any
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list NoNat
access-group in-out in interface inside
route outside 0.0.0.0 0.0.0.0 10.104.26.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
Cryptochecksum:78787878787878787878788787
: end

 
Try adding this

policy-map global_policy
class inspection_default
inspect icmp error

or you can type
fixup icmp error

and that should allow translations of the icmp and errors to return to the inside hosts.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Thanks! But it still doesn't work. No traffic from inside to outside, I don't understand. The test client configuration on the inside is:

ip: 10.104.28.34
subnet mask: 255.255.252.0
gateway: 10.104.28.2 (firewall); I have also tried the router (10.104.26.1) and that doesn't work either.

dns server: 10.104.28.10
 
Curious - Why do you have this statement in your config
access-list NoNat extended permit ip any any
Are you getting any traffic out?



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I am not getting any traffic in or out. My ISP provides NAT translation to the internet, so I don't need it on my firewall; basically I just need filtering between two private networks, but I can't get any traffic between the two of them or the internet...
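As an added example (not code from the thread), a small Python checker run over a trimmed, constructed copy of the running-config posted above. It flags the two things this thread turns on: interface subnets that overlap (the reason the outside link to router01 needs its own subnet, however small), and a missing `inspect icmp`, without which echo replies are not matched back to the inside host's echo requests. It also reports a default-route next hop that is off-link and any access-list that permits ip any any.

```python
import ipaddress
import re
# Constructed sample: a trimmed copy of the ASA running-config posted above.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 10.104.26.2 255.255.254.0
interface Ethernet0/1
 nameif inside
 ip address 10.104.28.2 255.255.252.0
access-list NoNat extended permit ip any any
access-list in-out extended permit ip any any
route outside 0.0.0.0 0.0.0.0 10.104.26.1 1
"""

def parse_interfaces(config):
    """Map each nameif to its ip_interface (address plus mask)."""
    ifaces, name = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            name = None                      # new interface block
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            _, _, ip, mask = line.split()
            ifaces[name] = ipaddress.ip_interface(f"{ip}/{mask}")
    return ifaces

def check_config(config):
    """Return findings a reviewer would raise on an ASA running-config."""
    findings, ifaces = [], parse_interfaces(config)
    names = list(ifaces)
    # The ASA rejects an interface address whose subnet overlaps another interface's.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                findings.append(f"interfaces {a} and {b} have overlapping subnets")
    for m in re.finditer(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M):
        iface, nexthop = m.group(1), ipaddress.ip_address(m.group(2))
        if iface in ifaces and nexthop not in ifaces[iface].network:
            findings.append(f"route next hop {nexthop} is not on {iface}")
    for m in re.finditer(r"^access-list (\S+) extended permit ip any any", config, re.M):
        findings.append(f"ACL {m.group(1)} permits ip any any (no filtering)")
    # Without ICMP inspection, replies are not matched to outbound echo requests.
    if not re.search(r"^\s*inspect icmp", config, re.M):
        findings.append("no 'inspect icmp': ping replies to inside hosts are dropped")
    return findings
```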
 