Routing between subnets and Pix 501

[1mack1]

I am trying to get a pix 501 to route between two subnets.
show route =
outside 0.0.0.0 0.0.0.0 10.2.7.254 2 OTHER static
outside 10.2.7.0 255.255.255.0 10.2.7.249 1 CONNECT static
inside 172.28.6.0 255.255.255.0 172.28.6.1 1 CONNECT static

Outside in = 10.2.7.249/24 inside 172.28.6.1/24

From the console i can ping hosts on both subnets

but do not have conmms between hosts on either subnet.

10.2.7.254 is gateway to other subnets from 10.2.7.0/24 network.

Any help gratefully accepted

Mack

 

[KiscoKid]

Maybe I'm not understanding your question but are you interested in routing between 10.2.7.0/24 and 172.28.6.0/24?

I may have got he wrong end of the stick here but the PIX does not make routing decisions like a router does for example unless your question is based on how do you route from the inside network to the outside network.

Could you clarify?

Ta

 

[1mack1]

Yes sorry I want to ruote from inside outside. At the moment I have only on inside network that can ping the inside interface but cannot see anything on the outside network.

How can I make this happen ? is it a nat issue ?

Mack

 

[ChrisAC]

Config?

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************

 

[1mack1]

:
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Oop5R6t0kum3Ebn0 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname MoultonPaddocks
domain-name secure.godolphin.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any echo-reply outside
icmp permit any outside
icmp permit any echo-reply inside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 10.2.7.249 255.255.255.0
ip address inside 172.28.6.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
static (inside,outside) 172.28.6.0 10.2.7.0 netmask 255.255.255.255 0 0
rip outside default version 1
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 10.2.7.254 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.2.7.0 255.255.255.0 outside
http 172.28.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:8cffdf8ee49745c09e7314de903379be
: end

 

[ChrisAC]

Either change

static (inside,outside) 172.28.6.0 10.2.7.0 netmask 255.255.255.255

to

static (inside,outside) 10.2.7.0 172.28.6.0 netmask 255.255.255.0

or remove it completely and use;

static (inside) 1 172.28.6.0 255.255.255.0
global (outside) 1 10.2.7.1-10.2.7.253 netmask 255.255.255.0

or global (outside) 1 interface

This will allow traffic from the inside to the outside only. If you want connections both ways and this is on a LAN then you would be far better off with a router.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************