
Two subnets inside pix 1

Factor42
Jan 23, 2003
Hi there, I'm quite new to the world of PIX's and have recently bought and configured a PIX 515 for use on our network.
I've managed to configure it using its CLI to do standard firewall stuff for our network and to route through port 25 for email delivery to our Exchange server.
Problem is we have another site that connects into us and relies on us for the web.
Historically we had ISDN Dial on Demand which our other site accessed via a proxy server at our site.
Now, the routing I have set up correctly as far as I can see. Our servers have a DG of our Kilostream router, which is configured to send all 0.0.0.0 to the PIX. This works fine. Similarly, our remote site's Kilostream router sends all 0.0.0.0 to our Kilostream router, which should then in turn point it in the direction of the PIX.
Remote site can ping all machines/servers here but never the PIX itself.
This leads me to think the PIX doesn't have some kind of DG for our other subnet, I presume? How do I specify this?
Our subnet is 192.168.1.0, remote site 192.168.2.0, Kilostream routers have a mini subnet between each other of 192.168.100.0 but I don't think that's applicable - but just in case you need to know ;)

I would really love your help on this one guys as it's driving me mad and I'd loathe to put in place another proxy server.

Thanks!

P.S: I configured the PIX515 using both docs and this website as reference. Fantastic forum this!!
 
On the pix, either run RIP or do static routes.

route inside 192.168.1.0 255.255.255.0 192.168.100.xxx
route inside 192.168.2.0 255.255.255.0 192.168.100.xxx

Replace the .xxx w/ the ip of the router connecting those subnets.
 
HI.

If the pix is directly connected to 192.168.1.0, then you only need this one:
route inside 192.168.2.0 255.255.255.0 192.168.100.xxx

Now, here it is a bit more interesting:

First make sure that it is working after adding the route inside command.
Is it?

Second, you might wish to change the default gateway of internal hosts (assuming that the pix is also connected to 192.168.1.0 - if not, ignore the rest of my post).
Changing the DG of hosts can reduce load on the internal Kilostream router and improve network fault-tolerance (if the Kilostream fails, internal hosts can still access the Internet). However, such a change will make things a bit more complex because the PIX (unlike routers) does not send ICMP redirects, and does not forward packets to the same interface they came from:
thread35-149781

Therefore, if you change the DG of internal hosts, you need to configure them with a route to 192.168.2.0.
In many networks, only a few servers and the administrator's own workstation need access to the remote subnet, so you can configure a permanent static route on those hosts.
Or you can put a "route add ..." command in your login script to let all internal workstations access remote network.

Bye
Yizhar Hurwitz
 
Excellent! They can all now ping the PIX! Stupidly, I had already put in a route for my other subnet but put the last bit as my PIX internal IP instead of the WAN router. Short-sighted!
I've still got a problem though, it doesn't look as though they can browse the web. Is there some kind of rule I need to put in place to allow web traffic on the second subnet as well?
I realise this sounds a bit basic but I've really only started recently with this thing!

Thanks in advance!
 
Make sure that the hosts on the two subnets can ping your pix's inside IP address. If they can, then look into any filters you have on the pix. Otherwise there is still a routing problem.
 
Hi Baddos,

Well, they can all ping the router ok, both subnets can. Web browsing is fine on the subnet which is directly on the PIX but my remote subnet, despite pinging ok, cannot get web browsing.

You mentioned Filters, what would a filter be and would you be able to give me an example of one?

Thanks

 
HI.

> Well, they can all ping the router ok ...
You mean ping the PIX, not the router, right?

> Web browsing is fine on the subnet which is directly on the PIX but my remote subnet, despite pinging ok, cannot get web browsing.

Check NAT configuration.
If you only have:
nat (inside) 1 192.168.1.0 255.255.255.0
Then you will need to add:
nat (inside) 1 192.168.2.0 255.255.255.0

You should also try to telnet to the perimeter (outside) router. What do you get?

You should also start using syslog messages on the pix to monitor and troubleshoot it.
Start with level 4 (warnings).

Bye
Yizhar Hurwitz
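Pulling the three points in this thread together (the route to the remote subnet must point at the Kilostream router rather than the PIX's own inside address, the remote subnet needs its own nat (inside) line before it can browse, and an inside host that uses the PIX as its DG still needs a host route to 192.168.2.0 because the PIX will not hairpin), here is an added Python model of those forwarding decisions. It is not PIX code and was not posted in the thread; the PIX outside address (10.0.0.2/30), the ISP next hop (10.0.0.1), the local Kilostream router's inside-LAN address (192.168.1.254) and the host addresses are constructed assumptions, and the "route points at the PIX itself" rule is a simplification of how the PIX handles a gateway equal to its own interface address.

```python
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Constructed addressing for the model (assumptions, not from the thread):
# PIX inside 192.168.1.1/24, outside 10.0.0.2/30 with the ISP at 10.0.0.1;
# local Kilostream router on the inside LAN as 192.168.1.254; remote LAN 192.168.2.0/24.
PIX_INSIDE = "192.168.1.1"
KILO_INSIDE = "192.168.1.254"
REMOTE_HOST = "192.168.2.10"
WEB_SERVER = "203.0.113.80"


@dataclass
class Route:
    iface: str        # interface the route points out of
    prefix: Net
    next_hop: IPv4


def longest_match(routes, dst):
    """Plain longest-prefix match over a list of Route objects (None if no hit)."""
    dst = IPv4(dst)
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


@dataclass
class Pix:
    """Simplified PIX 6.x forwarding model: connected subnets, static routes,
    nat (inside) coverage, and the rule that a packet never leaves through the
    interface it arrived on. Decision logic only, not PIX configuration."""
    inside_ip: IPv4
    inside_net: Net
    outside_ip: IPv4
    outside_net: Net
    routes: list = field(default_factory=list)
    nat_inside: list = field(default_factory=list)

    def route(self, iface, prefix, next_hop):
        """Equivalent of: route <iface> <net> <mask> <next_hop>"""
        self.routes.append(Route(iface, Net(prefix), IPv4(next_hop)))

    def nat(self, prefix):
        """Equivalent of: nat (inside) 1 <net> <mask>"""
        self.nat_inside.append(Net(prefix))

    def forward(self, in_iface, src, dst):
        """Verdict for a packet that arrived on in_iface, as a short string."""
        src, dst = IPv4(src), IPv4(dst)
        out_iface = gw = None
        for iface, net in (("inside", self.inside_net), ("outside", self.outside_net)):
            if dst in net:                      # directly connected: deliver ourselves
                out_iface, gw = iface, dst
        if out_iface is None:
            r = longest_match(self.routes, dst)
            if r is None:
                return f"drop: no route to {dst}"
            out_iface, gw = r.iface, r.next_hop
            if gw in (self.inside_ip, self.outside_ip):
                # Gateway is the PIX's own address (the poster's first mistake). Modelled
                # as: the PIX must ARP for dst on that segment itself, and dst is not there.
                return f"drop: route for {r.prefix} points at the PIX itself and {dst} is not on {out_iface}"
        if out_iface == in_iface:
            return f"drop: would leave via {in_iface}, the interface it arrived on"
        if in_iface == "inside" and out_iface == "outside":
            if not any(src in n for n in self.nat_inside):
                return f"drop: no nat (inside) statement covers {src}"
        return f"forward: out {out_iface} via {gw}"


def build_pix(remote_gw, nat_remote):
    """PIX with a default route, the route to the remote site via remote_gw,
    NAT for the local LAN, and optionally NAT for the remote LAN."""
    pix = Pix(IPv4(PIX_INSIDE), Net("192.168.1.0/24"), IPv4("10.0.0.2"), Net("10.0.0.0/30"))
    pix.route("outside", "0.0.0.0/0", "10.0.0.1")
    pix.route("inside", "192.168.2.0/24", remote_gw)
    pix.nat("192.168.1.0/24")
    if nat_remote:
        pix.nat("192.168.2.0/24")
    return pix


def host_next_hop(dst, static_routes=()):
    """Inside host whose DG is the PIX; static_routes models a 'route add ...'."""
    table = [Route("lan", Net("0.0.0.0/0"), IPv4(PIX_INSIDE))] + list(static_routes)
    return str(longest_match(table, dst).next_hop)


def scenarios():
    """The thread's stages, in order, plus the host-route point from the third post."""
    wrong_gw = build_pix(PIX_INSIDE, nat_remote=False)   # route via the PIX's own IP
    routed = build_pix(KILO_INSIDE, nat_remote=False)    # route fixed, NAT not yet
    fixed = build_pix(KILO_INSIDE, nat_remote=True)      # route and NAT fixed
    return {
        "reply_wrong_gw": wrong_gw.forward("outside", WEB_SERVER, REMOTE_HOST),
        "reply_fixed_gw": routed.forward("outside", WEB_SERVER, REMOTE_HOST),
        "web_no_nat": routed.forward("inside", REMOTE_HOST, WEB_SERVER),
        "web_with_nat": fixed.forward("inside", REMOTE_HOST, WEB_SERVER),
        "hairpin_via_pix": fixed.forward("inside", "192.168.1.20", REMOTE_HOST),
        "host_dg_only": host_next_hop(REMOTE_HOST),
        "host_with_route_add": host_next_hop(
            REMOTE_HOST, [Route("lan", Net("192.168.2.0/24"), IPv4(KILO_INSIDE))]),
    }
```

Running `scenarios()` walks the thread in order: replies to 192.168.2.10 die while the route's gateway is the PIX's own address, flow once it is the Kilostream router, outbound web traffic from the remote LAN is still dropped until the second nat (inside) line exists, and an inside host that sends 192.168.2.0 traffic to the PIX gets it dropped at the same-interface check unless it carries its own route to the Kilostream router.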
 