
Firewall Questions (PIX)


D. P. Bullington

Mar 28, 2003, 11:09:19 PM
Hello all. I have the job of setting up a rather simple (I hope) firewall
config using a PIX 515e. Now, I am new at the PIX so please excuse...


Our network is rather simple. We will have a T1 (with a class C block
subnetted into a /26, yielding 4 subnets of 60 hosts, let's say 1.1.1.0 for
sanitization) coming into a CSU/DSU then into a Cisco 2500 router. The router
then enters a Cisco 1900 hub. This is subnet 0. The PIX outside interface
connects to the hub, and its default route is the router. The PIX has a DMZ
interface which is subnet 1, with some servers. The PIX has an inside
interface which is subnet 2, again having client machines.


Now, I have configured the PIX (see sanitized config list below). From a
host on the inside interface OR the DMZ interface, I can ping and telnet
into the hub on the outside. I cannot, however, get to any other machine on
subnet zero, or get past the router. If I ping a web server across the
Internet from the PIX going out of the outside interface, it
succeeds, thus proving connectivity.


I am NOT using, nor wish to use, NAT on the PIX. I wish to understand why I
cannot get to anything other than the hub on the outside from the inside or
DMZ.

Any help or additional advice would be much appreciated.

Thanks in advance.

DPB


<PIX config dump>


PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password __sanitized__ encrypted
passwd __sanitized__ encrypted
hostname thepix
domain-name example.com
fixup protocol ftp 21
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol http 80
names
access-list inside_access_in permit ip any any
access-list acl_allow_icmp permit icmp any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 1.1.1.2 255.255.255.192
ip address inside 1.1.1.129 255.255.255.192
ip address dmz 1.1.1.65 255.255.255.192
ip audit info action alarm
ip audit attack action alarm
pdm location 1.1.1.190 255.255.255.255 inside
pdm location 1.1.1.1 255.255.255.255 inside
pdm location 1.1.1.1 255.255.255.255 dmz
pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
access-group acl_allow_icmp in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 1.1.1.190 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 1.1.1.190 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:__sanitized__
: end
[OK]


</PIX config dump>


PES

Mar 29, 2003, 12:09:14 AM
Does your router have static routes to all 3 subnets pointing back to the
PIX? When you are pinging from the PIX, you are pinging from an IP that
your router has in its table. When you are trying the same from a host, the
router is only going to know about its /26 unless you statically route it
back to the other three. Thus the packets go out, and the return traffic makes it
to the router, where it drops it.

"D. P. Bullington" <dpbull...@hotmail.com> wrote in message
news:P%8ha.6379$0g4.1...@news2.east.cox.net...
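The router side of the fix PES describes, as an added example (this is not from the thread, and nobody in it posted the 2500's config). Everything it assumes is read off the PIX dump: 1.1.1.1 is the router, since it is the PIX's `route outside` next hop; 1.1.1.2 is the PIX outside address; the DMZ is 1.1.1.64/26 and the inside is 1.1.1.128/26. The LAN interface name Ethernet0 is a guess for a 2500. The PIX already has `nat (inside) 0` and `nat (dmz) 0`, so the missing piece is return routing, not translation.

```cisco
! Added example, not from the original thread.
! Cisco 2500 (IOS) between the T1 CSU/DSU and the subnet-0 hub.
!
! Assumed from the PIX dump:
!   router LAN address 1.1.1.1/26 (the PIX default route)
!   PIX outside address 1.1.1.2
!   DMZ 1.1.1.64/26, inside 1.1.1.128/26
! Assumed interface name (not in the post): Ethernet0
!
interface Ethernet0
 ip address 1.1.1.1 255.255.255.192
 no shutdown
!
! Without these two statics a reply to 1.1.1.130 matches only the
! router's default route and leaves on the T1 toward the ISP instead
! of being handed to the PIX.
ip route 1.1.1.64 255.255.255.192 1.1.1.2
ip route 1.1.1.128 255.255.255.192 1.1.1.2
!
! Hosts on subnet 0 carry only a /26 mask, so their replies to the
! DMZ and inside subnets go to their default gateway; point that
! gateway at 1.1.1.1 so the statics above apply to them as well.
!
! Check after applying:
!   show ip route 1.1.1.130
! should show the static with next hop 1.1.1.2, not the default route.
```

Once these routes are in, the router forwards anything from the Internet destined for 1.1.1.64/26 or 1.1.1.128/26 to the PIX, so the PIX access lists are the only filter in front of the servers. The dump's outside ACL permits ICMP only, which is a reasonable starting point, but `snmp-server community public` on the PIX itself is worth changing before the box goes live.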

D. P. Bullington

Mar 29, 2003, 12:07:33 AM
Even if pinging a host on subnet 0 from, say, subnet 1, not outbound of
the router?

Thanx, DPB

"PES" <pest...@adelphia.net> wrote in message
news:3e852968$1...@news.iglou.com...

PES

Mar 29, 2003, 12:17:34 AM
Don't matter. If you ping a host on subnet 0, that host has a mask of /26
right? If so, then how does it know how to get back to subnet 1? It would
either have to have 3 additional static routes in its own route table, or
hand the return packets to the router. Then what is the router going to do
with it?

"D. P. Bullington" <dpbull...@hotmail.com> wrote in message

news:pS9ha.6724$0g4.1...@news2.east.cox.net...

D. P. Bullington

Mar 29, 2003, 9:00:35 AM
Duh...brain fart on my part...I did not think the issue was w/ the pix,
rather something routing or other based...Thanx ...

DPB


"PES" <pest...@adelphia.net> wrote in message

news:3e852...@news.iglou.com...

Chris Patch

Mar 30, 2003, 1:04:18 AM
you need static statements for your networks
Even if you are not doing nat.

so if network 1.1.1.0 is on interface inside and you do not want it to be
NATed going through to the outside interface, try the following:

static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.0


"D. P. Bullington" <dpbull...@hotmail.com> wrote in message
news:P%8ha.6379$0g4.1...@news2.east.cox.net...
