PIX routing

**ps3cheats** · 25-Mar-2007, 10:45 PM

Hi,

we have 2pix firewalls set as follows;

server --->pix1>---internet---->pix2>------router>---lan

from 'lan', we get to internet and to 'server' no problem.

from server we cannot get to lan.

pix1 allows all outbound and inboubd to server from lan(as per above confirmed).

pix2 allows server inbound to lan + has route statement pointing to router for internal lan. We know route statements work as lan can browse internet.

heres the issue. server cannot reach lan devices, it can reach router which is connected to pix2. If a device on 'lan' pings server behind pix1, server is then able to connect to the device in the lan.

only the devices in lan which ping the server are able to have a session initiated from server to lan device.

This seems very strange. If there is no ping from the lan, traceroutes from the server only go as far as pix1.

fyi - theres no nat, not vpns , this is purely ip with real addresses (no rfc 1918)

does anyone have ideas, this seems perplexing.

**ps3cheats** · 25-Mar-2007, 10:46 PM

Now if you can't provide the config, it will be a little difficult to analyze things. Anyways, make sure all the internal ip's on pix2's side is static natted and available to internet. Only then an outgoing connection will go through. Also make sure to make the acls

25-Mar-2007, 10:45 PM	#1 (permalink)
ps3cheats Fixed Error! Posts: 1,497 Join Date: Mar 2007 Rep Power: 3 IM:	PIX routing Hi, we have 2pix firewalls set as follows; server --->pix1>---internet---->pix2>------router>---lan from 'lan', we get to internet and to 'server' no problem. from server we cannot get to lan. pix1 allows all outbound and inboubd to server from lan(as per above confirmed). pix2 allows server inbound to lan + has route statement pointing to router for internal lan. We know route statements work as lan can browse internet. heres the issue. server cannot reach lan devices, it can reach router which is connected to pix2. If a device on 'lan' pings server behind pix1, server is then able to connect to the device in the lan. only the devices in lan which ping the server are able to have a session initiated from server to lan device. This seems very strange. If there is no ping from the lan, traceroutes from the server only go as far as pix1. fyi - theres no nat, not vpns , this is purely ip with real addresses (no rfc 1918) does anyone have ideas, this seems perplexing.

25-Mar-2007, 10:46 PM	#2 (permalink)
ps3cheats Fixed Error! Posts: 1,497 Join Date: Mar 2007 Rep Power: 3 IM:	Re: PIX routing Now if you can't provide the config, it will be a little difficult to analyze things. Anyways, make sure all the internal ip's on pix2's side is static natted and available to internet. Only then an outgoing connection will go through. Also make sure to make the acls

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)