1. Home
  2. Cisco Systems
  3. PIX firewall (501 and 506) outside subnet not available to inside hosts

PIX firewall (501 and 506) outside subnet not available to inside hosts

I have a couple of client networks set up on our internet connection. They are behind PIX firewalls (both ver 6.x). One is a 501 and the other is a 506. Both firewalls are configured basically the same, and both exhibit the following problem.

The firewalls are configured for interface PAT. There is a server on each network that needs to be publicly accessible. So there is a "static" entry for the server.

The problem: Neither server is able to connect to any host on the same subnet as the outside interface of the PIX, and no host on that network can connect through the firewall to the server. I need to be able to get to hosts on that outside network from the servers inside the firewall, as that is where their outgoing mail server, their DNS server, and other services are located. Any inside client that gets the interface PAT address can contact these hosts without fail, it is only the server that uses a different address than the outside interface that can't connect to those hosts.

Here is what I hope is a legible diagram, indicating what hosts can be accessed from the server behind the firewall. The diagram is followed by the relevant lines from one of the configs.

SERVER_Private (192.168.5.10 mapped to XX.XXX.118.114) | | PIX 501 (outside int: XX.XXX.118.153 via DHCP) | |_________ Client_Server (XX.XXX.118.6) | | GATEWAY ROUTER (inside: XX.XXX.118.1)

So SERVER_Private can ping the inside interface of the PIX 501, and can telnet to the OUTSIDE interface of the GATEWAY ROUTER. SERVER_Private can NOT ping or telnet to Client_Server OR the inside interface of GATEWAY ROUTER. Client_Server cannot contact SERVER_Private even though all IP traffic has been allowed via access-list.

Config lines: ip address outside dhcp ip address inside 192.168.5.1 255.255.255.0 access-list 101 permit ip host XX.XXX.118.6 host XX .XXX.118.114 access-group 101 in interface outside global (outside) 1 interface nat (inside) 1 0.0.0.0 0.0.0.0 0 0 static (inside,outside) XX.XXX.118.114 192.168.5.10 netmask

255.255.255.255 0 0 route outside 0.0.0.0 0.0.0.0 10.1.1.1 1

I'm sure I'm missing something very basic, but please help me if you can.

Thanks

-Dan Horne

Reply to
texastoast
Loading thread data ...

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.