Routing problem

Hello everybody,

Here is my office network.

The DMZ reaches the Internet via the PIX firewall and the VLANs via the Sonicwall firewall. The first switch, a Cisco 3560G, is in charge of InterVlan routing.

NAT is activated on the PIX.

Here is the routing table of the switch.

    192.168.2.0/29 is subnetted, 1 subnets
    C    192.168.2.0 is directly connected, GigabitEthernet0/1
    192.168.1.0/24 is variably subnetted, 3 subnets
    C    192.168.1.64/27 is directly connected, Vlan3
    C    192.168.1.32/27 is directly connected, Vlan2
    C    192.168.1.160/27 is directly connected, Vlan1
    192.168.3.0/29 is subnetted, 1 subnets
    C    192.168.3.0 is directly connected, GigabitEthernet0/2
    S    192.168.4.0/24 [1/0] via 192.168.3.1
    S*   0.0.0.0/0 [1/0] via 192.168.2.1

The second switch's routing table is empty. There's only a default gateway to the first switch.

Here is the routing table of the PIX.

    outside 0.0.0.0 0.0.0.0 XX.XX.XX.17 1 OTHER static
    outside XX.XX.XX.16 255.255.255.240 XX.XX.XX.18 1 CONNECT static
    inside 192.168.1.32 255.255.255.224 192.168.3.2 1 OTHER static
    inside 192.168.1.64 255.255.255.224 192.168.3.2 1 OTHER static
    inside 192.168.1.160 255.255.255.224 192.168.3.2 1 OTHER static
    inside 192.168.3.0 255.255.255.248 192.168.3.1 1 CONNECT static
    inside 192.168.2.0 255.255.255.248 192.168.3.2 1 OTHER static
    dmz 192.168.4.0 255.255.255.0 192.168.4.1 1 CONNECT static

I can ping everything from the pix.

From the first switch, I can ping everything too except the DMZ interface on the Pix, but I can ping the DMZ's hosts.

From a host in VLAN 1 (for example), I can ping the inside interface on the Pix but not the dmz one, nor the DMZ's hosts.

My problem is that I want the VLAN hosts to reach the servers in the DMZ.

Thanks for your help. If you need more information, don't hesitate.

Reply to
jp

You may wish to investigate Cisco PIX Tac case:

http://129.41.16.73/security/showcase?case=K10055697

Sincerely,

Brad Reese
BradReese.Com Cisco Repair Service Experts
Hendersonville Road, Suite 17, Asheville, North Carolina 28803 USA
USA & Canada: 877-549-2680 International: 828-277-7272

Reply to
www.BradReese.Com

In article , jp wrote:
:From the first switch, I can ping everything too except the DMZ
:interface on the Pix but I can ping the DMZ's hosts.
:From a host in VLAN 1 (for example), I can ping the inside interface on
:the Pix but not the dmz one

In PIX 6.x, you can only ping your "closest" PIX interface.

Reply to
Walter Roberson

So do I need to upgrade my PIX firewall?

Reply to
jp

In article , jp wrote:
:So do I need to upgrade my PIX firewall?

You dropped off the context in reply to a posting several days old :(

Context: I wrote

:> In PIX 6.x, you can only ping your "closest" PIX interface.

:So do I need to upgrade my PIX firewall?

Your original posting indicated two problems: that you could not ping the pix dmz interface from some inside hosts, and that you could not ping hosts that are on the dmz interface from some inside hosts.

My reply addressed part of that: that you shouldn't expect to be able to ping the dmz interface address from those hosts, at least not in PIX 6.x.

I do not have a spare device to test out 7.0 on, so I do not know if you are able to ping other interfaces in 7.0... I suspect not. And if you were able to do so, is it worth upgrading just for that?

On the matter of the inside hosts not being able to ping the dmz hosts: to diagnose that, we would need to be shown the ACL applied to the inside interface, the ACL applied to the dmz interface, and all relevant 'static', 'nat', and 'global' commands, and any ACLs that those commands might happen to reference.

My configuration is somewhat similar, and I am able to ping the dmz hosts from the vlan'd inside hosts, so it is not a general PIX limitation.

Reply to
Walter Roberson

Thanks for your help.

I can ping DMZ hosts from inside hosts now. I forgot to create NAT rules for each VLAN.

But I want to know if a DMZ host can ping an inside host. I think not but I'm not sure.

Reply to
jp

In article , jp wrote:
:I can ping DMZ hosts from inside hosts now.

This thread is several days old; please include context, especially for older threads. You know what you're talking about, but I read hundreds of postings per day.

:I forgot to create NAT rules for each VLAN.

:But I want to know if a DMZ host can ping an inside host.
:I think not but I'm not sure.

Yes, DMZ hosts can ping inside hosts, if the proper ACL and static (or nat 0 access-list) entries are made.

Reply to
Walter Roberson
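As an added illustration (not configuration posted by anyone in this thread), here is what the "proper ACL and static" entries Walter mentions could look like in PIX 6.x syntax for this network: an identity static that presents the VLAN 1 subnet to the dmz interface, plus an ACL on dmz that lets the DMZ servers send only ICMP echo toward VLAN 1 while keeping their Internet access. The ACL name dmz_in and the choice of VLAN 1 as the only reachable inside subnet are my assumptions; the addresses are the thread's own.

```cisco
! Identity static: make 192.168.1.160/27 (VLAN 1) reachable from the dmz
! interface under its real addresses. Without a translation the PIX will
! not build a connection from the lower-security dmz to inside at all.
static (inside,dmz) 192.168.1.160 192.168.1.160 netmask 255.255.255.224

! Alternative to the static (use one or the other): exempt the whole
! inside<->dmz exchange from NAT. This also covers the inside -> dmz
! direction jp had to add NAT rules for.
! access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
! nat (inside) 0 access-list nonat

! Least privilege on the lower-security side: the DMZ servers may only
! ping VLAN 1 hosts; nothing else initiated from dmz reaches inside.
! (ACL name dmz_in is an assumption, not from the thread.)
access-list dmz_in permit icmp 192.168.4.0 255.255.255.0 192.168.1.160 255.255.255.224 echo

! Binding an ACL to dmz replaces the implicit "permit to lower security"
! behaviour with an implicit deny on everything through that interface,
! so explicitly block the other internal nets and then re-permit the
! servers' Internet-bound traffic.
access-list dmz_in deny ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_in deny ip 192.168.4.0 255.255.255.0 192.168.2.0 255.255.255.248
access-list dmz_in deny ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.248
access-list dmz_in permit ip 192.168.4.0 255.255.255.0 any

access-group dmz_in in interface dmz
```

The echo replies travel from inside (higher security) to dmz through the same static, which the PIX allows by default unless an ACL bound to the inside interface blocks them; `show xlate` and `show access-list dmz_in` are the quickest way to confirm the translation exists and which ACL line is matching.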

Thanks for your help. I have succeeded in what I'm trying to do.

Walter Roberson wrote:

Reply to
jp
