PIX behind route

I'm experiencing a connection problem between the PIX and the T1 router.

Router LAN interface is 192.168.0.1

PIX outside 192.168.0.2, inside 192.168.2.1

From the PIX everything is fine: I can access the router and my subnet. But from the router I am not able to access my subnet. Why?

Is there any routing I need to add?

Much appreciated

Reply to
antonyc

Please re-read this "sentence".

I find it unintelligible, and would be surprised if anyone can help you.

You need to properly explain your network topology and the issue you need assistance to resolve.

Triffid

Reply to
Triffid

OK, let me clarify my situation. I have a T1 linking two locations, A and B. B needs internet access through A. Now we want to put the PIX 506E behind the router. B area router info:

interface FastEthernet0/0
 ip address 192.168.8.253 255.255.255.0
 speed auto
!
interface Serial0/0
 bandwidth 1536
 ip address 10.0.0.2 255.255.255.252
 service-policy output voice
!
router ospf 87
 log-adjacency-changes
 network 10.0.0.0 0.255.255.255 area 0
 network 192.168.0.0 0.0.255.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1

I have changed the router IP to 192.168.9.254.

The PIX info:

ip address outside 192.168.9.253 255.255.255.0
ip address inside 192.168.8.253 255.255.255.0

route inside 0.0.0.0 0.0.0.0 192.168.9.254

I've cleared ICMP.

In area B, from the PIX: ping router LAN interface, my workstation and area A workstation ... fine.

In area B, from the router: ping PIX outside interface --- okay; ping PIX inside interface --- cannot.

The area A and B routers and the PIX outside interface are able to communicate with each other; the inside cannot. Any idea?

Thanks

Reply to
antonyc

Do you mean that from the router you cannot access your inside subnet (192.168.2.x)? This is because the firewall is blocking inbound access. You will need to create access rules (ACLs) to permit incoming traffic. Let me know if this helps.

-- joeblac

Thanks, JoeBlac


Reply to
joeblack

What does your config look like?

Reply to
Scap

The PIX is designed to prevent you from pinging any interface other than the "closest" one (the outside interface in this case.) In PIX 6.3 you can get around that by creating a VPN tunnel that terminates at PIX A (and which cannot be used to send traffic -past- PIX A to the LAN at A), with that VPN marked as being a "management interface".

PIX is designed to drop packets that arrive via one interface and are destined to go out the same interface. You will not be able to send internet-bound packets from B to A and have A send them out to the internet on the same interface.

If you have PIX 6.3(3) or later on your PIX 506E, you can create a "logical interface" (802.1Q VLAN) in a different subnet from the "outside" interface, but which is still addressable from B (i.e., a second public subnet in the usual case, but you seem to be using private IP ranges.) You would have the traffic from B to A go in the "logical" interface, and any traffic that was destined to the internet could then go out the regular "outside" interface (which would be the same physical interface but with no VLAN tag.) In order to get this to work, your T1 router at A will need to support 802.1Q VLANs.

Reply to
Walter Roberson

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password jSl27glGzSw1DAQV encrypted
passwd jSl27glGzSw1DAQV encrypted
hostname cp03cn
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.9.253 255.255.255.252
ip address inside 192.168.8.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.9.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:0cccb8aa20d0ed691cc719ec32d457e8
: end

areaB(config)# ping 192.168.4.9
192.168.4.9 response received -- 20ms
192.168.4.9 response received -- 10ms
192.168.4.9 response received -- 10ms

I can go everywhere from my area B PIX. Is there any ACL or routing I need to add? The area B workstations cannot ping area A.

Thanks

Antony


Reply to
antonyc

You don't have any 'static' or 'nat' or 'global' statements. All your outgoing packets are going to be dropped.

I would recommend that you post these questions to comp.dcom.sys.cisco as there are more PIX people there. Also, your questions start getting into matters of configuring your Cisco IOS router, which is not a firewall question.

Reply to
Walter Roberson
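A worked PIX 6.3 fragment for the addresses in this thread, added here as an illustration of the missing nat/global pieces Walter refers to; it is not from the thread or from Cisco's documentation. It assumes area A's LAN is 192.168.4.0/24 (the ping target above), that the T1 router at 192.168.9.254 is the only next hop, and that the access-list names are arbitrary.

```cisco
! Added example, not the poster's config. Assumed: area A LAN = 192.168.4.0/24,
! area B LAN = 192.168.8.0/24 (PIX inside), T1 router at 192.168.9.254 (PIX outside).
!
! 1. Translation. Without any nat/global/static the PIX builds no xlate for
!    inside hosts and silently drops their outbound packets.
!    NAT exemption keeps 192.168.8.x unchanged toward area A and lets either
!    side initiate a connection (subject to the inbound ACL below).
access-list nonat permit ip 192.168.8.0 255.255.255.0 192.168.4.0 255.255.255.0
nat (inside) 0 access-list nonat
!    Internet-bound traffic (via A) still needs a slot: PAT to the outside address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! 2. Inbound policy on the low-security interface: permit only what area A
!    needs to reach in B. PIX 6.3 does not track ICMP statefully, so the
!    echo replies coming back from 192.168.4.x must be allowed explicitly.
access-list outside_in permit icmp 192.168.4.0 255.255.255.0 192.168.8.0 255.255.255.0
!    Add one line per application port actually needed, e.g.:
!    access-list outside_in permit tcp 192.168.4.0 255.255.255.0 host 192.168.8.10 eq 25
access-group outside_in in interface outside
!
! 3. Routing toward the T1 router (already present in the posted config).
route outside 0.0.0.0 0.0.0.0 192.168.9.254 1
```

The area B router also needs a route back to the inside network, since nothing in the PIX config advertises it into OSPF 87 (assumed IOS syntax: `ip route 192.168.8.0 255.255.255.0 192.168.9.253` plus redistribution of that static route, or an equivalent static route on the area A router).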
