tabmpierce
asked on
Cisco Pix Firewall not routing our privite frame traffic...need help bad.
We currently have a PIX Firewall running a very old IOS. Version 4.4 I think. It is used for a small company firewall. It connects to an AT&T router that gives us internet access. We also have a separate Frame line that connects a separate office to us via a 56K frame. Our problem is we need to be able to route though the Frame connection when we try to get to a 192.168.1.0. We are using the PIX as our gateway but so far I can not PING from my workstation 192.168.1.21. I can Telnet into the PIX 128.1.5.3 and do a Ping from the Pix to a workstation on the other end of the frame 192.168.1.3 and it works great. It is like the PIX is not allowing the data from the FRAME to be routed.
There is a fairly good chance this post will make little sense to some so please ask questions I will answer them as I can.
Thanks for the help guys
There is a fairly good chance this post will make little sense to some so please ask questions I will answer them as I can.
Thanks for the help guys
The PIX firewall might also be blocking ping requests. Have you also updated you PIX firewall firmware yet....just for security purposes :)
Can you please post your PIX config without security details. We can most likely give you an answer in short order if you post the config.
As I understand it, the PIX will not perform routing. You must forward all your traffic inbound from the outside interface to a router that is capable of routing the traffic. It will, of course, happily ping anywhere you like so long as it's default gatway or RIP table knows how to find that network.
hi
is this the way your network is connected ?
Internet <---> AT&T Router <----> PIX <----> Internal Network
|
|
v
FRAME
is this the way your network is connected ?
Internet <---> AT&T Router <----> PIX <----> Internal Network
|
|
v
FRAME
ASKER
Aaah Thank you all for Writing ...OK let me answer the questions.
ICMP is ON so pinging works till the issue is resolved.
I can not update the Firmware because newer versions of the PIX firmware limit the number of connections (LOL that should give you a clue to how old the IOS is)
Everyone in the office uses the PIX as it's gateway.
Robing66066 brought up a interesting comment. I am trying to route the traffic from the internal network to the frame network useing routing statments on the PIX. Can anyone confirm that the PIX will not do routing?
I like the picture so I will use it to illistrate what I am trying to show you guys.
128.1.5.3 no IP 128.1.5.0
Internet <---> AT&T Router <----> PIX <----> Cisco Switch <--->Internal Network
(GATEWAY) |
|
v
128.1.5.15 (internal home office IP address)
FRAME
10.1.2.1 (Frame cloud IP address home office)
|
|
v
10.1.2.2 (Frame cloud IP address remote office)
|
|
v
192.168.1.21 (internal Remote office)
ICMP is ON so pinging works till the issue is resolved.
I can not update the Firmware because newer versions of the PIX firmware limit the number of connections (LOL that should give you a clue to how old the IOS is)
Everyone in the office uses the PIX as it's gateway.
Robing66066 brought up a interesting comment. I am trying to route the traffic from the internal network to the frame network useing routing statments on the PIX. Can anyone confirm that the PIX will not do routing?
I like the picture so I will use it to illistrate what I am trying to show you guys.
128.1.5.3 no IP 128.1.5.0
Internet <---> AT&T Router <----> PIX <----> Cisco Switch <--->Internal Network
(GATEWAY) |
|
v
128.1.5.15 (internal home office IP address)
FRAME
10.1.2.1 (Frame cloud IP address home office)
|
|
v
10.1.2.2 (Frame cloud IP address remote office)
|
|
v
192.168.1.21 (internal Remote office)
ASKER
When I make it back into the office I will post the config minus the security information and maybe that will help.
Thanks guys =)
Thanks guys =)
You should make every effort to acquire the newest software for the PIX. If you are the original purchaser of the device, you should be able to get it covered under a SmartNET contract, which would entitle you to software upgrades.
Once that's done, re-write your configuration to get rid of conduits and move to access-lists to control traffic (we can help you convert the rules).
This will shore up the security quite a bit.
Now, to answer your questions - you need to define rules in the PIX that prevent traffic originating at your network and heading to the other private network from being address translated. Then, you need to open the appropriate holes for the traffic to move back and forth. All of this is much easier to do when you run the newer software, and don't have to use conduit statements...
Once that's done, re-write your configuration to get rid of conduits and move to access-lists to control traffic (we can help you convert the rules).
This will shore up the security quite a bit.
Now, to answer your questions - you need to define rules in the PIX that prevent traffic originating at your network and heading to the other private network from being address translated. Then, you need to open the appropriate holes for the traffic to move back and forth. All of this is much easier to do when you run the newer software, and don't have to use conduit statements...
You have two gateways on your network -- the PIX, and the FR connection. What you are trying to do is have the PIX forward any traffic it receives from the internal network that is intended for FR back across the internal network to the FR gateway.
IF the PIX was a router (Cisco says it's not, but what do *they* know...), it would do that forwarding, and send the clients an "ICMP redirect" message saying "You don't have to come through me to get there." (Which most clients would ignore, but that's another story.)
Your simplest option would be if both the PIX and the FR gateway could hang off the same internal network address, perhaps by introducing a small router between them and the rest of the internal network. You'd have to introduce a separate (private) subnet joining the three devices.
The "obvious" alternative is to add a route on each client that needs to talk via FR (which might be all of them in your case), telling them that traffic to 192.168.1.x needs to be sent to 128.1.5.15 instead of the default gateway.
IF the PIX was a router (Cisco says it's not, but what do *they* know...), it would do that forwarding, and send the clients an "ICMP redirect" message saying "You don't have to come through me to get there." (Which most clients would ignore, but that's another story.)
Your simplest option would be if both the PIX and the FR gateway could hang off the same internal network address, perhaps by introducing a small router between them and the rest of the internal network. You'd have to introduce a separate (private) subnet joining the three devices.
The "obvious" alternative is to add a route on each client that needs to talk via FR (which might be all of them in your case), telling them that traffic to 192.168.1.x needs to be sent to 128.1.5.15 instead of the default gateway.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Pascal666 your comment answered my problem. I made the Frame relay route the traffic. Works great. Thanks a ton guys!!!
when your at site A (at 192.168.1.21) and you try to ping 192.168.1.3 at site B it doesn't go through any gateway b/c it's the same subnet.
I assume it works from the Pix b/c it's default route is NOT going back to 'site A'
When setting up 2 sites like this, I've only used different subnets so that there's no mistake when routing...