PIX 515 w/DMZ and NAT Config HELP!

Posted on 2004-10-21
Last Modified: 2010-08-05
I'm new to the firewall world and I'm trying to configure our new PIX.  The layout looks as follows:

internet ---- router (e0) 66.203.12.138/29 ---- PIX (outside) 66.203.12.139/29
                                                  |
                  (inside) 10.100.0.100 ----------+---------- (dmz) 66.203.12.209/29
                         |                                         |
                  [private network]                           [web server]
                     10.100.0.0                              66.203.12.210/29
 
The web server will need to communicate with the private network as well as with the internet.
I have a pool of addresses for NAT'ing the private addresses:  66.203.12.211 - 214 and 66.203.12.140 - 142
I'd prefer to perform static NAT because I'm running H.323 (video conferencing).

With my initial attempt at this, I'm ABLE to ping from the PIX through all interfaces.  I'm unable to ping the web server from the internet, and unable to ping from the web server out to a public address on the internet.  I fear I'm blocking ICMP in both directions.   I'm also unable to ping the web server from my private network.  Since this is a web server, HTTP fails as well.

Can someone please help guide me in the right direction by providing a config?
Question by: echunn

31 Comments
LVL 79

Expert Comment

by:lrmoore
ID: 12377711
Compare this config to yours. I use a private IP space in the DMZ...

ip address outside 66.203.12.139 255.255.255.240
ip address inside 10.100.0.100 255.255.255.0
ip address dmz 192.168.100.1 255.255.255.0

access-list outside_in permit tcp any host 66.203.12.210 eq 80
access-list outside_in permit tcp any host 66.203.12.210 eq 443  <== if you need it
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
<== you will not be able to ping the web server without this, but it is optional:
access-list outside_in permit icmp any host 66.203.12.210 echo

global (outside) 5 interface
nat (inside) 5 10.100.0.0 255.255.255.0  <== change to appropriate mask
nat (dmz) 5 192.168.100.0 255.255.255.0

<== next line will create a static rule that bypasses NAT between the inside and DMZ:
static (inside,dmz) 10.100.0.0 10.100.0.0 netmask 255.255.255.0  <== again, appropriate mask

<== static for DMZ Web server
static (dmz,outside) 66.203.12.210 192.168.100.210 netmask 255.255.255.255

access-group outside_in in interface outside

route outside 0.0.0.0 0.0.0.0 66.203.12.138

<== you won't be able to ping the web server in the dmz until you create an acl specifically permitting it.
        I suggest you start out without this. Even though you can't ping it, you should be able to access the web page
access-list dmz_out permit icmp host 192.168.100.210 10.100.0.0 255.255.255.0
access-group dmz_out in interface dmz


Author Comment

by:echunn
ID: 12385422
After your suggestions I'm still unable to get to my web server.  I'm also unable to get out to the internet.  From the internet I'm also unable to get to the server.  I'd like to share with you a detailed layout of the network; please email me at echunn@sbcglobal.net.

Here's my current config:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any host 66.234.131.210 eq www
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any host 66.234.131.210 echo
access-list dmz_out permit icmp host 10.100.10.102 10.100.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 66.203.12.139 255.255.255.248
ip address inside 10.100.0.100 255.255.255.0
ip address DMZ 66.234.131.209 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 5 interface
nat (inside) 5 10.100.0.0 255.255.0.0 0 0
nat (DMZ) 5 66.234.131.0 255.255.255.0 0 0
static (inside,DMZ) 10.100.0.0 10.100.0.0 netmask 255.255.0.0 0 0
static (DMZ,outside) 66.234.131.210 10.100.10.102 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group dmz_out in interface DMZ
route outside 0.0.0.0 0.0.0.0 66.234.131.138 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
LVL 79

Expert Comment

by:lrmoore
ID: 12385509
Remove this line:
   >access-group dmz_out in interface DMZ

Change this to match the mask on your inside interface:
   >static (inside,DMZ) 10.100.0.0 10.100.0.0 netmask 255.255.0.0 0 0
to
    static (inside,DMZ) 10.100.0.0 10.100.0.0 netmask 255.255.255.0   <== 255.255.255.0
Remove this line:
   >static (DMZ,outside) 66.234.131.210 10.100.10.102 netmask 255.255.255.255 0 0
Replace with this:
     static (DMZ,outside) 66.234.131.210 66.234.131.210 netmask 255.255.255.255



Author Comment

by:echunn
ID: 12385751
Thanks for the quick reply!

Below is the config with your suggested modifications.  However I'm still not getting out from:

Ping from server 66.234.131.210 failed
Ping from PIX to server 66.234.131.210 success
Ping from PIX to next hop toward internet success
Ping from PIX to internet address failed
HTTP from the internet to 66.234.131.210 failed
Ping or HTTP from internal net 10.100.10.x fails
Ping from internet net to DMZ fails

:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any host 66.234.131.210 eq www
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any host 66.234.131.210 echo
access-list dmz_out permit icmp host 10.100.10.102 10.100.0.0 255.255.255.0
access-list dmz_in permit icmp any any echo-reply
access-list dmz_in permit icmp any any unreachable
access-list dmz_in permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 66.203.12.139 255.255.255.248
ip address inside 10.100.10.100 255.255.255.0
ip address DMZ 66.234.131.209 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
ip audit attack action alarm
no pdm history enable
arp timeout 14400
global (outside) 5 interface
nat (inside) 5 10.100.0.0 255.255.0.0 0 0
nat (DMZ) 5 66.234.131.0 255.255.255.0 0 0
static (inside,DMZ) 10.100.0.0 10.100.0.0 netmask 255.255.0.0 0 0
static (DMZ,outside) 66.234.131.210 10.100.10.102 netmask 255.255.255.255 0 0
static (inside,DMZ) 10.100.0.0 10.100.0.0 netmask 255.255.255.0 0 0
access-group outside_in in interface outside
access-group dmz_out in interface DMZ
route outside 0.0.0.0 0.0.0.0 66.234.131.138 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80

Thoughts?

LVL 79

Expert Comment

by:lrmoore
ID: 12385902
What is the subnet mask on your internet router Ethernet port?
What is the default gateway/mask settings on your server?

Author Comment

by:echunn
ID: 12385945
internet router
mask = 255.255.255.248

server
gw=66.234.131.209
mask= 255.255.255.248


Author Comment

by:echunn
ID: 12385978
Here's an update:  
From 10.100.10.2 I can get to the server 66.234.131.210
From this same system I'm unable to browse the internet
From the internet I cant get to the server.

From other systems on 10.100.10.x I can't get out to the internet nor to the server.  Do I need static NAT for every system that needs access to the internet?  If so, what is an example of that statement?
LVL 79

Expert Comment

by:lrmoore
ID: 12386188
Some progress, right?
Does the Internet router have a route statement pointing to the PIX for that subnet?

   ip route 66.234.131.208 255.255.255.248 66.234.131.139

These two entries are all you need to browse the internet from inside:
   global (outside) 5 interface
   nat (inside) 5 10.100.0.0 255.255.0.0 0 0

Verify that the inside users' default gateway points to the pix 10.100.10.100

Doh! I think I see a problem:

given this:
   ip address inside 10.100.10.100 255.255.255.0

You can remove this:
    no static (inside,DMZ) 10.100.0.0 10.100.0.0 netmask 255.255.255.0 0 0




Author Comment

by:echunn
ID: 12386370
Well, the route wasn't in place... now that it is, I can at least ping it (the server) from my router.  Anything beyond my router on the public side doesn't work.

Getting out to the internet from 10.100.10.0 (specifically 10.100.10.2 and .60) still doesn't work.

Here's the latest:

.........
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit icmp any host 66.234.131.210
access-list outside_access_in permit ip any any
access-list outside_access_in permit tcp any any
access-list outside_access_in permit udp any any
access-list outside_access_in permit icmp any any
access-list dmz_out permit icmp host 10.100.10.102 10.100.0.0 255.255.255.0
access-list dmz_out permit icmp host 10.100.10.60 10.100.0.0 255.255.255.0
access-list inside_access_in permit ip any any
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any
access-list inside_access_in permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 66.234.131.139 255.255.255.248
ip address inside 10.100.10.100 255.255.255.0
ip address DMZ 66.234.131.209 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
ip audit attack action alarm
no pdm history enable
arp timeout 14400
global (outside) 5 interface
nat (inside) 5 10.100.0.0 255.255.0.0 0 0
nat (DMZ) 5 66.234.131.0 255.255.255.0 0 0
static (inside,outside) 66.234.131.212 10.100.10.2 netmask 255.255.255.255 0 0
static (DMZ,outside) 66.234.131.210 66.234.131.210 netmask 255.255.255.255 0 0
static (inside,outside) 10.100.10.60 66.234.131.213 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 66.234.131.138 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
LVL 79

Expert Comment

by:lrmoore
ID: 12386608
Can you ping your router from the inside?
Yes? Sounds like the ISP isn't routing properly to your 66.234.131.x subnet.


Author Comment

by:echunn
ID: 12387054
In your opinion, do you think this config is valid?
LVL 79

Expert Comment

by:lrmoore
ID: 12388085
Not now.

You can remove this completely:
   access-group inside_access_in in interface inside

The default is to permit all outbound traffic anyway..

You've changed some other things around, too:
>static (inside,outside) 66.234.131.212 10.100.10.2 netmask 255.255.255.255 0 0  <=== ?? DMZ IP to inside host?
>static (DMZ,outside) 66.234.131.210 66.234.131.210 netmask 255.255.255.255 0 0 <== OK
>static (inside,outside) 10.100.10.60 66.234.131.213 netmask 255.255.255.255 0 0  <== ?? backward syntax

Now you're trying to nat a DMZ IP address to an inside host?

Author Comment

by:echunn
ID: 12390342
To summarize what needs to communicate to what.......The server needs to connect to internal IPs on 10.100.0.0 as well as systems on the internet.   As it stands right now I'm back to where I started.  The server is unable to communicate to the internal net as well as the internet.  I'll refrain from changing anything more until I get more suggestions from you.

access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit icmp any host 66.234.131.210
access-list outside_access_in permit ip any any
access-list outside_access_in permit tcp any any
access-list outside_access_in permit udp any any
access-list outside_access_in permit icmp any any
access-list dmz_out permit icmp host 10.100.10.102 10.100.0.0 255.255.255.0
access-list dmz_out permit icmp host 10.100.10.60 10.100.0.0 255.255.255.0
access-list inside_access_in permit ip any any
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any
access-list inside_access_in permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 66.234.131.139 255.255.255.248
ip address inside 10.100.10.100 255.255.255.0
ip address DMZ 66.234.131.209 255.255.255.248
ip audit info action alarm
no pdm history enable
arp timeout 14400
global (outside) 5 interface
nat (inside) 5 10.100.0.0 255.255.0.0 0 0
nat (DMZ) 5 66.234.131.0 255.255.255.0 0 0
static (inside,outside) 66.234.131.212 10.100.10.2 netmask 255.255.255.255 0 0
static (DMZ,outside) 66.234.131.210 66.234.131.210 netmask 255.255.255.255 0 0
static (inside,outside) 10.100.10.60 66.234.131.213 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 66.234.131.138 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact


Author Comment

by:echunn
ID: 12403527
The Good News:
Spoke to my ISP and sure enough they weren't routing the server's IP.   I can now connect from the internet to the server.

The BAD News:
I'm unable to communicate from the server to my internal net as well as from my internal net to my server.  

Any suggestions?   .......I'm in the home-stretch!!
LVL 79

Expert Comment

by:lrmoore
ID: 12403789
That is good news. I guess I was right.

Now. For internal net to server communications:

                  nat (inside) 5 10.100.0.0 255.255.0.0 0 0
Remove this ==>   nat (DMZ) 5 66.234.131.0 255.255.255.0 0 0
Remove this ==>   static (inside,outside) 66.234.131.212 10.100.10.2 netmask 255.255.255.255 0 0
                  static (DMZ,outside) 66.234.131.210 66.234.131.210 netmask 255.255.255.255 0 0
Remove this ==>   static (inside,outside) 10.100.10.60 66.234.131.213 netmask 255.255.255.255 0 0

Remove this ==> access-group inside_access_in in interface inside

This is what you should end up with:

  global (outside) 5 interface
  nat (inside) 5 10.100.0.0 255.255.0.0 0 0
  static (DMZ,outside) 66.234.131.210 66.234.131.210 netmask 255.255.255.255 0 0
  static (inside,DMZ) 10.100.10.0 10.100.10.0 netmask 255.255.255.0

Next, for the server in the DMZ to talk to the internal network (if this server initiates the connection)
  access-list DMZ permit ip host 66.234.131.210 10.100.10.0 255.255.255.0
  access-list DMZ permit ip host 66.234.131.210 any
  access-list DMZ in interface DMZ

Once you get everything working, we can refine the DMZ access-list

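The four lines lrmoore says "you should end up with" are the whole PIX 6.3 translation story for this thread: for a connection from a higher-security interface a matching static wins, otherwise a nat id on the source interface has to be paired with a global of the same id on the destination interface, otherwise the PIX drops the packet ("no translation group found"); for a connection from a lower-security interface the destination must be the mapped side of a static. The Python below is an added example, not code from the thread and not Cisco's implementation. It models only that rule order (access-list evaluation is left out on purpose) so the symptom echunn reported, inside hosts unable to reach the DMZ server until the identity static (inside,DMZ) was added, can be reproduced. Security levels and addresses are the ones posted above; BEFORE and AFTER are constructed from lrmoore's list without and with the identity static.

```python
"""Model of the PIX 6.3 xlate lookup this thread relies on (added example)."""
from ipaddress import ip_address, ip_network

SECURITY = {"outside": 0, "DMZ": 4, "inside": 100}   # from the posted nameif ... securityN lines
IFACE_IP = {"outside": "66.234.131.139", "inside": "10.100.10.100", "DMZ": "66.234.131.209"}


def static(real_ifc, mapped_ifc, mapped, real, mask):
    """static (real_ifc,mapped_ifc) mapped real netmask mask"""
    return (real_ifc, mapped_ifc,
            ip_network(f"{mapped}/{mask}", strict=False),
            ip_network(f"{real}/{mask}", strict=False))


def translate(addr, from_net, to_net):
    """Carry addr's offset within from_net over to to_net (both share one netmask)."""
    return str(to_net.network_address + (int(addr) - int(from_net.network_address)))


def resolve(cfg, src_ifc, src_ip, dst_ifc, dst_ip):
    """Return the xlate the PIX would build for a new connection, or why it would not."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    if SECURITY[src_ifc] > SECURITY[dst_ifc]:
        # Outbound: the source needs an xlate on dst_ifc; statics are consulted first.
        for real_ifc, mapped_ifc, mapped_net, real_net in cfg["statics"]:
            if (real_ifc, mapped_ifc) == (src_ifc, dst_ifc) and src in real_net:
                return {"ok": True, "src": translate(src, real_net, mapped_net),
                        "dst": str(dst), "via": "static"}
        for nat_ifc, nat_id, nat_net in cfg["nats"]:
            if nat_ifc != src_ifc or src not in nat_net:
                continue
            if nat_id == 0:                                   # nat (ifc) 0: exempt from translation
                return {"ok": True, "src": str(src), "dst": str(dst), "via": "nat 0"}
            for glob_ifc, glob_id, glob_addr in cfg["globals"]:
                if glob_ifc == dst_ifc and glob_id == nat_id:
                    if glob_addr == "interface":              # global (ifc) N interface: PAT
                        glob_addr = IFACE_IP[dst_ifc]
                    return {"ok": True, "src": glob_addr, "dst": str(dst),
                            "via": f"nat/global {nat_id}"}
            return {"ok": False, "reason": f"nat ({src_ifc}) {nat_id} matched, "
                                           f"but there is no global ({dst_ifc}) {nat_id}"}
        return {"ok": False, "reason": "no translation group found"}
    # Inbound: dst must be the mapped side of a static whose real side is dst_ifc
    # (an access-list on src_ifc must still permit it; not modelled here).
    for real_ifc, mapped_ifc, mapped_net, real_net in cfg["statics"]:
        if (real_ifc, mapped_ifc) == (dst_ifc, src_ifc) and dst in mapped_net:
            return {"ok": True, "src": str(src), "dst": translate(dst, mapped_net, real_net),
                    "via": "static (reverse)"}
    return {"ok": False, "reason": f"no static maps {dst} on {src_ifc} to a host on {dst_ifc}"}


# Constructed from lrmoore's "what you should end up with" list.
BEFORE = {
    "globals": [("outside", 5, "interface")],                   # global (outside) 5 interface
    "nats": [("inside", 5, ip_network("10.100.0.0/16"))],        # nat (inside) 5 10.100.0.0 255.255.0.0
    "statics": [static("DMZ", "outside", "66.234.131.210", "66.234.131.210", "255.255.255.255")],
}
AFTER = {**BEFORE, "statics": BEFORE["statics"] + [
    static("inside", "DMZ", "10.100.10.0", "10.100.10.0", "255.255.255.0")]}

if __name__ == "__main__":
    for name, cfg in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(name, "inside->DMZ ", resolve(cfg, "inside", "10.100.10.2", "DMZ", "66.234.131.210"))
        print(name, "DMZ->inside ", resolve(cfg, "DMZ", "66.234.131.210", "inside", "10.100.10.2"))
        print(name, "inside->out ", resolve(cfg, "inside", "10.100.10.2", "outside", "198.51.100.7"))
        print(name, "out->DMZ    ", resolve(cfg, "outside", "198.51.100.7", "DMZ", "66.234.131.210"))
```

Without the identity static, inside-to-DMZ traffic matches nat (inside) 5 but finds no global (DMZ) 5 and is dropped, and DMZ-to-inside traffic has no static to hit at all; with it, both directions pass the translation step and only the DMZ access-list stands in the way of the server initiating connections inward.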

Author Comment

by:echunn
ID: 12404267
From my internal net I can connect to my server and everywhere else.  However, my server still is unable to establish a connection to an internal system.
LVL 79

Expert Comment

by:lrmoore
ID: 12404530
So, 2 out of 3 down?
can you post your current latest running config?

These three lines are the keys to making that work:
 static (inside,DMZ) 10.100.10.0 10.100.10.0 netmask 255.255.255.0
  access-list DMZ permit ip host 66.234.131.210 10.100.10.0 255.255.255.0
   access-list DMZ in interface DMZ

Author Comment

by:echunn
ID: 12404573
Sure, here it is:
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
enable password bSZmERppDxozfltT encrypted
passwd jBkDTusFb45REzoX encrypted
hostname MAGMA
domain-name MAGMA
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any host 66.234.131.210
access-list outside_access_in permit ip any any
access-list outside_access_in permit tcp any any
access-list outside_access_in permit udp any any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host 66.234.131.210 eq www
access-list dmz_out permit icmp host 10.100.10.102 10.100.0.0 255.255.255.0
access-list dmz_out permit icmp host 10.100.10.60 10.100.0.0 255.255.255.0
access-list inside_access_in permit ip any any
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any
access-list inside_access_in permit icmp any any
access-list DMZ permit ip host 66.234.131.210 10.100.10.0 255.255.255.0
access-list DMZ permit ip host 66.234.131.210 10.100.11.0 255.255.255.0
access-list DMZ permit ip host 66.234.131.210 10.100.12.0 255.255.255.0
access-list DMZ permit ip host 66.234.131.210 10.100.13.0 255.255.255.0
access-list DMZ permit ip host 66.234.131.210 10.100.15.0 255.255.255.0
access-list DMZ permit ip host 66.234.131.210 10.100.16.0 255.255.255.0
access-list DMZ permit ip host 66.234.131.210 10.100.17.0 255.255.255.0
access-list DMZ permit ip host 66.234.131.210 any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 66.234.131.139 255.255.255.248
ip address inside 10.100.10.100 255.255.255.0
ip address DMZ 66.234.131.209 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
no pdm history enable
arp timeout 14400
global (outside) 5 interface
nat (inside) 5 10.100.0.0 255.255.0.0 0 0
static (DMZ,outside) 66.234.131.210 66.234.131.210 netmask 255.255.255.255 0 0
static (inside,outside) 66.234.131.214 10.100.10.52 netmask 255.255.255.255 0 0
static (inside,DMZ) 10.100.10.0 10.100.10.0 netmask 255.255.255.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 66.234.131.138 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:
LVL 79

Expert Comment

by:lrmoore
ID: 12404651
You have to remove this. You cannot apply a static map to a public IP from an inside host to the DMZ subnet..  
   > static (inside,outside) 66.234.131.214 10.100.10.52 netmask 255.255.255.255 0 0

If you have all those 10.100.x.0 subnets on the inside that you are trying to connect to, suggest :
  no static (inside,DMZ) 10.100.10.0 10.100.10.0 netmask 255.255.255.0 0 0
  static (inside,DMZ) 10.100.10.0 10.100.10.0 netmask 255.255.0.0   <== 255.255.0.0
You will also need a route to them on the PIX pointing to the inside router:
   route inside 10.100.0.0 255.255.0.0 10.100.10.??

And, don't forget to apply the DMZ Acl ( I don't see it in your posted config):
    access-list DMZ in interface DMZ

0
 

Author Comment

by:echunn
ID: 12404791
you mean:
access-group DMZ in interface DMZ

not:
access-list DMZ in interface DMZ

you mean:
static (inside,DMZ) 10.100.10.0 10.100.10.0 netmask 255.255.255.0

not:
static (inside,DMZ) 10.100.10.0 10.100.10.0 netmask 255.255.0.0

route inside 10.100.0.0 255.255.0.0 10.100.10.1

We're good to go now!  Excellent help, thank you very much!



LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 12404854
H'OH! Yep, I did get carried away... it is access-group, not access-list when applying it...

But this one.... I did mean to change the subnet mask to include all the other subnets that you have...
>you mean:
>static (inside,DMZ) 10.100.10.0 10.100.10.0 netmask 255.255.255.0

>not:
>static (inside,DMZ) 10.100.10.0 10.100.10.0 netmask 255.255.0.0   <== I really did mean to change this to 255.255.0.0

Progress is always good!

Author Comment

by:echunn
ID: 12405384
One last thing.   To avoid having to set static routes on my router for the public IP of the server on my internal net, could I instead NAT to an IP routable on my internal net?  If so, what's the correct syntax?
LVL 79

Expert Comment

by:lrmoore
ID: 12405462
I don't follow you on that...
As long as the PIX is the default gateway for everything, it shouldn't matter...
Since you are not natting between the inside and the DMZ, nor from DMZ to outside, that's sort of an odd thing to need to do.

Author Comment

by:echunn
ID: 12405683
When I set my systems to use the PIX as the default gateway, I can't communicate with anything else on my 10.100.10.0 as well as my other networks, 10.100.13.x, 10.100.14.x etc., even though I've got these route statements:

route outside 0.0.0.0 0.0.0.0 66.234.131.138 1
route inside 10.100.0.0 255.255.0.0 10.100.10.1 1
route inside 10.100.15.0 255.255.255.0 10.100.10.1 1  
LVL 79

Expert Comment

by:lrmoore
ID: 12405762
How about on your router, just point the default to the PIX, then use the router as your default.

  ip route 0.0.0.0 0.0.0.0 10.100.10.100


Author Comment

by:echunn
ID: 12405878
Tried that too.  It seems like the routes on the PIX aren't even working....
LVL 79

Expert Comment

by:lrmoore
ID: 12405896
They are, it's just that a PIX won't redirect like a router will...

The routes on the PIX are there to respond to clients, not to act as a router for inside client to get to another subnet. Is there another default route in the router?

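The point lrmoore makes above is the one the thread ends on: a router will forward a packet back out the interface it arrived on (and tell the host about it with an ICMP redirect), a PIX 6.x will not do either, so the `route inside` statements only help the PIX reach those subnets for return traffic. The Python below is an added example, not from the thread, that models those two behaviours with the route statements posted here. The core router's `10.100.0.0/16 via mpls` entry and the `mpls-cloud` next-hop name are assumptions standing in for the MPLS side echunn describes, and a packet that reaches an address this model does not own is treated as handed off.

```python
"""Why 'default gateway = PIX' broke inside-to-inside traffic (added example)."""
from ipaddress import ip_address, ip_network


class Node:
    """A forwarding device; routes are (prefix, egress interface, next hop or None if connected)."""

    def __init__(self, name, routes, is_pix=False):
        self.name, self.is_pix = name, is_pix
        self.routes = sorted(((ip_network(p), i, n) for p, i, n in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)   # longest prefix first

    def lookup(self, dst):
        return next(((i, n) for net, i, n in self.routes if dst in net), None)


PIX = Node("PIX", [
    ("0.0.0.0/0", "outside", "66.234.131.138"),   # route outside 0.0.0.0 0.0.0.0 66.234.131.138 1
    ("10.100.0.0/16", "inside", "10.100.10.1"),   # route inside 10.100.0.0 255.255.0.0 10.100.10.1 1
    ("10.100.10.0/24", "inside", None),           # connected: ip address inside 10.100.10.100 /24
    ("66.234.131.136/29", "outside", None),       # connected: ip address outside 66.234.131.139 /29
    ("66.234.131.208/29", "DMZ", None),           # connected: ip address DMZ 66.234.131.209 /29
], is_pix=True)

CORE = Node("core", [
    ("0.0.0.0/0", "lan", "10.100.10.100"),              # ip route 0.0.0.0 0.0.0.0 10.100.10.100
    ("66.234.131.210/32", "lan", "10.100.10.100"),      # ip route 66.234.131.210 255.255.255.255 10.100.10.100
    ("10.100.0.0/16", "mpls", "mpls-cloud"),            # assumed: remote 10.100.x.x sites learned over MPLS
    ("10.100.10.0/24", "lan", None),                    # connected
])

# next-hop address -> (device, interface the packet arrives on)
ADDR = {"10.100.10.100": (PIX, "inside"), "66.234.131.209": (PIX, "DMZ"), "10.100.10.1": (CORE, "lan")}


def trace(dst_ip, gateway, hop_limit=8):
    """Follow a packet from a host whose default gateway is `gateway`; returns (hops, outcome)."""
    dst, hops = ip_address(dst_ip), []
    node, ingress = ADDR[gateway]
    for _ in range(hop_limit):
        hops.append(node.name)
        match = node.lookup(dst)
        if match is None:
            return hops, f"dropped at {node.name}: no route"
        iface, nh = match
        if node.is_pix and iface == ingress:
            # PIX 6.x will not send a packet back out the interface it arrived on,
            # and unlike a router it sends no ICMP redirect to the host.
            return hops, f"dropped at {node.name}: route points back out {iface}, no redirect sent"
        if nh is None:
            return hops, f"delivered on {node.name} {iface}"
        if nh not in ADDR:
            return hops, f"handed to {nh} via {node.name} {iface}"
        node, ingress = ADDR[nh]
    return hops, "dropped: hop limit"


if __name__ == "__main__":
    print(trace("10.100.13.5", "10.100.10.100"))   # host gateway = PIX
    print(trace("10.100.13.5", "10.100.10.1"))     # host gateway = core router
    print(trace("198.51.100.7", "10.100.10.1"))    # internet, via core then PIX
    print(trace("66.234.131.210", "10.100.10.1"))  # the DMZ server, via core then PIX
    print(trace("10.100.13.5", "66.234.131.209"))  # DMZ server replying to a remote site
```

The first call is echunn's failing case: the PIX finds `route inside 10.100.0.0/16` but the egress interface equals the ingress one, so the packet is dropped and the host learns nothing. The last call shows what those routes are for: a reply leaving the DMZ toward a remote 10.100.x.x subnet is forwarded to the core router, which is why hosts should keep the router as their gateway and let only the router's default point at the PIX.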

Author Comment

by:echunn
ID: 12405935
the default route on my main core router feeds out to our MPLS network which fingers out to the other 10.100.x.x subnets.  

Here's the router route statements as it looks now:


ip route 0.0.0.0 0.0.0.0 10.100.10.100
ip route 66.234.131.210 255.255.255.255 10.100.10.100

Before:

ip route 0.0.0.0 0.0.0.0 192.168.100.57
ip route 66.234.131.210 255.255.255.255 10.100.10.100

Author Comment

by:echunn
ID: 12405956
So to answer your question, no, there are no other default routes.
LVL 79

Expert Comment

by:lrmoore
ID: 12406841
Sounds like you still have a simple routing issue..
What routing protocol are you using? You can enable OSPF between this router and the PIX. If you decide that you want to do that, post another question and we can work on that separately.

Aren't you using BGP to the MPLS network?

Author Comment

by:echunn
ID: 12408167
I'm running BGP.  Spoke to my ISP and the routes are now updated and everything is working.  Case closed !  Thanks for your patience and help.