PIX 515 w/DMZ and NAT Config HELP!

I'm new to the firewall world and I'm trying to configure our new PIX.  The layout looks as follows:

internet ---- router (e0) 66.203.12.138/29 ---- PIX (outside) 66.203.12.139/29
                                                    |
                                   +----------------+----------------+
                                   |                                 |
                         (inside) 10.100.0.100            (dmz) 66.203.12.209/29
                                   |                                 |
                           [private network]                   [web server]
                              10.100.0.0                    66.203.12.210/29
 
The web server will need to communicate with the private network and be reachable from the internet.
I have a pool of addresses for NAT'ing the private addresses: 66.203.12.211 - 214 and 66.203.12.140 - 142.
I'd prefer to perform static NAT because I'm running H.323 (video conferencing).

With my initial attempt at this, I'm ABLE to ping from the PIX through all interfaces. I'm unable to ping the web server from the internet, and unable to ping from the web server out to a public address on the internet. I fear I'm blocking ICMP in both directions. I'm also unable to ping the web server from my private network. Since this is a web server, HTTP fails as well.

Can someone please help guide me in the right direction by providing a config?
echunn asked:
 
lrmoore commented (accepted solution):
H'OH! Yep, I did get carried away... it is access-group, not access-list when applying it...

But this one.... I did mean to change the subnet mask to include all the other subnets that you have...
>you mean:
>static (inside,DMZ) 10.100.10.0 10.100.10.0 netmask 255.255.255.0

>not:
>static (inside,DMZ) 10.100.10.0 10.100.10.0 netmask 255.255.0.0
                                                     ^^^^ I really did mean to change this to 255.255.0.0

Progress is always good!
 
lrmoore commented:
Compare this config to yours. I use a private IP space in the DMZ...

ip address outside 66.203.12.139 255.255.255.240
ip address inside 10.100.0.100 255.255.255.0
ip address dmz 192.168.100.1 255.255.255.0

access-list outside_in permit tcp any host 66.203.12.210 eq 80
access-list outside_in permit tcp any host 66.203.12.210 eq 443  <== if you need it
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
<== you will not be able to ping the web server without this, but it is optional:
access-list outside_in permit icmp any host 66.203.12.210 echo

global (outside) 5 interface
nat (inside) 5 10.100.0.0 255.255.255.0  <== change to appropriate mask
nat (dmz) 5 192.168.100.0 255.255.255.0

<== next line will create a static rule that bypasses NAT between the inside and DMZ:
static (inside,dmz) 10.100.0.0 10.100.0.0 netmask 255.255.255.0  <== again, appropriate mask

<== static for DMZ Web server
static (dmz,outside) 66.203.12.210 192.168.100.210 netmask 255.255.255.255

access-group outside_in in interface outside

route outside 0.0.0.0 0.0.0.0 66.203.12.138

<== you won't be able to ping the web server in the dmz until you create an acl specifically permitting it.
        I suggest you start out without this. Even though you can't ping it, you should be able to access the web page
access-list dmz_out permit icmp host 192.168.100.210 10.100.0.0 255.255.255.0
access-group dmz_out in interface dmz

 
echunn (author) commented:
After your suggestions I'm still unable to get to my web server. I'm also unable to get out to the internet. From the internet I'm also unable to get to the server. I'd like to share with you a detailed layout of the network; please email me at echunn@sbcglobal.net.

Here's my current config:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any host 66.234.131.210 eq www
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any host 66.234.131.210 echo
access-list dmz_out permit icmp host 10.100.10.102 10.100.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 66.203.12.139 255.255.255.248
ip address inside 10.100.0.100 255.255.255.0
ip address DMZ 66.234.131.209 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 5 interface
nat (inside) 5 10.100.0.0 255.255.0.0 0 0
nat (DMZ) 5 66.234.131.0 255.255.255.0 0 0
static (inside,DMZ) 10.100.0.0 10.100.0.0 netmask 255.255.0.0 0 0
static (DMZ,outside) 66.234.131.210 10.100.10.102 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group dmz_out in interface DMZ
route outside 0.0.0.0 0.0.0.0 66.234.131.138 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
 
lrmoore commented:
Remove this line:
   >access-group dmz_out in interface DMZ

Change this to match the mask on your inside interface:
   >static (inside,DMZ) 10.100.0.0 10.100.0.0 netmask 255.255.0.0 0 0
to
    static (inside,DMZ) 10.100.0.0 10.100.0.0 netmask 255.255.255.0
                                                                                          ^^
Remove this line:
   >static (DMZ,outside) 66.234.131.210 10.100.10.102 netmask 255.255.255.255 0 0
Replace with this:
     static (DMZ,outside) 66.234.131.210 66.234.131.210 netmask 255.255.255.255


 
echunn (author) commented:
Thanks for the quick reply!

Below is the config with your suggested modifications. However, I'm still not getting out from:

Ping from server 66.234.131.210 failed
Ping from PIX to server 66.234.131.210 success
Ping from PIX to next hop toward internet success
Ping from PIX to internet address failed
HTTP from the internet to 66.234.131.210 failed
Ping or HTTP from internal net 10.100.10.x fails
Ping from internet net to DMZ fails

:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any host 66.234.131.210 eq www
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any host 66.234.131.210 echo
access-list dmz_out permit icmp host 10.100.10.102 10.100.0.0 255.255.255.0
access-list dmz_in permit icmp any any echo-reply
access-list dmz_in permit icmp any any unreachable
access-list dmz_in permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 66.203.12.139 255.255.255.248
ip address inside 10.100.10.100 255.255.255.0
ip address DMZ 66.234.131.209 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
ip audit attack action alarm
no pdm history enable
arp timeout 14400
global (outside) 5 interface
nat (inside) 5 10.100.0.0 255.255.0.0 0 0
nat (DMZ) 5 66.234.131.0 255.255.255.0 0 0
static (inside,DMZ) 10.100.0.0 10.100.0.0 netmask 255.255.0.0 0 0
static (DMZ,outside) 66.234.131.210 10.100.10.102 netmask 255.255.255.255 0 0
static (inside,DMZ) 10.100.0.0 10.100.0.0 netmask 255.255.255.0 0 0
access-group outside_in in interface outside
access-group dmz_out in interface DMZ
route outside 0.0.0.0 0.0.0.0 66.234.131.138 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80

Thoughts?

 
lrmoore commented:
What is the subnet mask on your internet router Ethernet port?
What is the default gateway/mask settings on your server?
 
echunn (author) commented:
internet router
mask = 255.255.255.248

server
gw=66.234.131.209
mask= 255.255.255.248

 
echunn (author) commented:
Here's an update:
From 10.100.10.2 I can get to the server 66.234.131.210
From this same system I'm unable to browse the internet
From the internet I can't get to the server.

From other systems on 10.100.10.x I can't get out to the internet nor the server. Do I need static NAT for every system that needs access to the internet? If so, what is an example of that statement?
 
lrmoore commented:
Some progress, right?
Does the Internet router have a route statement pointing to the PIX for that subnet?

   ip route 66.234.131.208 255.255.255.248 66.234.131.139

These two entries are all you need to browse the internet from inside:
   global (outside) 5 interface
   nat (inside) 5 10.100.0.0 255.255.0.0 0 0

Verify that the inside users' default gateway points to the pix 10.100.10.100

Doh! I think I see a problem:

given this:
   ip address inside 10.100.10.100 255.255.255.0

You can remove this:
    no static (inside,DMZ) 10.100.0.0 10.100.0.0 netmask 255.255.255.0 0 0



 
echunn (author) commented:
Well the route wasn't in place....now that it is I can at least ping it (server) from my router. Anything beyond my router on the public side doesn't work.

Getting out to the internet from 10.100.10.0 (specifically 10.100.10.2 and 60) still doesn't work.

Here's the latest:

.........
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit icmp any host 66.234.131.210
access-list outside_access_in permit ip any any
access-list outside_access_in permit tcp any any
access-list outside_access_in permit udp any any
access-list outside_access_in permit icmp any any
access-list dmz_out permit icmp host 10.100.10.102 10.100.0.0 255.255.255.0
access-list dmz_out permit icmp host 10.100.10.60 10.100.0.0 255.255.255.0
access-list inside_access_in permit ip any any
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any
access-list inside_access_in permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 66.234.131.139 255.255.255.248
ip address inside 10.100.10.100 255.255.255.0
ip address DMZ 66.234.131.209 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
ip audit attack action alarm
no pdm history enable
arp timeout 14400
global (outside) 5 interface
nat (inside) 5 10.100.0.0 255.255.0.0 0 0
nat (DMZ) 5 66.234.131.0 255.255.255.0 0 0
static (inside,outside) 66.234.131.212 10.100.10.2 netmask 255.255.255.255 0 0
static (DMZ,outside) 66.234.131.210 66.234.131.210 netmask 255.255.255.255 0 0
static (inside,outside) 10.100.10.60 66.234.131.213 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 66.234.131.138 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
 
lrmoore commented:
Can you ping your router from the inside?
Yes? Sounds like the ISP isn't routing properly to your 66.234.131.x subnet.

 
echunn (author) commented:
In your opinion, do you think this config is valid?
 
lrmoore commented:
Not now.

You can remove this completely:
   access-group inside_access_in in interface inside

The default is to permit all outbound traffic anyway..

You've changed some other things around, too:
>static (inside,outside) 66.234.131.212 10.100.10.2 netmask 255.255.255.255 0 0  <=== ?? DMZ IP to inside host?
>static (DMZ,outside) 66.234.131.210 66.234.131.210 netmask 255.255.255.255 0 0 <== OK
>static (inside,outside) 10.100.10.60 66.234.131.213 netmask 255.255.255.255 0 0  <== ?? backward syntax

Now you're trying to nat a DMZ IP address to an inside host?
 
echunn (author) commented:
To summarize what needs to communicate to what.......The server needs to connect to internal IPs on 10.100.0.0 as well as systems on the internet.   As it stands right now I'm back to where I started.  The server is unable to communicate to the internal net as well as the internet.  I'll refrain from changing anything more until I get more suggestions from you.

access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit icmp any host 66.234.131.210
access-list outside_access_in permit ip any any
access-list outside_access_in permit tcp any any
access-list outside_access_in permit udp any any
access-list outside_access_in permit icmp any any
access-list dmz_out permit icmp host 10.100.10.102 10.100.0.0 255.255.255.0
access-list dmz_out permit icmp host 10.100.10.60 10.100.0.0 255.255.255.0
access-list inside_access_in permit ip any any
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any
access-list inside_access_in permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 66.234.131.139 255.255.255.248
ip address inside 10.100.10.100 255.255.255.0
ip address DMZ 66.234.131.209 255.255.255.248
ip audit info action alarm
no pdm history enable
arp timeout 14400
global (outside) 5 interface
nat (inside) 5 10.100.0.0 255.255.0.0 0 0
nat (DMZ) 5 66.234.131.0 255.255.255.0 0 0
static (inside,outside) 66.234.131.212 10.100.10.2 netmask 255.255.255.255 0 0
static (DMZ,outside) 66.234.131.210 66.234.131.210 netmask 255.255.255.255 0 0
static (inside,outside) 10.100.10.60 66.234.131.213 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 66.234.131.138 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact

 
echunn (author) commented:
The Good News:
Spoke to my ISP and sure enough they weren't routing the server's IP. I can now connect from the internet to the server.

The BAD News:
I'm unable to communicate from the server to my internal net as well as from my internal net to my server.  

Any suggestions?   .......I'm in the home-stretch!!
 
lrmoore commented:
That is good news. I guess I was right.

Now. For internal net to server communications:

                           nat (inside) 5 10.100.0.0 255.255.0.0 0 0
Remove this ==> nat (DMZ) 5 66.234.131.0 255.255.255.0 0 0
Remove this ==> static (inside,outside) 66.234.131.212 10.100.10.2 netmask 255.255.255.255 0 0
                          static (DMZ,outside) 66.234.131.210 66.234.131.210 netmask 255.255.255.255 0 0
Remove this ==> static (inside,outside) 10.100.10.60 66.234.131.213 netmask 255.255.255.255 0 0

Remove this ==> access-group inside_access_in in interface inside

This is what you should end up with:

  global (outside) 5 interface
  nat (inside) 5 10.100.0.0 255.255.0.0 0 0
  static (DMZ,outside) 66.234.131.210 66.234.131.210 netmask 255.255.255.255 0 0
  static (inside,DMZ) 10.100.10.0 10.100.10.0 netmask 255.255.255.0

Next, for the server in the DMZ to talk to the internal network (if this server initiates the connection)
  access-list DMZ permit ip host 66.234.131.210 10.100.10.0 255.255.255.0
  access-list DMZ permit ip host 66.234.131.210 any
  access-list DMZ in interface DMZ

Once you get everything working, we can refine the DMZ access-list

 
echunn (author) commented:
From my internal net I can connect to my server and everywhere else.  However, my server still is unable to establish a connection to an internal system.
 
lrmoore commented:
So, 2 out of 3 down?
can you post your current latest running config?

These three lines are the keys to making that work:
 static (inside,DMZ) 10.100.10.0 10.100.10.0 netmask 255.255.255.0
  access-list DMZ permit ip host 66.234.131.210 10.100.10.0 255.255.255.0
   access-list DMZ in interface DMZ
 
echunn (author) commented:
Sure, here it is:
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
enable password bSZmERppDxozfltT encrypted
passwd jBkDTusFb45REzoX encrypted
hostname MAGMA
domain-name MAGMA
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any host 66.234.131.210
access-list outside_access_in permit ip any any
access-list outside_access_in permit tcp any any
access-list outside_access_in permit udp any any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host 66.234.131.210 eq www
access-list dmz_out permit icmp host 10.100.10.102 10.100.0.0 255.255.255.0
access-list dmz_out permit icmp host 10.100.10.60 10.100.0.0 255.255.255.0
access-list inside_access_in permit ip any any
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any
access-list inside_access_in permit icmp any any
access-list DMZ permit ip host 66.234.131.210 10.100.10.0 255.255.255.0
access-list DMZ permit ip host 66.234.131.210 10.100.11.0 255.255.255.0
access-list DMZ permit ip host 66.234.131.210 10.100.12.0 255.255.255.0
access-list DMZ permit ip host 66.234.131.210 10.100.13.0 255.255.255.0
access-list DMZ permit ip host 66.234.131.210 10.100.15.0 255.255.255.0
access-list DMZ permit ip host 66.234.131.210 10.100.16.0 255.255.255.0
access-list DMZ permit ip host 66.234.131.210 10.100.17.0 255.255.255.0
access-list DMZ permit ip host 66.234.131.210 any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 66.234.131.139 255.255.255.248
ip address inside 10.100.10.100 255.255.255.0
ip address DMZ 66.234.131.209 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
no pdm history enable
arp timeout 14400
global (outside) 5 interface
nat (inside) 5 10.100.0.0 255.255.0.0 0 0
static (DMZ,outside) 66.234.131.210 66.234.131.210 netmask 255.255.255.255 0 0
static (inside,outside) 66.234.131.214 10.100.10.52 netmask 255.255.255.255 0 0
static (inside,DMZ) 10.100.10.0 10.100.10.0 netmask 255.255.255.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 66.234.131.138 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:
 
lrmoore commented:
You have to remove this. You cannot apply a static map to a public IP from an inside host to the DMZ subnet..  
   > static (inside,outside) 66.234.131.214 10.100.10.52 netmask 255.255.255.255 0 0

If you have all those 10.100.x.0 subnets on the inside that you are trying to connect to, suggest :
  no static (inside,DMZ) 10.100.10.0 10.100.10.0 netmask 255.255.255.0 0 0
  static (inside,DMZ) 10.100.10.0 10.100.10.0 netmask 255.255.0.0
                                                                                         ^^
You will also need a route to them on the PIX pointing to the inside router:
   route inside 10.100.0.0 255.255.0.0 10.100.10.??

And, don't forget to apply the DMZ ACL (I don't see it in your posted config):
    access-list DMZ in interface DMZ

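The thread's whole debugging loop comes down to three PIX 6.3 rules that lrmoore keeps restating: traffic from a higher-security interface to a lower one needs a translation (a static is consulted before nat/global, and with none "no translation group found" drops the packet); traffic from a lower-security interface to a higher one needs both an explicit permit in an access-group applied to the ingress interface and a static whose mapped address covers the destination; and `static (real,mapped) MAPPED REAL` is easy to write backwards. The following is an added example, not code from the thread or from Cisco: a small Python model of just those rules. SAMPLE_CONFIG is constructed from the final working config above; the test hosts 198.51.100.7 and 203.0.113.9 are made-up documentation addresses. Deleting the identity `static (inside,DMZ)` line or the `access-group DMZ` line from it reproduces the "server can't reach the internal net" failures reported mid-thread, and `suspicious_statics()` flags the two statics lrmoore marked "?? backward syntax" and "DMZ IP to inside host?".

```python
"""PIX 6.3 connection model: does a flow get both an ACL permit and a translation?
Added example, not code from the thread or from Cisco; it implements only the rules
the thread exercises (nameif security levels, access-group implicit deny, static
before nat/global, 'global ... interface' PAT). No nat 0, no port statics.
SAMPLE_CONFIG is constructed from the thread's final working config."""
import ipaddress

PORTS = {"www": 80, "http": 80, "https": 443, "ftp": 21, "smtp": 25}
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
access-list outside_access_in permit tcp any host 66.234.131.210 eq www
access-list DMZ permit ip host 66.234.131.210 10.100.0.0 255.255.0.0
access-list DMZ permit ip host 66.234.131.210 any
ip address outside 66.234.131.139 255.255.255.248
ip address inside 10.100.10.100 255.255.255.0
ip address DMZ 66.234.131.209 255.255.255.248
global (outside) 5 interface
nat (inside) 5 10.100.0.0 255.255.0.0 0 0
static (DMZ,outside) 66.234.131.210 66.234.131.210 netmask 255.255.255.255 0 0
static (inside,DMZ) 10.100.0.0 10.100.0.0 netmask 255.255.0.0 0 0
access-group outside_access_in in interface outside
access-group DMZ in interface DMZ
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _spec(t, i):  # ACL address spec: any | host A | A MASK -> (network, index after it)
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return (net(t[i + 1], "255.255.255.255"), i + 2) if t[i] == "host" else (net(t[i], t[i + 1]), i + 2)

def parse(text):
    cfg = {"sec": {}, "ifaddr": {}, "acl": {}, "applied": {}, "global": {}, "nat": [], "static": []}
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[0] == "nameif":                      # nameif ethernet2 DMZ security4
            cfg["sec"][w[2]] = int(w[3][len("security"):])
        elif w[:2] == ["ip", "address"]:          # ip address DMZ ADDR MASK
            cfg["ifaddr"][w[2]] = (ipaddress.ip_address(w[3]), net(w[3], w[4]))
        elif w[0] == "access-list" and w[2] == "permit":
            t = w[3:]                             # proto src dst [eq port]
            src, i = _spec(t, 1)
            dst, i = _spec(t, i)
            port = (PORTS.get(t[i + 1]) or int(t[i + 1])) if i < len(t) and t[i] == "eq" else None
            cfg["acl"].setdefault(w[1], []).append((t[0], src, dst, port))
        elif w[0] == "access-group":              # access-group NAME in interface IFC
            cfg["applied"][w[4]] = w[1]
        elif w[0] == "global":                    # global (outside) 5 interface
            cfg["global"][(w[1].strip("()"), w[2])] = w[3]
        elif w[0] == "nat":                       # nat (inside) 5 NET MASK
            cfg["nat"].append((w[1].strip("()"), w[2], net(w[3], w[4])))
        elif w[0] == "static":                    # static (real,mapped) MAPPED REAL netmask M
            real_ifc, mapped_ifc = w[1].strip("()").split(",")
            cfg["static"].append((real_ifc, mapped_ifc, net(w[3], w[5]), net(w[2], w[5])))
    return cfg

def acl_permits(cfg, ifc, proto, src, dst, dport):
    """True/False when an access-group is applied on ifc, None when there is none."""
    name = cfg["applied"].get(ifc)
    if name is None:
        return None
    return any(p in ("ip", proto) and src in s and dst in d and port in (None, dport)
               for p, s, d, port in cfg["acl"].get(name, []))

def evaluate(cfg, src_ifc, src_ip, dst_ifc, dst_ip, proto="tcp", dport=None):
    """('ALLOW'|'DENY', reason) for a new connection entering the PIX on src_ifc."""
    src, dst, sec = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), cfg["sec"]
    ok = acl_permits(cfg, src_ifc, proto, src, dst, dport)
    if ok is False or (ok is None and sec[src_ifc] < sec[dst_ifc]):
        why = "no matching permit in its access-group" if ok is False else "lower-to-higher with no access-group"
        return "DENY", f"ingress {src_ifc}: {why}"
    if sec[src_ifc] > sec[dst_ifc]:
        # Outbound: the source needs a translation; statics are consulted before nat/global.
        for real_ifc, mapped_ifc, real_net, mapped_net in cfg["static"]:
            if (real_ifc, mapped_ifc) == (src_ifc, dst_ifc) and src in real_net:
                mapped = mapped_net[int(src) - int(real_net.network_address)]
                return "ALLOW", f"static: {src} appears as {mapped} on {dst_ifc}"
        for nat_ifc, nat_id, nat_net in cfg["nat"]:
            pool = cfg["global"].get((dst_ifc, nat_id))
            if nat_ifc == src_ifc and src in nat_net and pool:
                mapped = cfg["ifaddr"][dst_ifc][0] if pool == "interface" else pool
                return "ALLOW", f"nat/global {nat_id}: {src} PATed to {mapped} on {dst_ifc}"
        return "DENY", f"no translation group found for {src} from {src_ifc} to {dst_ifc}"
    # Inbound: the destination must be a mapped address of a static (dst_ifc,src_ifc).
    for real_ifc, mapped_ifc, real_net, mapped_net in cfg["static"]:
        if (real_ifc, mapped_ifc) == (dst_ifc, src_ifc) and dst in mapped_net:
            real = real_net[int(dst) - int(mapped_net.network_address)]
            return "ALLOW", f"static: {dst} on {src_ifc} is {real} on {dst_ifc}"
    return "DENY", f"no static ({dst_ifc},{src_ifc}) maps {dst}: destination is untranslatable"

def suspicious_statics(cfg):
    # Non-identity statics whose mapped address sits in another interface's connected subnet:
    # 'static (inside,outside) 10.100.10.60 66.234.131.213' (mapped/real swapped) or a DMZ IP to an inside host.
    return [f"static ({r},{m}) {mn.network_address}: address belongs to {ifc}"
            for r, m, rn, mn in cfg["static"] if rn != mn
            for ifc, (_, subnet) in cfg["ifaddr"].items()
            if ifc != m and mn.network_address in subnet]
```

The model deliberately ignores fixups, ICMP state and the routing on either side of the PIX (which is where the thread's last two problems actually lived), so a DENY here is a config problem and an ALLOW only means the PIX itself will not drop the first packet. Two caveats from the intermediate configs posted above: `access-list outside_access_in permit ip any any` combined with the identity static for 66.234.131.210 exposes every listening port on the web server to the internet, so once things work it should shrink back to `permit tcp any host 66.234.131.210 eq www` (plus the ICMP replies), and `snmp-server community public` on a box with a public address should be changed or removed.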
 
echunn (author) commented:
you mean:
access-group DMZ in interface DMZ

not:
access-list DMZ in interface DMZ

you mean:
static (inside,DMZ) 10.100.10.0 10.100.10.0 netmask 255.255.255.0

not:
static (inside,DMZ) 10.100.10.0 10.100.10.0 netmask 255.255.0.0

route inside 10.100.0.0 255.255.0.0 10.100.10.1

We're good to go now!  Excellent help, thank you very much!



 
echunn (author) commented:
One last thing. To avoid having to set static routes on my router for the public IP of the server on my internal net, could I instead NAT to an IP routable on my internal net? If so, what's the correct syntax?
 
lrmoore commented:
I don't follow you on that...
As long as the PIX is the default gateway for everything, it shouldn't matter...
Since you are not natting between the inside and the DMZ, nor from DMZ to outside, that's sort of an odd thing to need to do.
 
echunn (author) commented:
When I set my systems to use the PIX as the default gateway, I can't communicate with anything else on my 10.100.10.0, as well as my other networks, 10.100.13.x, 10.100.14.x etc., even though I've got these route statements:

route outside 0.0.0.0 0.0.0.0 66.234.131.138 1
route inside 10.100.0.0 255.255.0.0 10.100.10.1 1
route inside 10.100.15.0 255.255.255.0 10.100.10.1 1  
 
lrmoore commented:
How about on your router, just point the default to the PIX, then use the router as your default.

  ip route 0.0.0.0 0.0.0.0 10.100.10.100

 
echunn (author) commented:
Tried that too. It seems like the routes on the PIX aren't even working....
 
lrmoore commented:
They are, it's just that a PIX won't redirect like a router will...

The routes on the PIX are there to respond to clients, not to act as a router for inside client to get to another subnet. Is there another default route in the router?

 
echunn (author) commented:
The default route on my main core router feeds out to our MPLS network which fingers out to the other 10.100.x.x subnets.

Here are the router's route statements as they look now:


ip route 0.0.0.0 0.0.0.0 10.100.10.100
ip route 66.234.131.210 255.255.255.255 10.100.10.100

Before:

ip route 0.0.0.0 0.0.0.0 192.168.100.57
ip route 66.234.131.210 255.255.255.255 10.100.10.100
 
echunn (author) commented:
So to answer your question, no, there are no other default routes.
 
lrmoore commented:
Sounds like you still have a simple routing issue..
What routing protocol are you using? You can enable OSPF between this router and the PIX. If you decide that you want to do that, post another question and we can work on that separately.

Aren't you using BGP to the MPLS network?
 
echunn (author) commented:
I'm running BGP. Spoke to my ISP and the routes are now updated and everything is working. Case closed! Thanks for your patience and help.
 
Question has a verified solution.