Pix access to other pix on same network
Posted on 2005-03-22
I have a client with a PIX issue who asked for some help; thought I'd bounce the situation here and see if anyone might be able to shed some light.
He is currently running a PIX in front of his internal network, and recently added another PIX to handle securing his web servers.
PIX 1                          PIX 2
Internal Network               Web Servers
(external ip)                  (2 external ips, 1 for pix and
                                1 static nat'd to server)
Both PIXes' external IPs are on the same network; the web server uses another IP, static NAT'd to its internal address.
Here's the situation: up to this point, with an older firewall, users behind PIX 1 were able to view the websites on the web server behind the older firewall. Now, after installation of PIX 2, outside users in front of the T1 router can see the sites, but the internal users behind PIX 1 cannot.
He can ping the eth0 address of PIX 2 from behind PIX 1, but CANNOT ping the other external IP address static NAT'd behind PIX 2.
My first guess is that the users behind PIX 1, when resolving the URLs, do not make it out through the T1 router and back, and are heading directly through the switch to PIX 2, which is not allowing translation from those addresses it sees as local.
The question: his users must be able to view the sites behind PIX 2 for business purposes. Is there a rule that should be set up to allow this, or do you have any suggestions on how this might be possible?
Hope this made sense. Thanks in advance for any assistance :)
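As an added illustration of the path question raised above (this is not part of the post, and not the poster's configuration), the following script models the described layout on a small constructed topology and traces which device a packet reaches at each hop. All addresses are constructed RFC 5737 / RFC 1918 documentation values; the node names `client`, `pix1`, `pix2` and `t1-router` are assumptions. It shows that, with both PIX outside interfaces and the static NAT address on one subnet, a packet from the internal client is handed straight from PIX 1 to PIX 2 across the shared segment and never touches the T1 router, which is where the poster's guess about the traffic path can be confirmed or ruled out.

```python
"""Added example: hop-by-hop path trace on a constructed two-PIX topology.
Not the poster's config; every address here is a documentation value."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    name: str
    ifaces: list                       # interface addresses as "a.b.c.d/prefix"
    default_gw: Optional[str] = None   # next hop for anything not on-link
    static_nats: dict = field(default_factory=dict)  # public IP -> inside IP

    def owns(self, ip: str) -> bool:
        """True if ip is one of our interfaces or a static NAT we answer for
        (a PIX answers ARP for its static NAT addresses on the outside)."""
        addr = ipaddress.ip_address(ip)
        on_iface = any(addr == ipaddress.ip_interface(i).ip for i in self.ifaces)
        return on_iface or ip in self.static_nats

    def next_hop(self, dst: str):
        """('direct', dst) if dst is on a connected subnet, else ('via', gw)."""
        addr = ipaddress.ip_address(dst)
        for i in self.ifaces:
            if addr in ipaddress.ip_interface(i).network:
                return "direct", dst
        return "via", self.default_gw


def trace(nodes, src: str, dst: str, max_hops: int = 8):
    """Return (list of node names visited, inside IP the destination is
    translated to or None). Stops when a node owns dst or the path leaves
    the modelled topology."""
    by_name = {n.name: n for n in nodes}
    current = by_name[src]
    hops = [current.name]
    for _ in range(max_hops):
        if current.owns(dst):
            return hops, current.static_nats.get(dst)
        kind, nh = current.next_hop(dst)
        if nh is None:                       # no route: path leaves the model
            return hops, None
        # Whichever device answers for the next-hop address on the wire
        # receives the frame; for a static NAT on a PIX that is the PIX itself.
        owner = next((n for n in nodes if n.owns(nh)), None)
        if owner is None:
            return hops, None
        current = owner
        hops.append(current.name)
    return hops, None


# Constructed topology mirroring the post: both PIX outside interfaces and the
# web server's static NAT address share one external /28 with the T1 router.
TOPOLOGY = [
    Node("client", ["192.168.1.50/24"], default_gw="192.168.1.1"),
    Node("pix1", ["203.0.113.2/28", "192.168.1.1/24"], default_gw="203.0.113.1"),
    Node("pix2", ["203.0.113.3/28", "192.168.2.1/24"], default_gw="203.0.113.1",
         static_nats={"203.0.113.4": "192.168.2.10"}),
    Node("t1-router", ["203.0.113.1/28"]),   # upstream side not modelled
]


def uses_router(hops) -> bool:
    """Did the packet pass through the T1 router on its way out?"""
    return "t1-router" in hops


if __name__ == "__main__":
    for dst in ("203.0.113.4", "198.51.100.9"):
        hops, inside = trace(TOPOLOGY, "client", dst)
        print(f"{dst}: {' -> '.join(hops)}  translated_to={inside} "
              f"via_router={uses_router(hops)}")
```

Running it prints the web-server path as `client -> pix1 -> pix2`, translated to the inside server address without the router in the path, while a destination outside the shared subnet goes `client -> pix1 -> t1-router`. Seeing the PIX 1 outside address as the source on PIX 2 is therefore expected, so any rule that is supposed to allow the internal users needs to be checked against that source, not the router's.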