PIX inside to outside subnet problem
Posted on 2006-04-24
I am having a problem setting up the inside-to-outside connection on a PIX-515 with 3 interfaces - inside, outside, and DMZ. We are using a test network prior to implementation.
I am using 192.168.200 to describe the problem rather than the actual Class C IP assigned. Our assigned public IP subnet is 192.168.200.64/255.255.255.192 with 62 host IPs. The ISP router is assigned .66. I assigned .65 to the PIX outside interface. I set up a static outside route 0.0.0.0 gateway 192.168.200.66.
Our publicly accessible servers in the DMZ off the firewall use a private IP net (192.168.100.0/24). I set the 6 current DMZ servers to static NAT to 6 of the public IPs assigned at the firewall (192.168.200.82 - .87), and I provided access rules to allow the desired services (SSH, HTTP, etc.). This interface appears to be working ok.
I am not allowed to set up the inside interface as a private IP net and NAT (long story), so I set up the network on the PIX inside interface as subnet 192.168.200.96/255.255.255.224, which has an allowable host IP range of .97-.126. I assigned the PIX inside port as .97.
I was under the assumption the PIX would allow traffic to flow from a higher-security (inside) interface to a lower-security (outside) interface as long as there were access rules or translation rules in place.
When I look at the translation rules, there is already a default to use the same original address for the inside-to-outside interface. This seemed ok since the inside subnet is a further division of the assigned public Class C subnet.
However, from an inside workstation, I cannot access any system on the outside interface (same test systems I can access from the DMZ using NAT), even when I establish a specific access rule for the service I desire (e.g., SSH). Help.
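For readers following this thread, the configuration below is an added example written in PIX 6.x CLI syntax to show how the addressing described in the post is normally expressed; it is not the poster's actual config. Interface names (ethernet0/1/2), the DMZ server address 192.168.100.10, the DMZ interface address 192.168.100.1 and the access-list name outside_in are assumptions, since the post does not give them. The point the example makes explicit: the inside block .96/27 is carved out of the .64/26 that the outside interface and the ISP router share, so the ISP router treats .97-.126 as directly connected and ARPs for them on the outside wire. The identity static for the inside block is used here (rather than a nat 0 entry) because the PIX answers ARP on the outside interface for addresses it holds in static translations, which is what lets replies from the ISP router reach inside hosts that keep their public addresses.

```cisco
! Interface roles and security levels (PIX 6.x). Names are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Addressing as described in the post (192.168.200.x stands in for the real public block).
! Outside: 192.168.200.64/26, PIX = .65, ISP router = .66
! Inside:  192.168.200.96/27, PIX = .97 (a sub-range of the outside /26)
! DMZ:     192.168.100.0/24 private space; the PIX address .1 is assumed
ip address outside 192.168.200.65 255.255.255.192
ip address inside 192.168.200.97 255.255.255.224
ip address dmz 192.168.100.1 255.255.255.0

! Default route toward the ISP router.
route outside 0.0.0.0 0.0.0.0 192.168.200.66 1

! DMZ servers: one-to-one static NAT to public addresses .82-.87.
! The private address 192.168.100.10 behind .82 is assumed; repeat per server.
static (dmz,outside) 192.168.200.82 192.168.100.10 netmask 255.255.255.255

! Inside hosts keep their public addresses (no NAT allowed). A net-to-net
! identity static creates translation slots for the whole /27 and makes the
! PIX proxy-ARP for .96/27 on the outside segment, where the ISP router
! expects those hosts to be directly connected.
static (inside,outside) 192.168.200.96 192.168.200.96 netmask 255.255.255.224

! Inbound access to the DMZ services mentioned in the post (SSH, HTTP).
access-list outside_in permit tcp any host 192.168.200.82 eq ssh
access-list outside_in permit tcp any host 192.168.200.82 eq www
access-group outside_in in interface outside
```

When testing, `show xlate` on the PIX should show a translation slot for the inside workstation after it sends traffic outbound, and `show arp` on the ISP router (or any host on the outside segment) should resolve an inside address such as .98 to the MAC address of the PIX outside interface; if it resolves to nothing, the reply path is the problem regardless of the access rules.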