taccomp asked:
PIX connectivity problem

Thanks to previous help on this web site, I had my PIX working fine on a test network.  I am using 192.168.200 to describe the problem rather than the actual Class C IP assigned. Our assigned public IP subnet is 192.168.200.64/26 with 62 host IPs.   The ISP router is assigned 192.168.200.66/26.

As previously recommended on the exchange, I had set up the PIX:
ip address outside 192.168.200.65 255.255.255.224
ip address inside 192.168.200.97 255.255.255.224
route outside 0.0.0.0 0.0.0.0 192.168.200.66
static (inside,outside) 192.168.200.96 192.168.200.96 netmask 255.255.255.224

After these changes my test network worked fine, e.g., I could use services like ssh and http from a workstation on the inside and connect to a server on the other side of the Internet test router with no problem.

However, when I connected the same firewall to our production network (replacing our current 3745 router/switch with the PIX), there was no connectivity between the ISP 3745 router (on-site, but remotely managed) and my PIX.  I could not ping the ISP router from the PIX, nor could the workstations connect to the outside using services such as http.  We asked the ISP to do a clear ARP on their router, thinking it might be trying to resolve the MAC of the replaced 3745.  They claim they did, but it did no good.

Strangely, when we removed the PIX and reconnected our 3745, our workstations had connectivity to the Internet, but we still could not ping the ISP 3745 from our 3745 though we could before installing the PIX.

I then connected the PIX back to the test network, and everything functioned fine.  Does this sound like a problem in my PIX config or in the ISP router?

CURRENT NETWORK
-----------------
Catalyst 3745| (Remotely managed with IDS connected to switch)
 router/switch|
-----------------
         |   192.168.200.66/26
         |
eth0   |  192.168.200.65/29
----------------
Catalyst 3745|  (In-house managed)
 router/switch|
-----------------
|                        
wksta    


TARGET NETWORK
-----------------
Catalyst 3745|  (Remotely managed)
 router/switch|
-----------------
         |   192.168.200.66/26
         |
eth0   |  192.168.200.65/27
---------
      PIX|  (In-house managed)
----------
 eth1   |   192.168.200.97/27
           |
       switch
           |
           |   192.168.200.109/27
--------------
Workstation|
---------------
Keith Alabaster:

If you are on a /26 subnet, should you not be using 255.255.255.192?

taccomp (ASKER):

I am on a .192 subnet outside the firewall.  However, if I need to create additional subnets inside the firewall using the same IPs, it is my understanding that I need to further divide the subnet I am assigned.
ASKER CERTIFIED SOLUTION
Keith Alabaster
(solution text not shown on this page: members-only)
taccomp (ASKER):

My problem appears to have been resolved.  When my ISP did a clear arp-cache yesterday and I then waited about 30 minutes, my workstations on the Inside .224 network had connectivity to the Internet.

Had some other problems with hosts on my DMZ interface, but the inside-to-outside connections were working.  I'm back on the original non-PIX network until I can resolve the DMZ issues.

If someone can answer these connectivity questions, I'll give you the credit for the answer.

1.  Does the PIX have the equivalent of an ARP cache that resolves a MAC address to an IP?  If so, how do you clear it?

2.  Should the following PIX config work?

ISP subnet assigned = 192.168.200.64 255.255.255.192 (hosts 65-126)
ISP router gateway IP = 192.168.200.66

PIX ip address outside 192.168.200.65 255.255.255.240 (hosts 65-78)
PIX ip address inside 192.168.200.97 255.255.255.224  (hosts 97-126)
PIX ip address dmz 192.168.200.81 255.255.255.240  (hosts 81-94)
PIX route outside 0.0.0.0 0.0.0.0 192.168.200.66
PIX static (inside,outside) 192.168.200.96 192.168.200.96 netmask 255.255.255.224
PIX static (dmz,outside) 192.168.200.80 192.168.200.80 netmask 255.255.255.240

3.  If so, what would be the effect if a host in the dmz subnet had the correct host ID (e.g., 87), but the host was configured with a .192 versus a .240 subnet mask?  I'm trying to get a better understanding of subnetting on the PIX.
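As an added example, not code from the thread or from any participant, the following Python script checks the two addressing plans posted above (the first, with outside and inside both /27, and the second, with outside /28, dmz /28 and inside /27) for the three properties a practitioner would verify before trusting the config: each PIX interface subnet fits inside the assigned 192.168.200.64/26, no two interface subnets overlap, and the ISP gateway 192.168.200.66 lies on the outside subnet where the default route points. It also works through question 3 by computing which destinations a DMZ host at .87 treats as on-link under the correct /28 (255.255.255.240) mask versus the /26 (255.255.255.192) mask. The destination addresses .109 and .66 are taken from the thread; the Internet host 203.0.113.10 is a constructed documentation address.

```python
import ipaddress

# Constructed addressing plans, using the thread's 192.168.200.x stand-in block.
ASSIGNED = ipaddress.ip_network("192.168.200.64/26")     # ISP-assigned block
ISP_GATEWAY = ipaddress.ip_address("192.168.200.66")     # ISP router (default route next hop)

# First plan (original question): outside and inside both /27.
FIRST_PLAN = {
    "outside": "192.168.200.65/27",
    "inside":  "192.168.200.97/27",
}

# Second plan (question 2): outside /28, dmz /28, inside /27.
SECOND_PLAN = {
    "outside": "192.168.200.65/28",
    "dmz":     "192.168.200.81/28",
    "inside":  "192.168.200.97/27",
}


def check_plan(assigned, gateway, interfaces):
    """Return a list of problems with an addressing plan (empty list = consistent).

    `interfaces` maps interface name -> "address/prefix". An "outside" entry is
    required because the default route's next hop must sit on that subnet.
    Strings or ipaddress objects are accepted for every argument.
    """
    assigned = ipaddress.ip_network(assigned)
    gateway = ipaddress.ip_address(gateway)
    nets = {name: ipaddress.ip_interface(i).network for name, i in interfaces.items()}
    problems = []

    # 1. Every interface subnet must be carved out of the assigned block.
    for name, net in nets.items():
        if not net.subnet_of(assigned):
            problems.append(f"{name} {net} is not inside assigned {assigned}")

    # 2. Interface subnets must not overlap, or the PIX cannot route between them.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")

    # 3. The default-route next hop must be directly reachable on the outside subnet.
    if gateway not in nets["outside"]:
        problems.append(f"gateway {gateway} is not on outside {nets['outside']}")
    return problems


def host_next_hop(host, destination):
    """Decide how a host with address/mask `host` forwards a packet to `destination`.

    "on-link": the host ARPs for the destination itself on its own segment.
    "gateway": the host hands the packet to its default gateway (the PIX interface).
    """
    host = ipaddress.ip_interface(host)
    return "on-link" if ipaddress.ip_address(destination) in host.network else "gateway"


def mask_comparison(address, correct_prefix, wrong_prefix, destinations):
    """Map each destination to (decision with correct mask, decision with wrong mask)."""
    good = f"{address}/{correct_prefix}"
    bad = f"{address}/{wrong_prefix}"
    return {d: (host_next_hop(good, d), host_next_hop(bad, d)) for d in destinations}


if __name__ == "__main__":
    for label, plan in (("first plan", FIRST_PLAN), ("second plan", SECOND_PLAN)):
        print(label, check_plan(ASSIGNED, ISP_GATEWAY, plan) or "OK")

    # Question 3: DMZ host .87 with /28 (255.255.255.240) versus /26 (255.255.255.192).
    # Destinations: the inside workstation .109, the ISP router .66, an Internet host.
    targets = ["192.168.200.109", "192.168.200.66", "203.0.113.10"]
    for dst, (right, wrong) in mask_comparison("192.168.200.87", 28, 26, targets).items():
        print(f"{dst}: /28 -> {right}, /26 -> {wrong}")
```

Both plans pass all three checks, which is consistent with the asker's later report that inside-to-outside traffic came back after the ISP flushed its ARP cache rather than after a configuration change; the checks establish only that the addressing is internally consistent, not that the adjacent router's ARP state is fresh. For question 3, the host with the /26 mask treats the ISP router .66 and the inside workstation .109 as on-link and ARPs for them on the DMZ segment instead of forwarding to the PIX at .81; whether anything answers those ARPs depends on the firewall's proxy-ARP handling, so the safe reading is that traffic to other addresses inside the /26 is broken or at best unpredictable, while traffic to addresses outside the /26 still goes to the gateway under either mask.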
taccomp (ASKER):

#1.  Found it.  clear arp.  Does it happen immediately, or is there something still buffered in memory that requires waiting for a set length of time for it to be effective?

taccomp (ASKER):

No answers so I'll assume everyone gave up on this one and give points to the only person who replied to original question.

Thanks. Didn't give up but hadn't got round to replying yet. For that I apologise; we do try to be timely in our replies to asker's comments. :(