PIX connectivity problem

Posted on 2006-04-27
Last Modified: 2013-11-16
Thanks to previous help on this web site, I had my PIX working fine on a test network.  I am using 192.168.200 to describe the problem rather than the actual Class C IP assigned. Our assigned public IP subnet is 192.168.200.64/26 with 62 host IPs.   The ISP router is assigned 192.168.200.66/26.

As previously recommended on the exchange, I had set up the PIX:
ip address outside 192.168.200.65 255.255.255.224
ip address inside 192.168.200.97 255.255.255.224
route outside 0.0.0.0 0.0.0.0 192.168.200.66
static (inside,outside) 192.168.200.96 192.168.200.96 netmask 255.255.255.224

After these changes my test network worked fine, e.g., I could use services like ssh and http from a workstation on the inside and connect to a server on the other side of the Internet test router with no problem.

However, when I connected the same firewall to our production network (replacing our current 3745 router/switch with the PIX), there was no connectivity between the ISP 3745 router (on-site, but remotely managed) and my PIX.  I could not ping the ISP router from the PIX, nor could the workstations connect to the outside using services such as http.  We asked the ISP to do a clear ARP on their router, thinking it might be trying to resolve the MAC of the replaced 3745.  They claim they did, but it did no good.

Strangely, when we removed the PIX and reconnected our 3745, our workstations had connectivity to the Internet, but we still could not ping the ISP 3745 from our 3745 though we could before installing the PIX.

I then connected the PIX back to the test network, and everything functioned fine.  Does this sound like a problem in my PIX config or in the ISP router?

CURRENT NETWORK
-----------------
Catalyst 3745| (Remotely managed with IDS connected to switch)
 router/switch|
-----------------
         |   192.168.200.66/26
         |
eth0   |  192.168.200.65/29
----------------
Catalyst 3745|  (In-house managed)
 router/switch|
-----------------
|                        
wksta    


TARGET NETWORK
-----------------
Catalyst 3745|  (Remotely managed)
 router/switch|
-----------------
         |   192.168.200.66/26
         |
eth0   |  192.168.200.65/27
---------
      PIX|  (In-house managed)
----------
 eth1   |   192.168.200.97/27
           |
       switch
           |
           |   192.168.200.109/27
--------------
Workstation|
---------------
Question by:taccomp
7 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16557855
if you are on a /26 subnet, should you not be using 255.255.255.192?

 

Author Comment

by:taccomp
ID: 16558302
I am on a .192 subnet outside the firewall.  However, if I need to create additional subnets inside the firewall using the same IPs, it is my understanding that I need to further divide the subnet I am assigned.
 
LVL 51

Accepted Solution

by: Keith Alabaster (earned 1000 total points)
ID: 16564465
OK, your external interface on the PIX was on a /27 (.224) address so I've obviously misread your explanation.


 

Author Comment

by:taccomp
ID: 16569584
My problem appears to have been resolved.  When my ISP did a clear arp-cache yesterday and I then waited about 30 minutes, my workstations on the Inside .224 network had connectivity to the Internet.

Had some other problems with hosts on my DMZ interface, but the inside-to-outside connections were working.  I'm back on original non-PIX network until I can resolve the DMZ issues.

If someone can answer these connectivity questions, I'll give you the credit for the answer.

1.  Does the PIX have the equivalent of an ARP cache that resolves a MAC address to an IP?  If so, how do you clear it?

2.  Should the following PIX config work?

ISP subnet assigned = 192.168.200.64 255.255.255.192 (hosts 65-126)
ISP router gateway IP = 192.168.200.66

PIX ip address outside 192.168.200.65 255.255.255.240 (hosts 65-78)
PIX ip address inside 192.168.200.97 255.255.255.224  (hosts 97-126)
PIX ip address dmz 192.168.200.81 255.255.255.240  (hosts 81-94)
PIX route outside 0.0.0.0 0.0.0.0 192.168.200.66
PIX static (inside,outside) 192.168.200.96 192.168.200.96 netmask 255.255.255.224
PIX static (dmz,outside) 192.168.200.80 192.168.200.80 netmask 255.255.255.240

3.  If so, what would be the effect if a host in the dmz subnet had the correct host ID (e.g., 87), but the host was configured with a .192 versus a .240 subnet mask?  I'm trying to get a better understanding of subnetting on the PIX.
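To check the addressing in question 2 and to see concretely what question 3 is asking, here is a small added Python script (not from the original thread or from Cisco) that takes the subnets exactly as quoted in the comment above and computes, for each PIX interface, the network, the usable host range and whether it fits inside the ISP's /26; it also checks that no two interface subnets overlap and that the default-route next hop lies on the outside subnet. The last function generalises question 3: for a host carrying the wrong mask it lists every peer the host will wrongly treat as directly attached (and therefore ARP for locally) instead of handing to its gateway. The 192.168.200.x addresses are the asker's placeholders, and the peer list is constructed for the example.

```python
import ipaddress

# Values as quoted in the question (192.168.200.x stands in for the real Class C).
ISP_BLOCK = ipaddress.ip_network("192.168.200.64/26")
ISP_GATEWAY = ipaddress.ip_address("192.168.200.66")

# The three PIX interface addresses and masks from the proposed config.
PIX_INTERFACES = {
    "outside": ipaddress.ip_interface("192.168.200.65/255.255.255.240"),
    "dmz":     ipaddress.ip_interface("192.168.200.81/255.255.255.240"),
    "inside":  ipaddress.ip_interface("192.168.200.97/255.255.255.224"),
}


def interface_plan(interfaces=PIX_INTERFACES, isp_block=ISP_BLOCK):
    """Per interface: network, usable host range, and whether it sits inside the ISP block."""
    plan = {}
    for name, iface in interfaces.items():
        net = iface.network
        hosts = list(net.hosts())
        plan[name] = {
            "network": str(net),
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "inside_isp_block": net.subnet_of(isp_block),
        }
    return plan


def overlapping_pairs(interfaces=PIX_INTERFACES):
    """Interface subnets that overlap each other (the PIX will not accept such a layout)."""
    names = list(interfaces)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if interfaces[a].network.overlaps(interfaces[b].network):
                pairs.append((a, b))
    return pairs


def gateway_on_outside(interfaces=PIX_INTERFACES, gateway=ISP_GATEWAY):
    """The 'route outside 0.0.0.0 0.0.0.0 <gw>' next hop must be on the outside subnet."""
    return gateway in interfaces["outside"].network


def wrongly_on_link(host_ip, wrong_mask, correct_mask, peers):
    """Peers a host with the wrong mask believes are local although they are not.

    Such a host ARPs for these addresses on its own segment instead of sending the
    traffic to its default gateway, so those destinations become unreachable.
    """
    wrong_net = ipaddress.ip_interface(f"{host_ip}/{wrong_mask}").network
    right_net = ipaddress.ip_interface(f"{host_ip}/{correct_mask}").network
    addrs = (ipaddress.ip_address(p) for p in peers)
    return [str(a) for a in sorted(addrs) if a in wrong_net and a not in right_net]


if __name__ == "__main__":
    for name, info in interface_plan().items():
        print(f"{name:8s} {info['network']:20s} hosts {info['first_host']}-{info['last_host']}"
              f" in ISP block: {info['inside_isp_block']}")
    print("overlaps:", overlapping_pairs())
    print("gateway on outside subnet:", gateway_on_outside())
    # Question 3: DMZ host .87 configured with .192 instead of .240 (peer list constructed).
    peers = ["192.168.200.66", "192.168.200.81", "192.168.200.97",
             "192.168.200.109", "8.8.8.8"]
    print("DMZ host .87 with .192 mask wrongly treats as on-link:",
          wrongly_on_link("192.168.200.87", "255.255.255.192", "255.255.255.240", peers))
```

Run as-is and the three subnets come out as .64/28 (hosts .65-.78), .80/28 (hosts .81-.94) and .96/27 (hosts .97-.126), all inside the /26, with no overlap and the .66 gateway on the outside subnet, so the addressing itself is consistent. For question 3, the .87 host with a .192 mask thinks .66, .97 and .109 are on its own wire and will ARP for them through the DMZ interface rather than routing via the PIX, which is why a mask mismatch shows up as unreachable inside and Internet hosts even though the host's own address is correct.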
 

Author Comment

by:taccomp
ID: 16569810
#1.  Found it.  clear arp.  Does it happen immediately, or is there something still buffered in memory that requires waiting for a set length of time for it to be effective?

 

Author Comment

by:taccomp
ID: 16579637
No answers so I'll assume everyone gave up on this one and give points to the only person who replied to original question.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16579724
Thanks. Didn't give up but hadn't got round to replying yet. For that I apologise; we do try to be timely in our replies to askers' comments. :(
