PIX 506 Firewall Routing Problem

I have a PIX firewall running my Class B network. I also have a point-to-point T1 that has routers on both ends. I can talk all the way to the PIX from both sides of the T1, but I cannot access any network resources on the PIX and no. 1 router side of things... HELP
Asked by: epipkin
MikeKane commented:
What subnets are you running on each segment?  


what subnet <-> pix<-> what subnet <-> router <--- T1's---> router <-> what subnet <-> pix <-> what subnet.  


This is probably just a simple routing or access list issue.    

 
epipkin (Author) commented:
PIX config:

name 192.168.1.0 trilakesmc
name 70.150.145.34 dsm
name 192.168.1.67 telerad2
name 192.168.1.66 telerad1
name 70.150.17.93 telerad1nat
name 70.150.17.94 telerad2nat
name 192.168.19.0 csi
name 10.10.11.0 pediatrics
name 192.168.51.0 dsm-vpn
name 63.239.162.4 philips
name 192.168.20.6 philips1
name 192.68.48.0 Philips2
name 192.168.0.0 DSM
name 10.19.0.0 west-campus
name 10.18.0.0 maincampus
object-group network telerad
  description teleradiology machines
  network-object telerad1 255.255.255.255
  network-object telerad2 255.255.255.255
object-group service teleradiology tcp
  description telerad ports
  port-object range 2000 2003
  port-object eq 2011
object-group network PHNS_BTR_NETS
  description PHNS Server Networks in Baton Rouge
  network-object 10.2.0.0 255.255.0.0
  network-object 10.11.0.0 255.255.0.0
  network-object 172.16.32.0 255.255.224.0
access-list inside_outbound_nat0_acl permit ip interface inside 192.168.4.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip trilakesmc 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip trilakesmc 255.255.255.0 pediatrics 255.255.255.0
access-list inside_outbound_nat0_acl permit ip maincampus 255.255.0.0 DSM 255.255.255.0
access-list inside_outbound_nat0_acl permit ip maincampus 255.255.0.0 192.168.4.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.18.21.0 255.255.255.0 csi 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host philips1 Philips2 255.255.252.0
access-list outside_cryptomap_20 permit ip maincampus 255.255.0.0 DSM 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.4.0 255.255.255.0
access-list outside_access_in permit tcp any host 70.150.17.90 eq 993
access-list outside_access_in permit tcp any host 70.150.17.90 eq pptp
access-list outside_access_in permit tcp any host 70.150.17.90 eq 81
access-list outside_access_in permit tcp any host 70.150.17.90 eq https
access-list outside_access_in permit tcp any host 70.150.17.90 eq www
access-list outside_access_in permit tcp any host 70.150.17.90 eq smtp
access-list outside_access_in permit ip any host 70.150.17.86
access-list outside_access_in permit ip any host 70.150.17.85
access-list outside_access_in permit tcp any host 70.150.17.88 eq telnet
access-list outside_access_in permit tcp any host 70.150.17.90 eq ssh
access-list outside_access_in permit ip any host 70.150.17.89
access-list outside_access_in permit tcp any host 70.150.17.90 eq ftp
access-list outside_access_in permit ip any host 70.150.17.91
access-list outside_access_in permit ip any host 70.150.17.92
access-list outside_access_in permit ip any host telerad1nat
access-list outside_access_in permit ip any host telerad2nat
access-list outside_cryptomap_dyn_20_1 permit ip trilakesmc 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_cryptomap_dyn_40 permit ip any 192.168.4.0 255.255.255.0
access-list outside_cryptomap_60 permit ip maincampus 255.255.0.0 csi 255.255.255.0
access-list outside_cryptomap_dyn_60 permit ip any 192.168.4.0 255.255.255.0
access-list outside_cryptomap_dyn_80 permit ip any 192.168.4.0 255.255.255.0
access-list outside_cryptomap_dyn_100 permit ip any 192.168.4.0 255.255.255.0
access-list outside_cryptomap_80 permit ip trilakesmc 255.255.255.0 pediatrics 255.255.255.0
access-list outside_cryptomap_dyn_90 permit ip any 192.168.4.0 255.255.255.0
access-list outside_cryptomap_140 permit ip host philips1 Philips2 255.255.252.0

pager lines 24
logging on
logging monitor debugging
logging buffered debugging
icmp permit any inside
icmp permit any echo-reply inside
mtu outside 1500
mtu inside 1500
ip address outside 70.150.17.66 255.255.255.224
ip address inside 10.18.254.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool dealer 192.168.4.1-192.168.4.254
pdm location maincampus 255.255.0.0 inside
pdm group telerad inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 70.150.17.90 10.18.18.3 netmask 255.255.255.255 0 0
static (inside,outside) 70.150.17.86 192.168.6.2 netmask 255.255.255.255 0 0
static (inside,outside) 70.150.17.85 192.168.1.61 netmask 255.255.255.255 0 0
static (inside,outside) 70.150.17.88 192.168.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 70.150.17.89 philips1 netmask 255.255.255.255 0 0
static (inside,outside) 70.150.17.91 10.18.20.39 netmask 255.255.255.255 0 0
static (inside,outside) 70.150.17.92 10.18.20.40 netmask 255.255.255.255 0 0
static (inside,outside) telerad1nat 10.18.20.100 netmask 255.255.255.255 0 0
static (inside,outside) telerad2nat 10.18.20.101 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 74.165.166.193 1
route inside west-campus 255.255.0.0 10.18.18.2 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute

Router here in the same facility as the PIX:

!
!
no ip dhcp use vrf connected
!
!
ip domain name trilakesmc.com
!
username edward privilege 15 secret 5 $1$.FJC$wjO8XiBw7J4pRkgZtGHel0
username bthornton privilege 15 secret 5 $1$.Flj$yw3/1067Bz6V5MxVaZqdA0
!
!
!
interface FastEthernet0/0
 description $FW_INSIDE$$INTF-INFO-FE 0$$ETH-LAN$
 ip address 10.18.18.2 255.255.0.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 speed 100
 full-duplex
!
interface Serial0/0/0
 description $FW_OUTSIDE$
 ip address 172.16.43.1 255.255.255.0
 encapsulation ppp
!
ip classless
ip forward-protocol udp 3389
ip route 0.0.0.0 0.0.0.0 10.18.254.1
ip route 10.19.0.0 255.255.0.0 172.16.43.2
ip route 192.168.4.0 255.255.255.0 192.168.1.30
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000

Router at the other end of the T1:

ip domain name trilakesmc.com
ip name-server 10.18.18.3
ip dhcp-server 10.18.18.3
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
 description LAN where dhcp clients live
 ip address 10.19.0.1 255.255.0.0
 ip helper-address 10.18.18.3
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 description $FW_OUTSIDE$
 ip address 172.16.43.2 255.255.255.0
 encapsulation ppp
 no ip route-cache
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.43.1
ip http server
ip http authentication local
!

HELP please

sharedit commented:
What is the default gateway of your site one computers set to? Hopefully it is the router, because a PIX will not route traffic back into the network.

I am still not clear on what exactly is not happening; what does "talk" mean?

If you are saying your computers at site 2 cannot ping computers/servers at site one, the gateway being set to the PIX at site one would cause you that problem. The PIX doesn't route traffic back out the same interface it came in on. Your router will need to be the default gateway; that way it can determine whether traffic is sent across the T1 or forwarded to the PIX as unknown traffic.

Just a guess.
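To make sharedit's diagnosis checkable, here is an added Python model (written for this page, not code from the thread) that does longest-prefix lookups over the route tables posted above and traces the return path from a main-campus host to west campus with the PIX versus the router as default gateway. The interface names, which device owns each next-hop address, and the rule that the PIX drops packets it would have to send back out the ingress interface are modelling assumptions.

```python
import ipaddress

# Route tables transcribed from the PIX and router configs posted above.
# Interface names, the OWNER map and the "no hairpin" rule are this
# example's own modelling assumptions, not anything from the thread.
TABLES = {
    "pix": [("0.0.0.0/0", "outside", "74.165.166.193"),
            ("10.19.0.0/16", "inside", "10.18.18.2"),
            ("10.18.0.0/16", "inside", None)],            # connected
    "r1":  [("0.0.0.0/0", "fe0/0", "10.18.254.1"),
            ("10.19.0.0/16", "s0/0/0", "172.16.43.2"),
            ("10.18.0.0/16", "fe0/0", None),
            ("172.16.43.0/24", "s0/0/0", None)],
    "r2":  [("0.0.0.0/0", "s0/0/0", "172.16.43.1"),
            ("10.19.0.0/16", "fe0/0", None),
            ("172.16.43.0/24", "s0/0/0", None)],
}
# Which device and interface owns each next-hop / gateway address (assumed).
OWNER = {"10.18.254.1": ("pix", "inside"), "10.18.18.2": ("r1", "fe0/0"),
         "172.16.43.1": ("r1", "s0/0/0"), "172.16.43.2": ("r2", "s0/0/0"),
         "10.19.0.1": ("r2", "fe0/0")}

def lookup(device, dst):
    """Longest-prefix match on one device; returns (out_iface, next_hop) or None."""
    best = None
    for prefix, iface, nh in TABLES[device]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface, nh)
    return best[1:] if best else None

def trace(dst, gateway, max_hops=6):
    """Forward a packet from a host whose default gateway is `gateway` towards dst.
    Returns (hops, verdict); verdict is delivered, hairpin-dropped, exited or no-route."""
    hops = []
    device, in_iface = OWNER[gateway]
    for _ in range(max_hops):
        route = lookup(device, dst)
        if route is None:
            return hops, "no-route"
        out_iface, nh = route
        hops.append((device, in_iface, out_iface))
        # The PIX will not send a packet back out the interface it arrived on.
        if device == "pix" and out_iface == in_iface:
            return hops, "hairpin-dropped"
        if nh is None:                      # directly connected: delivered on-link
            return hops, "delivered"
        if nh not in OWNER:                 # next hop is the ISP, outside the model
            return hops, "exited"
        device, in_iface = OWNER[nh]
    return hops, "no-route"

if __name__ == "__main__":
    for gw in ("10.18.254.1", "10.18.18.2"):   # PIX vs. router as main-campus gateway
        print(gw, trace("10.19.5.5", gw))
```

Run stand-alone it shows the same destination reaching west campus only when the router is the gateway, which is the check to make on the main-campus hosts before touching access lists.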