Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Cisco PIX Routing issue

Posted on 2013-02-07
7
Medium Priority
?
431 Views
Last Modified: 2013-03-05
HI

I have a CISCO PIX as a Primary firewall with an address of 192.168.1.254 and second firewall (netscreen) is on the same subnet of 192.168.1.250 connected to router which is connected to another country via LEASE line - where the servers are residing, with the following address - 195.168.1.100.

I can ping the 195.168.1.100 address from CISCO PIX which has a routing command -

Route Inside 195.168.1.100 255.255.255.255 192.168.1.250

However I cannot ping the 195 address from the PCs (with the gateway of the primary PX 192.168.1.254) unless I add a persistent route to the firewall 250.

I have also added the following line in the access-list of the inside interface
access-list acl_in permit tcp any host 195.168.1.100 but still cannot ping.

The tracert to 195.168.1.100  gives astrix

Can anyone suggest why the PIX is not routing the pings from PCs?

Regards
0
Comment
Question by:yaminz66
7 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38864516
Well, the PIX is a firewall and not a router (but you know that of course :)
Is there any reason why you want the traffic to go via the PIX and not directly to the netscreen (by using a manually or DHCP added route)?

B.t.w. I added some topics to you query to draw some more attention.
0
 

Author Comment

by:yaminz66
ID: 38864580
HI

Well the PIX was doing that earlier with a another Netscreen Firewall and this is what the router command is supposed to do.

At the moment relying on adding persistent route to each PC is a bit risky as it can lose that information. Hence, if the PIX was also routing, it give good redundency.

Regards
0
 
LVL 17

Assisted Solution

by:Marius Gunnerud
Marius Gunnerud earned 2000 total points
ID: 38871221
Add the command same-security-traffic permit intra-interface on the PIX.
0
Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

 

Author Comment

by:yaminz66
ID: 38879656
Hi

Thanks for the response MAG03 -

I tried adding the command but failed. My CISCO does not accept it because it was introduced in CISCO IOS version 7.0, whereas I have 6.3.

So I am not sure what else I can do now.

regards
0
 

Author Comment

by:yaminz66
ID: 38879758
Hi

I had an idea. At the moment I am adding to the static routes to the local routing table, using the command -

router - p add destination .. gateway

The persistent route is kept on the machine's registry.  

Is there a way to add static routes to a host file? That would give me additional assurance in case the persistent routes in the registry got corrupted or deleted.

Regards
0
 
LVL 5

Expert Comment

by:Feroz Ahmed
ID: 38900796
Hi,

This is not related to PIX but is related to default gateway you are assigning you can assign default gateway on PC as 195.168.1.100 instead of 192.168.1.254 as the gateway assigned not gateway but firewall IP address.Once assign 195.168.1.100 as gateway to PC and check from your end and Tracert command should give you Exclamation Marks (!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!) instead of asterix (********) .Exclamation means successful configuration and Asterix means unsuccessful configuration .
0
 
LVL 17

Accepted Solution

by:
Marius Gunnerud earned 2000 total points
ID: 38902829
Options you have to get this working are, as you mentioned add a persistant route to all the hosts, upgrade to ASA 8.2 or higher, or replace the PIX with a router.
0

Featured Post

Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What You Need to Know when Searching for a Webhost Provider
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

782 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question