Solved

Cisco PIX Routing issue

Posted on 2013-02-07
7
425 Views
Last Modified: 2013-03-05
Hi

I have a Cisco PIX as the primary firewall with an address of 192.168.1.254, and a second firewall (NetScreen) on the same subnet at 192.168.1.250, connected to a router which is connected to another country via a leased line, where the servers reside, with the following address: 195.168.1.100.

I can ping the 195.168.1.100 address from the Cisco PIX, which has the routing command

Route Inside 195.168.1.100 255.255.255.255 192.168.1.250

However, I cannot ping the 195 address from the PCs (with the gateway of the primary PIX, 192.168.1.254) unless I add a persistent route to the firewall at .250.

I have also added the following line to the access-list on the inside interface:
access-list acl_in permit tcp any host 195.168.1.100
but I still cannot ping.

The tracert to 195.168.1.100 gives asterisks.

Can anyone suggest why the PIX is not routing the pings from PCs?

Regards
0
Comment
Question by:yaminz66
7 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38864516
Well, the PIX is a firewall and not a router (but you know that of course :)
Is there any reason why you want the traffic to go via the PIX and not directly to the NetScreen (by using a manually or DHCP-added route)?

BTW, I added some topics to your query to draw some more attention.
0
 

Author Comment

by:yaminz66
ID: 38864580
Hi

Well, the PIX was doing that earlier with another NetScreen firewall, and this is what the route command is supposed to do.

At the moment, relying on adding a persistent route to each PC is a bit risky, as it can lose that information. Hence, if the PIX were also routing, it would give good redundancy.

Regards
0
 
LVL 17

Assisted Solution

by:MAG03
MAG03 earned 500 total points
ID: 38871221
Add the command same-security-traffic permit intra-interface on the PIX.
0
 

Author Comment

by:yaminz66
ID: 38879656
Hi

Thanks for the response MAG03 -

I tried adding the command but it failed. My Cisco does not accept it because it was introduced in Cisco IOS version 7.0, whereas I have 6.3.

So I am not sure what else I can do now.

regards
0
 

Author Comment

by:yaminz66
ID: 38879758
Hi

I had an idea. At the moment I am adding the static routes to the local routing table, using the command

route -p add destination .. gateway

The persistent route is kept in the machine's registry.

Is there a way to add static routes to a hosts file? That would give me additional assurance in case the persistent routes in the registry got corrupted or deleted.

Regards
0
 
LVL 5

Expert Comment

by:Feroz Ahmed
ID: 38900796
Hi,

This is not related to the PIX but is related to the default gateway you are assigning. You can assign the default gateway on the PC as 195.168.1.100 instead of 192.168.1.254, as the address assigned is not a gateway but a firewall IP address. Once you assign 195.168.1.100 as the gateway on the PC, check from your end: the tracert command should give you exclamation marks (!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!) instead of asterisks (********). Exclamation marks mean a successful configuration and asterisks mean an unsuccessful configuration.
0
 
LVL 17

Accepted Solution

by:MAG03
MAG03 earned 500 total points
ID: 38902829
Options you have to get this working are: as you mentioned, add a persistent route to all the hosts; upgrade to ASA 8.2 or higher; or replace the PIX with a router.
0
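As an added illustration (not code from the thread, from Cisco, or from any of the posters), here is a small Python forwarding model of the topology in the question and of the options MAG03 lists. It takes the PIX inside address, the NetScreen address, the server address, the host route and the acl_in line from the question; the PC address 192.168.1.10 and the outside network 203.0.113.0/24 are assumptions. It models three rules: longest-prefix route lookup, the PIX behaviour of dropping transit traffic whose ingress and egress interface are the same unless "same-security-traffic permit intra-interface" is configured (a 7.0+ command), and the implicit deny at the end of an applied access-list, which goes a step beyond the thread by showing that a tcp-only ACL entry would not match an ICMP ping even on a platform that allows the hairpin.

```python
"""Constructed forwarding model of the thread's setup (not PIX software)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Addresses from the question; the PC and outside network are assumptions.
PIX_INSIDE = ip_address("192.168.1.254")
NETSCREEN = ip_address("192.168.1.250")
REMOTE_SERVER = ip_address("195.168.1.100")
PC_ADDRESS = ip_address("192.168.1.10")        # assumed PC address
OUTSIDE_NET = ip_network("203.0.113.0/24")     # assumed outside network


@dataclass
class Route:
    prefix: IPv4Network
    next_hop: Optional[IPv4Address]   # None = directly connected
    interface: str


@dataclass
class Pix:
    interfaces: dict                  # interface name -> connected network
    routes: list                      # Route entries
    acl_in: list                      # (protocol, destination) entries of acl_in
    intra_interface: bool = False     # same-security-traffic permit intra-interface (7.0+)

    def longest_match(self, dst):
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def ingress_interface(self, src):
        return next((n for n, net in self.interfaces.items() if src in net), None)

    def originate(self, dst):
        """Next hop for the PIX's own traffic (its own ping): there is no
        ingress interface, so the hairpin rule never applies."""
        route = self.longest_match(dst)
        return route.next_hop if route else None

    def forward(self, src, dst, proto):
        """Transit traffic from a host behind the PIX: returns (forwarded, reason)."""
        in_if = self.ingress_interface(src)
        route = self.longest_match(dst)
        if route is None:
            return False, "no route to destination"
        if route.interface == in_if and not self.intra_interface:
            return False, (f"ingress and egress are both '{in_if}': "
                           "intra-interface traffic is dropped")
        # An access-list applied to the interface ends with an implicit deny.
        if not any(p == proto and dst in net for p, net in self.acl_in):
            return False, f"acl_in has no '{proto}' entry for {dst}: implicit deny"
        return True, f"forwarded to {route.next_hop} via {route.interface}"


@dataclass
class WindowsHost:
    address: IPv4Address
    default_gateway: IPv4Address
    # host routes added with: route -p add <dst> mask 255.255.255.255 <gateway>
    persistent_routes: dict = field(default_factory=dict)

    def next_hop(self, dst):
        return self.persistent_routes.get(dst, self.default_gateway)


TCP_ONLY_ACL = [("tcp", ip_network("195.168.1.100/32"))]   # the line in the question
TCP_AND_ICMP_ACL = TCP_ONLY_ACL + [("icmp", ip_network("195.168.1.100/32"))]


def build_pix(intra_interface=False, acl_in=TCP_ONLY_ACL):
    return Pix(
        interfaces={"inside": ip_network("192.168.1.0/24"), "outside": OUTSIDE_NET},
        routes=[
            Route(ip_network("192.168.1.0/24"), None, "inside"),
            # route inside 195.168.1.100 255.255.255.255 192.168.1.250
            Route(ip_network("195.168.1.100/32"), NETSCREEN, "inside"),
            Route(ip_network("0.0.0.0/0"), ip_address("203.0.113.1"), "outside"),
        ],
        acl_in=acl_in,
        intra_interface=intra_interface,
    )


PC = WindowsHost(PC_ADDRESS, PIX_INSIDE)
PC_WITH_HOST_ROUTE = WindowsHost(PC_ADDRESS, PIX_INSIDE, {REMOTE_SERVER: NETSCREEN})


def ping_path(pc, pix, dst=REMOTE_SERVER, proto="icmp"):
    """Where does the PC's packet end up? Returns (reaches_netscreen, explanation)."""
    if pc.next_hop(dst) == NETSCREEN:
        return True, "PC sends directly to the NetScreen; the PIX never sees the packet"
    forwarded, why = pix.forward(pc.address, dst, proto)
    return forwarded, f"PC -> PIX: {why}"


if __name__ == "__main__":
    print("PIX's own ping goes to", build_pix().originate(REMOTE_SERVER))
    for label, pc, pix in [
        ("6.3, PC via PIX       ", PC, build_pix()),
        ("7.0+ intra-interface  ", PC, build_pix(intra_interface=True)),
        ("7.0+ plus icmp in ACL ", PC, build_pix(intra_interface=True, acl_in=TCP_AND_ICMP_ACL)),
        ("6.3, persistent route ", PC_WITH_HOST_ROUTE, build_pix()),
    ]:
        print(label, ping_path(pc, pix))
```

The model reproduces the thread: the PIX's own ping succeeds because it originates the packet, while the PC's packet enters and would leave the inside interface and is dropped, so the ACL line never gets a chance to matter on 6.3; the persistent host route on the PC avoids the PIX entirely. One caveat worth keeping in mind even on a platform that permits the hairpin: the server's replies come back through the NetScreen straight onto the LAN and never pass the PIX, so the firewall sees only one direction of each connection, which is why a router (MAG03's last option) is the cleaner design for this path.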
