Solved

Cisco PIX Routing issue

Posted on 2013-02-07
7
414 Views
Last Modified: 2013-03-05
HI

I have a CISCO PIX as a Primary firewall with an address of 192.168.1.254 and second firewall (netscreen) is on the same subnet of 192.168.1.250 connected to router which is connected to another country via LEASE line - where the servers are residing, with the following address - 195.168.1.100.

I can ping the 195.168.1.100 address from CISCO PIX which has a routing command -

Route Inside 195.168.1.100 255.255.255.255 192.168.1.250

However I cannot ping the 195 address from the PCs (with the gateway of the primary PX 192.168.1.254) unless I add a persistent route to the firewall 250.

I have also added the following line in the access-list of the inside interface
access-list acl_in permit tcp any host 195.168.1.100 but still cannot ping.

The tracert to 195.168.1.100  gives astrix

Can anyone suggest why the PIX is not routing the pings from PCs?

Regards
0
Comment
Question by:yaminz66
7 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38864516
Well, the PIX is a firewall and not a router (but you know that of course :)
Is there any reason why you want the traffic to go via the PIX and not directly to the netscreen (by using a manually or DHCP added route)?

B.t.w. I added some topics to you query to draw some more attention.
0
 

Author Comment

by:yaminz66
ID: 38864580
HI

Well the PIX was doing that earlier with a another Netscreen Firewall and this is what the router command is supposed to do.

At the moment relying on adding persistent route to each PC is a bit risky as it can lose that information. Hence, if the PIX was also routing, it give good redundency.

Regards
0
 
LVL 17

Assisted Solution

by:MAG03
MAG03 earned 500 total points
ID: 38871221
Add the command same-security-traffic permit intra-interface on the PIX.
0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 

Author Comment

by:yaminz66
ID: 38879656
Hi

Thanks for the response MAG03 -

I tried adding the command but failed. My CISCO does not accept it because it was introduced in CISCO IOS version 7.0, whereas I have 6.3.

So I am not sure what else I can do now.

regards
0
 

Author Comment

by:yaminz66
ID: 38879758
Hi

I had an idea. At the moment I am adding to the static routes to the local routing table, using the command -

router - p add destination .. gateway

The persistent route is kept on the machine's registry.  

Is there a way to add static routes to a host file? That would give me additional assurance in case the persistent routes in the registry got corrupted or deleted.

Regards
0
 
LVL 5

Expert Comment

by:Feroz Ahmed
ID: 38900796
Hi,

This is not related to PIX but is related to default gateway you are assigning you can assign default gateway on PC as 195.168.1.100 instead of 192.168.1.254 as the gateway assigned not gateway but firewall IP address.Once assign 195.168.1.100 as gateway to PC and check from your end and Tracert command should give you Exclamation Marks (!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!) instead of asterix (********) .Exclamation means successful configuration and Asterix means unsuccessful configuration .
0
 
LVL 17

Accepted Solution

by:
MAG03 earned 500 total points
ID: 38902829
Options you have to get this working are, as you mentioned add a persistant route to all the hosts, upgrade to ASA 8.2 or higher, or replace the PIX with a router.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

Most ColdFusion developers get confused between the CFSet, Duplicate, and Structcopy methods of copying a Structure, especially which one to use when. This Article will explain the differences in the approaches with examples; therefore, after readin…
Article by: kevp75
Hey folks, 'bout time for me to come around with a little tip. Thanks to IIS 7.5 Extensions and Microsoft (well... really Windows 8, and IIS 8 I guess...), we can now prime our Application Pools, when IIS starts. Now, though it would be nice t…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now