Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   Cisco (http://www.velocityreviews.com/forums/f27-cisco.html)
-   -   To reboot the PIX or not reboot - that is the question (http://www.velocityreviews.com/forums/t56690-to-reboot-the-pix-or-not-reboot-that-is-the-question.html)

Darren Green 03-14-2006 10:16 PM

To reboot the PIX or not reboot - that is the question
 
All,

I have a head scratcher, brief details and topology:


DMZ - 172.18.1.0
/
PIX 515 6.3(4) --outside X.X.X.X
/
inside
192.168.X.X + other networks

On the inside of the PIX I have various route statements to several
networks. One of these is 172.31.0.0/16.

I use my DMZ router 172.18.1.X to connect to a number of other routers
(via the outside interface of the PIX). These routers sit behind a
Concentrator and use Loopback addresses in range 172.31.233.0/24.

The traffic off the DMZ is no-nated.

My problem: I am simply getting no hits on either my no-nat list or the
accompanying access-list on the PIX.

e.g.

access-list nonat permit ip 172.18.1.0 255.255.255.0 172.31.233.0 255.255.255.0

access-list blah permit ip 172.18.1.0 255.255.255.0 172.31.233.0 255.255.255.0

There is a default route on the PIX pointing to the outside router.
Talking to my colleague, he seems to think the PIX will be forwarding my
172.31.233.0 traffic towards the 172.31.0.0/16 entry on the inside. I am
sure that the PIX wouldn't; either way, I cannot understand why I have
no hits in my no-nat etc.

The above access-list & nonat entries are just 'tagged on additions' to
the bottom of pre-configured working lists.

Anyone have any suggestions?

Regards

Darren
------




Walter Roberson 03-14-2006 10:59 PM

Re: To reboot the PIX or not reboot - that is the question
 
In article <dv7fbk$hp5$1@nwrdmz01.dmz.ncs.ea.ibs-infra.bt.com>,
Darren Green <darrenfgreen@XnospamXbtopenworld.com> wrote:
>PIX 515 6.3(4)


>I use my DMZ router 172.18.1.X to connect to a number of other routers
>(via the outside interface of the PIX). These routers sit behind a
>Concentrator and use Loopback addresses in range 172.31.233.0/24.


>There is a default route on the PIX pointing to the outside router.
>Talking to my colleague he seems to think the PIX will be forwarding my
>172.31.233.0 traffic towards the 172.31.0.0/16 entry on the inside. I am
>sure that the PIX wouldn't,


He is correct.

>either way, I cannot understand why I have
>not hits in my no-nat etc.


Traffic from the inside to 172.31.233/24 is going to hit the inside
interface; the PIX would see that the route is through the inside
interface, and would promptly drop the packet -before- looking at
any access lists.

You can create a route for 172.31.233/24 specifically, while still
keeping your 172.31/16 route. The PIX uses "best match" routing,
so traffic to 172.31.233/24 would match the specific route
and traffic to any other 172.31/16 would use the 172.31/16
route (or get dropped, if the route would have it go back out the
same interface it came in.)
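The route-lookup behaviour described in the reply above, as an added illustration that is not part of the original thread: the PIX picks the longest-prefix (best) match, so a bare 172.31.0.0/16 entry pointing at the inside sends 172.31.233.x that way, and a more specific 172.31.233.0/24 route pointing outside wins once it is added. The route table, the interface names and the sample destination addresses below are constructed for the example (the thread masks its real addresses with X); the "route before ACL" ordering and the same-interface drop are modelled as the reply states them, not taken from PIX code.

```python
import ipaddress

# Constructed route table modelling the PIX in the thread: (prefix, egress interface).
ROUTES_BEFORE = [
    ("0.0.0.0/0", "outside"),        # default route to the outside router
    ("172.31.0.0/16", "inside"),     # summary route for networks behind the inside
]

# The same table with the specific /24 the reply suggests adding (constructed).
ROUTES_AFTER = ROUTES_BEFORE + [
    ("172.31.233.0/24", "outside"),  # remote routers' loopbacks, reached via the outside
]


def lookup(routes, dst):
    """Return (prefix, interface) of the longest-prefix match for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        # Keep the candidate with the longest mask; ties are not possible in a
        # sane table, so the first longest match wins.
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return None if best is None else (str(best[0]), best[1])


def forward(routes, ingress, dst):
    """Model the decision order the reply describes: routing first, ACLs after.

    Returns a short verdict string so the effect of a route change is visible.
    """
    match = lookup(routes, dst)
    if match is None:
        return "drop: no route"
    prefix, egress = match
    if egress == ingress:
        # The reply's point: a route back out the arrival interface is dropped
        # before any nonat or access-list is consulted, hence zero hit counts.
        return f"drop: route {prefix} points back out {ingress}, ACLs never consulted"
    return f"forward via {egress} (route {prefix}), then evaluate nonat/ACL"


if __name__ == "__main__":
    for table_name, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        for ingress in ("inside", "dmz"):
            print(table_name, ingress, "->", forward(table, ingress, "172.31.233.5"))
    print("after dmz -> 172.31.10.5:", forward(ROUTES_AFTER, "dmz", "172.31.10.5"))
```

Running it shows the two states side by side: with only the /16, a packet for 172.31.233.5 is steered toward the inside whichever interface it arrived on (and dropped outright when it arrived on the inside), so the DMZ-to-outside nonat and access-list entries are never evaluated; with the /24 in place the same packet resolves to the outside, while 172.31.10.5 still follows the /16.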

