Velocity Reviews - Computer Hardware Reviews

PIX506 and second internal network

 
 
Agile.Aspect@gmail.com
06-21-2007
Hi - we'd like to add an internal subnet to our existing LAN using
a dumb home router.

And I'm new to the PIX506.

The default route for the LAN is the PIX506 (192.x.1.1.)

In short, I'd like to change this

Internet --- Cisco1721 ==== PIX506 ---- LAN (192.168.1.0/24)

to this

Internet --- Cisco1721 ==== PIX506 ---- LAN -- dumb router
                                                    |
                                                    |
                                             (192.168.2.0/24)

I was able to add a route with the route command

route inside 192.168.2.0 255.255.255.0 192.168.1.254 2

I can

(1) ping the PIX506 firewall from a machine on the new subnet (192.168.2.10)
(2) ping the dumb router from the PIX506
(3) ping a host on the new subnet (192.168.2.10) from the PIX506

but I can't ping any other host on the 192.168.1.x subnet from the
192.168.2.x subnet (nor can I ping a host on the 192.168.2.x subnet from
the 192.168.1.x subnet other than from the PIX506.)

When I try to ping a host on the 192.168.1.x subnet from the 192.168.2.x
subnet, the PIX506 logs the following error message

Jun 21 12:52:55 firewall Jun 21 2007 13:09:31: %PIX-3-106011: Deny inbound (No xlate) icmp src inside:192.168.1.101 dst inside:192.168.2.10 (type 0, code 0)

The OS version on the PIX506 is 6.3(3).

And needless to say, routing isn't working correctly.

-- Ken
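
The log line above is the diagnostic for the whole thread. ICMP type 0 is an echo reply, so what the PIX dropped is 192.168.1.101's answer, which that host sent to its default gateway (the PIX) because it has no route for 192.168.2.0/24; the PIX would have to forward it back out the same inside interface, and 6.3 refuses with "No xlate". As an added example, not part of Ken's post, here is a small Python parser for %PIX-3-106011 lines that pulls out the source and destination interfaces and separates same-interface denies (hairpin attempts, the symptom in this thread) from ordinary no-translation drops. Only the first sample line is from the post; the others are constructed in the same format to exercise the classifier.

```python
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed sample syslog. The first line is the one quoted in the post; the
# remaining lines are made up in the same format so the classifier has both
# hairpin and non-hairpin cases, plus one unrelated message to skip.
SAMPLE_LOG = """\
Jun 21 12:52:55 firewall Jun 21 2007 13:09:31: %PIX-3-106011: Deny inbound (No xlate) icmp src inside:192.168.1.101 dst inside:192.168.2.10 (type 0, code 0)
Jun 21 12:52:56 firewall Jun 21 2007 13:09:32: %PIX-3-106011: Deny inbound (No xlate) icmp src inside:192.168.1.101 dst inside:192.168.2.10 (type 0, code 0)
Jun 21 12:53:01 firewall Jun 21 2007 13:09:37: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:203.0.113.7/4021 dst inside:192.168.1.50/445
Jun 21 12:53:02 firewall Jun 21 2007 13:09:38: %PIX-3-106011: Deny inbound (No xlate) tcp src inside:192.168.1.20/3389 dst inside:192.168.2.10/1040
Jun 21 12:53:03 firewall Jun 21 2007 13:09:39: %PIX-6-302013: Built outbound TCP connection 1234 for outside:198.51.100.9/80 (198.51.100.9/80) to inside:192.168.1.20/1041 (192.0.2.1/1041)
"""

# %PIX-3-106011 body: "<proto> src <if>:<ip>[/<port>] dst <if>:<ip>[/<port>]"
# followed, for ICMP, by "(type N, code N)".
LINE_RE = re.compile(
    r"%PIX-3-106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
    r"(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))?"
)

FlowKey = Tuple[str, str, str, str]  # (interface, src_ip, dst_ip, proto)


def parse_106011(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a 106011 line, or None for any other message."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


def is_hairpin(event: Dict[str, str]) -> bool:
    """True when the packet would have to leave on the interface it arrived on.
    PIX 6.x never forwards such traffic, so these denies are a routing problem
    (hosts sending inter-subnet traffic to the PIX), not a policy decision."""
    return event["src_if"] == event["dst_if"]


def summarize(log: str) -> Dict[str, object]:
    """Count hairpin vs. ordinary no-xlate denies and tally hairpin flows, so an
    operator can see which hosts still route via the PIX instead of directly."""
    counts: Counter = Counter()
    hairpin_flows: Counter = Counter()
    for line in log.splitlines():
        ev = parse_106011(line)
        if ev is None:
            continue  # not a 106011 message
        kind = "hairpin" if is_hairpin(ev) else "no-xlate"
        counts[kind] += 1
        if kind == "hairpin":
            key: FlowKey = (ev["src_if"], ev["src_ip"], ev["dst_ip"], ev["proto"])
            hairpin_flows[key] += 1
    return {"counts": dict(counts), "hairpin_flows": dict(hairpin_flows)}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("denies by kind:", result["counts"])
    for (iface, src, dst, proto), n in result["hairpin_flows"].items():
        print(f"hairpin on {iface}: {src} -> {dst} ({proto}) x{n}")
```

Feed it a syslog export from the PIX; any hairpin flow whose source is a 192.168.1.x host is a client that still needs a route for the new subnet, which is what the replies below are about.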

 
Chris
06-21-2007
On Thu, 21 Jun 2007 20:26:50 -0000, (E-Mail Removed) wrote:

> Hi - we'd like to add an internal subnet to our exiting LAN using
> a dump home router.

> I was able to add a route with the route command
>
> route inside 192.168.2.0 255.255.255.0 192.168.1.254 2

> but I can't ping any other host on the 192.168.1.x subnet from the
> 192.168.2.x subnet


You can't do this with a pix. The pix isn't a router so you can't route
traffic from one network on the lan interface and have the pix route that
traffic back out the same lan interface to another router, i.e. router on a
stick.

In this situation the best thing would be to install a persistent route on
the clients to route to the second network via the router and not use the
pix as a gateway.

Chris.
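
Chris's suggestion in working form, added here and not part of his reply: a small Python helper that, given the LAN, the new subnet and the dumb router's LAN-side address, checks that the next hop is actually on-link and that the subnets do not overlap before emitting the per-client persistent route (Windows `route -p add`), the Linux equivalent, and the PIX route it still needs for its own traffic. The 192.168.1.254 next hop and the subnets follow the thread; the output commands are standard OS and PIX 6.3 syntax, but the helper itself is an illustration and assumes the clients are plain Windows or Linux hosts.

```python
import ipaddress
from typing import Dict, List


def plan_routes(lan: str, new_subnet: str, next_hop: str) -> Dict[str, List[str]]:
    """Build the static routes that let two subnets reach each other without
    asking the PIX to forward between them on one interface.

    lan        - the existing LAN the PIX inside interface sits on (192.168.1.0/24)
    new_subnet - the subnet behind the second router (192.168.2.0/24)
    next_hop   - the second router's LAN-side address (assumed 192.168.1.254)
    """
    lan_net = ipaddress.ip_network(lan, strict=True)
    new_net = ipaddress.ip_network(new_subnet, strict=True)
    hop = ipaddress.ip_address(next_hop)

    # A host route only helps if the next hop is directly reachable (on-link).
    # A hop outside the LAN would itself be reached via the default gateway,
    # which puts the PIX back in the forwarding path and recreates the drop.
    if hop not in lan_net:
        raise ValueError(f"next hop {hop} is not on {lan_net}")
    if hop in (lan_net.network_address, lan_net.broadcast_address):
        raise ValueError(f"next hop {hop} is the network or broadcast address")
    # Overlapping prefixes make longest-prefix matching on every client pick a
    # different winner depending on mask, silently black-holing part of the LAN.
    if lan_net.overlaps(new_net):
        raise ValueError(f"{new_net} overlaps {lan_net}")

    return {
        # Windows: -p stores the route in the registry so it survives a reboot.
        "windows_clients": [
            f"route -p add {new_net.network_address} mask {new_net.netmask} {hop}"
        ],
        # Linux: 'ip route add' is not persistent on its own; it has to go into
        # the distribution's network configuration to survive a reboot.
        "linux_clients": [f"ip route add {new_net.with_prefixlen} via {hop}"],
        # The PIX keeps its route for traffic it originates itself and for
        # replies coming back from the outside to the new subnet.
        "pix": [f"route inside {new_net.network_address} {new_net.netmask} {hop} 1"],
    }


if __name__ == "__main__":
    for target, lines in plan_routes("192.168.1.0/24", "192.168.2.0/24", "192.168.1.254").items():
        print(f"{target}:")
        for cmd in lines:
            print(f"  {cmd}")
```

Hosts on the new subnet need nothing extra: their default gateway is the dumb router, which is directly attached to the LAN. The real limitation of this approach is a security one: traffic between the two subnets never passes through the PIX, so nothing filters it.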
 
dman1973
06-22-2007
On Jun 21, 5:59 pm, Chris <(E-Mail Removed)> wrote:
> On Thu, 21 Jun 2007 20:26:50 -0000, (E-Mail Removed) wrote:
> You can't do this with a pix. The pix isn't a router so you can't route
> traffic from one network on the lan interface and have the pix route that
> traffic back out the same lan interface to another router, ie. route on a
> stick.


Maybe I don't understand your topology. You can probably get away
with static routes on your 2nd router and everywhere else. Also, the
higher end PIXs can run OSPF and RIP, but that's probably not
advisable. Again, I'm not sure if I understand your topology
correctly, and I don't know how many interfaces are on your PIX 506.

-Dan
http://ccie-lounge.blogspot.com

 
Walter Roberson
06-22-2007
In article <(E-Mail Removed)>, (E-Mail Removed) <(E-Mail Removed)> wrote:
>Hi - we'd like to add an internal subnet to our exiting LAN using
>a dump home router.


>The OS version on the PIX506 is 6.3(3).


Upgrade to PIX 6.3(4) or later (which you should do for security
reasons anyhow -- the upgrade is free to registered owners).
6.3(4) gives you two VLANs on the 506/506E.
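
The VLAN route Walter points at is the only one of the three answers that keeps the PIX in the path between the two subnets, so inter-subnet traffic is subject to an access list instead of bypassing the firewall. The fragment below is an added sketch, not from the thread, of what that looks like on PIX 6.3(4). Everything in it is an assumption: the dumb router is replaced by a VLAN-capable switch trunking 802.1Q to ethernet1, VLAN 10 is the existing LAN (native on ethernet1), VLAN 20 is the new subnet, the interface name inside2 and the security levels are made up, and an existing `global (outside) 1` pool is assumed for Internet access. Check every line against the 6.3 configuration guide for your release before using it.

```text
! Added illustration, not configuration from the thread. Assumed: PIX 6.3(4)
! on a 506E, ethernet1 trunked to a VLAN-capable switch, VLAN 10 = existing
! LAN (native), VLAN 20 = new subnet, existing "global (outside) 1".
interface ethernet1 vlan10 physical
interface ethernet1 vlan20 logical
nameif ethernet1 inside security100
nameif vlan20 inside2 security90
ip address inside 192.168.1.1 255.255.255.0
ip address inside2 192.168.2.1 255.255.255.0
! 6.3 has no same-security-traffic command (that arrived in 7.0), so the two
! interfaces get different levels and cross-interface flows need an xlate.
! Identity static: inside hosts are reachable from inside2 untranslated.
static (inside,inside2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
! New subnet reaches the Internet through the existing PAT pool.
nat (inside2) 1 192.168.2.0 255.255.255.0
! inside2 is lower security, so what it may start towards the LAN is an
! explicit, minimal list; inside -> inside2 is allowed by level and the
! replies come back through stateful inspection.
access-list inside2_in permit icmp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside2_in deny ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside2_in permit ip 192.168.2.0 255.255.255.0 any
access-group inside2_in in interface inside2
```

With this shape the route command from the original post goes away: both subnets are directly connected to the PIX, the clients keep their single default gateway, and the ACL on inside2 is where the inter-subnet policy lives.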
 