PIX firewall (501 and 506) outside subnet not available to inside hosts

Discussion in 'Cisco' started by texastoast@gmail.com, Mar 6, 2006.

  1. Guest

    I have a couple of client networks set up on our internet connection.
    They are behind PIX firewalls (both ver 6.x). One is a 501 and the
    other is a 506. Both firewalls are configured basically the same, and
    both exhibit the following problem.

    The firewalls are configured for interface PAT. There is a server on
    each network that needs to be publicly accessible. So there is a
    "static" entry for the server.

    The problem: Neither server is able to connect to any host on the same
    subnet as the outside interface of the PIX, and no host on that network
    can connect through the firewall to the server. I need to be able to
    get to hosts on that outside network from the servers inside the
    firewall, as that is where their outgoing mail server, their DNS
    server, and other services are located. Any inside client that gets
    the interface PAT address can contact these hosts without fail, it is
    only the server that uses a different address than the outside
    interface that can't connect to those hosts.

    Here is what I hope is a legible diagram, indicating what hosts can be
    accessed from the server behind the firewall. The diagram is followed
    by the relevant lines from one of the configs.


    SERVER_Private (192.168.5.10 mapped to XX.XXX.118.114)
    |
    |
    PIX 501 (outside int: XX.XXX.118.153 via DHCP)
    |
    |_________ Client_Server (XX.XXX.118.6)
    |
    |
    GATEWAY ROUTER (inside: XX.XXX.118.1)

    So SERVER_Private can ping the inside interface of the PIX 501, and can
    telnet to the OUTSIDE interface of the GATEWAY ROUTER. SERVER_Private
    can NOT ping or telnet to Client_Server OR the inside interface of
    GATEWAY ROUTER. Client_Server cannot contact SERVER_Private even
    though all IP traffic has been allowed via access-list.

    Config lines:
    ip address outside dhcp
    ip address inside 192.168.5.1 255.255.255.0
    access-list 101 permit ip host XX.XXX.118.6 host XX.XXX.118.114
    access-group 101 in interface outside
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) XX.XXX.118.114 192.168.5.10 netmask 255.255.255.255 0 0
    route outside 0.0.0.0 0.0.0.0 10.1.1.1 1

    I'm sure I'm missing something very basic, but please help me if you
    can.

    Thanks

    -Dan Horne
     
    , Mar 6, 2006
    #1
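The post's symptom hinges on two PIX 6.x rules: a static entry takes precedence over the dynamic nat/global pool, so the server presents its mapped address rather than the interface PAT address, and an access-group applied inbound on the outside interface is evaluated against that mapped address. The following script is an added example (not code from the post or from Cisco) that parses config lines in the same shape as the ones above and resolves, for a given flow, which translation applies and whether the outside access-group admits it. The addresses are constructed documentation-range values standing in for the masked XX.XXX.118.x ones; the script models only translation and ACL evaluation, not ARP or routing on the outside segment, so it does not explain the failure itself.

```python
"""Resolve PIX 6.x-style translation and outside access-group decisions.

Added example; the config below is constructed to mirror the post's lines,
with 203.0.113.0/24 standing in for the masked XX.XXX.118.0/24 subnet.
"""
import ipaddress

PIX_CONFIG = """
ip address inside 192.168.5.1 255.255.255.0
access-list 101 permit ip host 203.0.113.6 host 203.0.113.114
access-group 101 in interface outside
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 203.0.113.114 192.168.5.10 netmask 255.255.255.255 0 0
"""

# Address the outside interface obtained via DHCP (constructed value).
OUTSIDE_IF_ADDR = "203.0.113.153"


def _addr_spec(tokens, i):
    """Consume one ACL address spec ('host A', 'any' or 'NET MASK')."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect the access-list, access-group, nat, global and static lines."""
    cfg = {"acl": {}, "group": {}, "nat": [], "global": {}, "static": []}
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":        # access-list ID permit|deny ip SRC DST
            src, i = _addr_spec(t, 4)
            dst, _ = _addr_spec(t, i)
            cfg["acl"].setdefault(t[1], []).append((t[2], src, dst))
        elif t[0] == "access-group":     # access-group ID in interface NAME
            cfg["group"][t[4]] = t[1]
        elif t[0] == "nat":              # nat (inside) ID NET MASK ...
            cfg["nat"].append((t[2], ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)))
        elif t[0] == "global":           # global (outside) ID interface
            cfg["global"][t[2]] = t[3]
        elif t[0] == "static":           # static (inside,outside) MAPPED REAL netmask MASK ...
            mask = t[5] if len(t) > 5 and t[4] == "netmask" else "255.255.255.255"
            real_net = ipaddress.ip_network(f"{t[3]}/{mask}", strict=False)
            cfg["static"].append((real_net, ipaddress.ip_address(t[2])))
    return cfg


def outbound_translation(cfg, real_ip, outside_if=OUTSIDE_IF_ADDR):
    """Source address an inside host presents on the outside.

    Static translations are consulted before the dynamic nat/global pool,
    which is why the server in the post leaves with its static address while
    every other inside host leaves with the interface PAT address.
    """
    real = ipaddress.ip_address(real_ip)
    for real_net, mapped_base in cfg["static"]:
        if real in real_net:
            mapped = mapped_base + (int(real) - int(real_net.network_address))
            return ("static", str(mapped))
    for nat_id, net in cfg["nat"]:
        if real in net and cfg["global"].get(nat_id) == "interface":
            return ("pat", outside_if)
    return (None, None)


def inbound_to_mapped(cfg, src_ip, dst_mapped):
    """Can an outside host reach the inside host behind dst_mapped?

    The outside access-group is matched against the mapped address (PIX 6.x
    semantics), then a static must exist to untranslate it; an interface PAT
    address has no inbound mapping, so unsolicited traffic to it is dropped.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_mapped)
    acl_id = cfg["group"].get("outside")
    permitted = False                      # implicit deny at the end of the list
    for action, s_net, d_net in cfg["acl"].get(acl_id, []):
        if src in s_net and dst in d_net:
            permitted = action == "permit"
            break
    if not permitted:
        return ("denied by access-group", None)
    for real_net, mapped_base in cfg["static"]:
        offset = int(dst) - int(mapped_base)
        if 0 <= offset < real_net.num_addresses:
            return ("permitted", str(real_net.network_address + offset))
    return ("no static translation", None)


if __name__ == "__main__":
    cfg = parse_config(PIX_CONFIG)
    print("server outbound  :", outbound_translation(cfg, "192.168.5.10"))
    print("client outbound  :", outbound_translation(cfg, "192.168.5.20"))
    print("client_srv -> srv:", inbound_to_mapped(cfg, "203.0.113.6", "203.0.113.114"))
    print("other -> srv     :", inbound_to_mapped(cfg, "203.0.113.7", "203.0.113.114"))
```

Running it shows the split the post describes: 192.168.5.10 is translated by the static entry, any other inside host by interface PAT, and only the one permitted outside host can be untranslated to the server. Because the script stops at the translation and ACL layers, a flow it reports as permitted can still fail on the wire for reasons outside this model, such as how the outside segment resolves the mapped address.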