PIX506 and second internal network

Discussion in 'Cisco' started by Agile.Aspect@gmail.com, Jun 21, 2007.

  1. Guest

    Hi - we'd like to add an internal subnet to our existing LAN using
    a dumb home router.

    And I'm new to the PIX506.

    The default route for the LAN is the PIX506 (192.x.1.1.)

    In short, I'd like to change this

    Internet --- Cisco1721 ==== PIX506 ---- LAN (192.168.1.0/24)

    to this

    Internet --- Cisco1721 ==== PIX506 ---- LAN -- dumb router
                                                        |
                                                        |
                                                 (192.168.2.0/24)

    I was able to add a route with the route command

    route inside 192.168.2.0 255.255.255.0 192.168.1.254 2

    I can

    (1) ping the PIX506 firewall from a machine on the new subnet
    (192.168.2.10)
    (2) ping the dumb router from the PIX506
    (3) ping a host on the new subnet (192.168.2.10) from the PIX506

    but I can't ping any other host on the 192.168.1.x subnet from the
    192.168.2.x subnet
    (nor can I ping a host on the 192.168.2.x subnet from 192.168.1.x
    subnet other than
    from the PIX506.)

    When I try to ping a host on the 192.168.1.x subnet from the
    192.168.2.x subnet, the
    PIX506 logs the following error message

    Jun 21 12:52:55 firewall Jun 21 2007 13:09:31: %PIX-3-106011:
    Deny inbound (No xlate) icmp src inside:192.168.1.101 dst
    inside:192.168.2.10 (type 0, code 0)

    The OS version on the PIX506 is 6.3(3).

    And needless to say, routing isn't working correctly.

    -- Ken
     
    , Jun 21, 2007
    #1
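The 106011 entry Ken quotes is the useful diagnostic here: both the src and dst interface are "inside", so the PIX was being asked to send the packet back out the interface it came in on. The following is an added example, not code from the thread, that parses such lines and flags the same-interface denies; the regex group names are this example's own, and the second sample line is constructed for contrast.

```python
import re
from typing import Optional

# Pattern for the %PIX-3-106011 "Deny inbound (No xlate)" message as it appears
# in Ken's syslog excerpt. Group names are this example's own choice, not PIX
# documentation field names. Ports (tcp/udp) and the icmp type/code are optional.
DENY_106011 = re.compile(
    r"%PIX-3-106011:\s*Deny inbound \(No xlate\)\s+(?P<proto>\w+)\s+"
    r"src\s+(?P<src_if>[\w-]+):(?P<src_ip>\d+\.\d+\.\d+\.\d+)(?:/(?P<src_port>\d+))?\s+"
    r"dst\s+(?P<dst_if>[\w-]+):(?P<dst_ip>\d+\.\d+\.\d+\.\d+)(?:/(?P<dst_port>\d+))?"
    r"(?:\s+\(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))?"
)


def parse_106011(line: str) -> Optional[dict]:
    """Return the message fields plus a 'hairpin' flag, or None for other lines."""
    m = DENY_106011.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    # src and dst on the same interface means the PIX was asked to forward the
    # packet back out the interface it arrived on. A 6.3 PIX has no xlate for
    # such traffic and drops it; that is exactly the entry Ken quotes.
    fields["hairpin"] = fields["src_if"] == fields["dst_if"]
    return fields


def hairpin_denies(log_text: str) -> list:
    """(src_ip, dst_ip) pairs from 106011 denies where both sides sit on one interface."""
    out = []
    for line in log_text.splitlines():
        rec = parse_106011(line)
        if rec and rec["hairpin"]:
            out.append((rec["src_ip"], rec["dst_ip"]))
    return out


# Constructed sample: the line from the thread plus an ordinary outside->inside
# deny made up for contrast (203.0.113.7 is a documentation address).
SAMPLE_LOG = """\
Jun 21 12:52:55 firewall Jun 21 2007 13:09:31: %PIX-3-106011: Deny inbound (No xlate) icmp src inside:192.168.1.101 dst inside:192.168.2.10 (type 0, code 0)
Jun 21 12:53:10 firewall Jun 21 2007 13:09:46: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:203.0.113.7/4242 dst inside:192.168.1.20/445
"""

if __name__ == "__main__":
    for hit in hairpin_denies(SAMPLE_LOG):
        print("same-interface deny:", hit)
```

Run over a real syslog feed, only the same-interface hits point at the route-on-a-stick problem; ordinary outside-to-inside denies are the firewall doing its job.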

  2. Chris Guest

    On Thu, 21 Jun 2007 20:26:50 -0000, wrote:

    You can't do this with a pix. The pix isn't a router so you can't route
    traffic from one network on the lan interface and have the pix route that
    traffic back out the same lan interface to another router, i.e. route on a
    stick.

    In this situation the best thing would be to install a persistent route on
    the clients to route to the second network via the router and not use the
    pix as a gateway.

    Chris.
     
    Chris, Jun 21, 2007
    #2
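To see why Chris's suggestion works, here is an added illustration (not code from the thread): a longest-prefix-match simulation of a LAN client's routing table using Ken's addresses (PIX inside at 192.168.1.1, dumb router at 192.168.1.254). The client table itself is hypothetical; with only a default route, every packet for 192.168.2.0/24 goes to the PIX, which is the hairpin the 106011 log entry shows being denied.

```python
import ipaddress

# Addresses from the thread: the PIX is the LAN default gateway, the dumb
# router's LAN-side address is the next hop Ken used in his PIX route command.
PIX_INSIDE = ipaddress.ip_address("192.168.1.1")
DUMB_ROUTER = ipaddress.ip_address("192.168.1.254")


def next_hop(table, dst):
    """Longest-prefix match over (network, gateway) pairs; gateway None means on-link."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def client_table(with_persistent_route: bool):
    """Hypothetical routing table of a host on 192.168.1.0/24."""
    table = [
        (ipaddress.ip_network("192.168.1.0/24"), None),   # directly connected
        (ipaddress.ip_network("0.0.0.0/0"), PIX_INSIDE),   # default via the PIX
    ]
    if with_persistent_route:
        # What Chris recommends installing on each client, e.g.
        #   Windows: route -p add 192.168.2.0 mask 255.255.255.0 192.168.1.254
        #   Linux:   ip route add 192.168.2.0/24 via 192.168.1.254
        table.append((ipaddress.ip_network("192.168.2.0/24"), DUMB_ROUTER))
    return table


def would_hairpin(with_persistent_route: bool, dst="192.168.2.10") -> bool:
    """True when the client hands the packet to the PIX, which would then have to
    send it back out 'inside', the case a 6.3 PIX denies with 106011."""
    return next_hop(client_table(with_persistent_route), dst) == PIX_INSIDE


if __name__ == "__main__":
    for flag in (False, True):
        print("persistent route:", flag, "-> via",
              next_hop(client_table(flag), "192.168.2.10"), "hairpin:", would_hairpin(flag))
```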

  3. dman1973 Guest

    On Jun 21, 5:59 pm, Chris <> wrote:
    > You can't do this with a pix. The pix isn't a router so you can't route
    > traffic from one network on the lan interface and have the pix route that
    > traffic back out the same lan interface to another router, ie. route on a
    > stick.
    >
    > In this situation the best thing would be to install a persistent route on
    > the clients to route to the second network via the router and not use the
    > pix as a gateway.
    >
    > Chris.


    Maybe I don't understand your topology. You can probably get away
    with static routes on your 2nd router and everywhere else. Also, the
    higher end PIXs can run OSPF and RIP, but that's probably not
    advisable. Again, I'm not sure if I understand your topology
    correctly, and I don't know how many interfaces are on your PIX 506.

    -Dan
    http://ccie-lounge.blogspot.com
     
    dman1973, Jun 22, 2007
    #3
  4. In article <>,
    <> wrote:
    >Hi - we'd like to add an internal subnet to our existing LAN using
    >a dumb home router.

    >The OS version on the PIX506 is 6.3(3).

    Upgrade to PIX 6.3(4) or later (which you should do for security
    reasons anyhow -- the upgrade is free to registered owners).
    6.3(4) gives you two VLANs on the 506/506E.
     
    Walter Roberson, Jun 22, 2007
    #4