Pix 505 filtering issue

Discussion in 'Cisco' started by Tim Wies, Jul 16, 2003.

  1. Tim Wies

    Tim Wies Guest

    Should the router be filtering or applying rules on the internal interface
    if the requested data is on an internal server?

    i.e. I think the router is filtering on my internal P.SQL server from
    internal workstation.

    The workstations all use DHCP with one subnet (192.168.0.x) and a gateway
    set to the router.

    Should this be happening, and if so, why... If not, how do I keep the
    router from filtering all this internal traffic that is not bound for the
    external interface?

    Thanks,
    Tim
     
    Tim Wies, Jul 16, 2003
    #1

  2. :Should the router be filtering or applying rules on the internal interface
    :if the requested data is on on internal server?

    Your question confuses me. Your subject mentions PIX, but your body
    talks in terms of "router", not "firewall". To compound the matter,
    the "PIX 505" you mention in your subject does not exist: the 500
    series has only the 501, 506, 506E, 510, 515, 515E, 520, 525, and 535.
     
    Walter Roberson, Jul 16, 2003
    #2

  3. |In article <[email protected]>,
    |:Should the router be filtering or applying rules on the internal interface
    |:if the requested data is on on internal server?

    |Your question confuses me. Your subject mentions PIX, but your body
    |talks in terms of "router", not "firewall".

    If I go through your question again and mentally substitute
    "firewall" every place you wrote "router", then I think I may know
    the problem.

    If I understand correctly, you have some systems inside your PIX firewall,
    and those systems are set to have the PIX as their gateway. You
    also, I gather, have a server on a different subnet that is also
    inside your PIX. The symptom you are seeing is that traffic between
    the systems and the server on the other internal subnet is not flowing
    the way you expect?

    If this is an accurate description of the problem, then the source
    of the difficulty is that the PIX will NEVER send packets back out
    the same [logical] interface that it received the packets on. You
    cannot use the PIX as a router to route packets from the PCs to
    the inside interface of the PIX back to the inside and then to the
    server on the other subnet.

    If, though, the server is on the -same- subnet as the PCs, then the
    PCs are going to be sending the data directly to the server, and
    the PIX would not be involved at all: the PCs are only going to
    try to use the PIX as a routing gateway when they are trying to
    communicate with a different subnet. So if the internal devices are
    all on the same subnet, then you have some other problem not related
    to the PIX.
     
    Walter Roberson, Jul 17, 2003
    #3
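The two forwarding rules in Walter's reply, modelled as an added Python example (this is not code from the thread or from Cisco): a workstation only hands a packet to its gateway when the destination is off its own subnet, so same-subnet traffic never reaches the PIX; and when the PIX does receive a packet, it will not send it back out the interface it arrived on. The topology is constructed: the 192.168.0.0/24 workstation subnet from the question on the inside interface, a hypothetical second internal subnet 192.168.1.0/24 behind a router on the inside segment, and RFC 5737 documentation addresses standing in for the outside.

```python
import ipaddress

# Constructed topology (not from the thread): a PIX with two interfaces.
# 192.168.0.0/24 is the workstation subnet from the question; the outside
# prefix is RFC 5737 documentation space used as a placeholder.
INTERFACES = {
    "inside": ipaddress.ip_network("192.168.0.0/24"),
    "outside": ipaddress.ip_network("203.0.113.0/29"),
}

# Constructed static routes: a second internal subnet reachable through a
# router sitting on the inside segment, plus a default route out.
STATIC_ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "inside"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]


def host_next_hop(src_ip, prefix_len, dst_ip):
    """What the workstation itself does: deliver directly (ARP for the
    destination) when it is on the local subnet, otherwise hand the packet
    to the default gateway."""
    local_net = ipaddress.ip_interface(f"{src_ip}/{prefix_len}").network
    return "direct" if ipaddress.ip_address(dst_ip) in local_net else "gateway"


def interface_for(ip):
    """Name of the interface whose connected subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in INTERFACES.items():
        if addr in net:
            return name
    return None


def egress_interface(dst_ip):
    """Longest-prefix match across connected subnets and static routes."""
    addr = ipaddress.ip_address(dst_ip)
    candidates = [(net, name) for name, net in INTERFACES.items()] + STATIC_ROUTES
    matches = [(net.prefixlen, name) for net, name in candidates if addr in net]
    return max(matches)[1] if matches else None


def firewall_verdict(src_ip, dst_ip):
    """The rule from the reply: the PIX will not send a packet back out the
    interface it arrived on, so an inside -> inside path is dropped."""
    ingress = interface_for(src_ip)
    egress = egress_interface(dst_ip)
    if ingress is None or egress is None:
        return "dropped: no route"
    if ingress == egress:
        return f"dropped: would hairpin on {ingress}"
    return f"forwarded: {ingress} -> {egress}"


def trace(src_ip, prefix_len, dst_ip):
    """End-to-end view of one flow: does the firewall even see the packet,
    and if so, what does it do with it?"""
    if host_next_hop(src_ip, prefix_len, dst_ip) == "direct":
        return "direct: firewall never sees this packet"
    return firewall_verdict(src_ip, dst_ip)


if __name__ == "__main__":
    # Same subnet, other internal subnet, and an external destination.
    for dst in ("192.168.0.50", "192.168.1.50", "198.51.100.7"):
        print(dst, "->", trace("192.168.0.10", 24, dst))
```

The first case is the one Tim describes: if the Pervasive server really sits on 192.168.0.x with the workstations, the PIX is never on the path and the fault lies elsewhere. The second case shows the symptom Walter explains for a server on a different internal subnet: the workstation sends to the gateway, the PIX resolves the egress to the same inside interface, and the packet is dropped.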
  4. Tim Wies

    Tim Wies Guest

    Walter,

    I originally tried to email this, but IBD rejected it because our mail
    server's IP doesn't resolve to our matching MX record but to the ISP's FQDN
    for the IP... I am looking into this to see how to rectify that situation,
    but I am not sure I will be able to since we only have a full class...
    Anyway, the text of the email follows...

    Tim
    =======================================================

    Walter,

    I understand your confusion, the client was unclear and I am not a Cisco
    person, so I misunderstood him. He has a 515.

    I read your second reply and completely concur, which is why I was confused
    that as soon as we took the PIX off the network and put a D-Link in its
    place, everything started working great.

    I was completely embarrassed that this solved the issue because I had been
    working with them on a number of issues trying to communicate using
    Pervasive P.SQL database server. I would not have thought the firewall
    would be the culprit on a single subnet network.

    Anyway, I am going to have him update the firmware (if it needs it) and then
    reset the entire PIX and set it up from scratch. If it starts to cause
    problems, we'll know it was the last thing set up...

    Thanks for your reply and confirmation of what I thought. I felt I was
    going nuts.

    Tim
    Tim Wies, Jul 17, 2003
    #4