PIX firewall (501 and 506) outside subnet not available to inside hosts

Discussion in 'Cisco' started by texastoast, Mar 6, 2006.

  1. texastoast (Guest)

    I have a couple of client networks set up on our internet connection.
    They are behind PIX firewalls (both ver 6.x). One is a 501 and the
    other is a 506. Both firewalls are configured basically the same, and
    both exhibit the following problem.

    The firewalls are configured for interface PAT. There is a server on
    each network that needs to be publicly accessible. So there is a
    "static" entry for the server.

    The problem: Neither server is able to connect to any host on the same
    subnet as the outside interface of the PIX, and no host on that network
    can connect through the firewall to the server. I need to be able to
    get to hosts on that outside network from the servers inside the
    firewall, as that is where their outgoing mail server, their DNS
    server, and other services are located. Any inside client that gets
    the interface PAT address can contact these hosts without fail, it is
    only the server that uses a different address than the outside
    interface that can't connect to those hosts.

    Here is what I hope is a legible diagram, indicating what hosts can be
    accessed from the server behind the firewall. The diagram is followed
    by the relevant lines from one of the configs.

    SERVER_Private ( mapped to XX.XXX.118.114)
    PIX 501 (outside int: XX.XXX.118.153 via DHCP)
    |_________ Client_Server (XX.XXX.118.6)
    GATEWAY ROUTER (inside: XX.XXX.118.1)

    So SERVER_Private can ping the inside interface of the PIX 501, and can
    telnet to the OUTSIDE interface of the GATEWAY ROUTER. SERVER_Private
    can NOT ping or telnet to Client_Server OR the inside interface of
    GATEWAY ROUTER. Client_Server cannot contact SERVER_Private even
    though all IP traffic has been allowed via access-list.

    Config lines:
    ip address outside dhcp
    ip address inside
    access-list 101 permit ip host XX.XXX.118.6 host XX.XXX.118.114
    access-group 101 in interface outside
    global (outside) 1 interface
    nat (inside) 1 0 0
    static (inside,outside) XX.XXX.118.114 netmask 0 0
    route outside 1

    I'm sure I'm missing something very basic, but please help me if you


    -Dan Horne
    texastoast, Mar 6, 2006
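As an added illustration (not part of the original post), here is a small Python model of the two translation paths the posted config sets up. It uses constructed RFC 5737 documentation addresses in place of the masked XX.XXX.118.x values, a made-up private address for SERVER_Private (the post does not give one), and fills in the elided fields of the static line with those constructed values. It shows why the server presents its mapped address rather than the interface PAT address (a static entry takes precedence over the nat/global pair) and which inbound flows the outside access-list admits. It models only translation and ACL evaluation, not layer-2 reachability on the outside segment, so it cannot by itself account for the symptom described.

```python
"""Tiny model of PIX 6.x outbound translation order and inbound ACL checks.

All addresses are constructed stand-ins (RFC 5737 ranges) for the masked
values in the post; SERVER_PRIVATE is assumed, the post does not state it.
"""
import ipaddress

OUTSIDE_IF_IP = "203.0.113.153"   # PIX outside interface (DHCP-assigned in the post)
SERVER_PRIVATE = "192.0.2.10"     # assumed private address of SERVER_Private

# Constructed config mirroring the post's lines, with elided fields filled in.
CONFIG_LINES = [
    "access-list 101 permit ip host 203.0.113.6 host 203.0.113.114",
    "access-group 101 in interface outside",
    "global (outside) 1 interface",
    "nat (inside) 1 0 0",
    "static (inside,outside) 203.0.113.114 192.0.2.10 netmask 255.255.255.255",
]


def _acl_addr(tok, i):
    """Parse one ACL address operand: 'host A', 'any', or 'A MASK'."""
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse(lines):
    """Collect statics, nat/global pairs and the outside ACL from config lines."""
    cfg = {"static": {}, "nat_ids": [], "global": {}, "acl": {}, "outside_acl": None}
    for line in lines:
        tok = line.split()
        if tok[0] == "static":
            # static (inside,outside) MAPPED REAL netmask MASK  -> real maps to MAPPED
            cfg["static"][tok[3]] = tok[2]
        elif tok[0] == "nat":
            cfg["nat_ids"].append(tok[2])            # nat (inside) ID real mask
        elif tok[0] == "global":
            cfg["global"][tok[2]] = tok[3]           # global (outside) ID interface|ip
        elif tok[0] == "access-list":
            name, action, proto = tok[1], tok[2], tok[3]
            src, i = _acl_addr(tok, 4)
            dst, _ = _acl_addr(tok, i)
            cfg["acl"].setdefault(name, []).append((action, proto, src, dst))
        elif tok[0] == "access-group" and tok[2] == "in" and tok[4] == "outside":
            cfg["outside_acl"] = tok[1]
    return cfg


def translate_outbound(cfg, real_ip):
    """Source address an inside host presents on the outside interface.

    PIX evaluates static translations before the nat/global (dynamic) pair,
    so a host with a static keeps its mapped address instead of the PAT address.
    """
    if real_ip in cfg["static"]:
        return cfg["static"][real_ip]
    for nat_id in cfg["nat_ids"]:
        pool = cfg["global"].get(nat_id)
        if pool is not None:
            return OUTSIDE_IF_IP if pool == "interface" else pool
    return None   # no translation: the PIX would not forward this host


def inbound_permitted(cfg, src_ip, dst_ip):
    """True if a new outside->inside flow to dst_ip is both translatable and permitted.

    Inbound connections need a static for the destination (the PAT address only
    carries return traffic) and a permit entry in the ACL bound to 'outside'.
    """
    if dst_ip not in cfg["static"].values():
        return False
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, _proto, s_net, d_net in cfg["acl"].get(cfg["outside_acl"], []):
        if src in s_net and dst in d_net:
            return action == "permit"
    return False   # implicit deny at the end of the ACL


CFG = parse(CONFIG_LINES)

if __name__ == "__main__":
    for host in (SERVER_PRIVATE, "192.0.2.20"):
        print(f"{host} leaves the PIX as {translate_outbound(CFG, host)}")
    for src, dst in (("203.0.113.6", "203.0.113.114"), ("203.0.113.6", OUTSIDE_IF_IP)):
        print(f"inbound {src} -> {dst}: {'permitted' if inbound_permitted(CFG, src, dst) else 'dropped'}")
```

Running it shows SERVER_Private leaving as the static's mapped address while any other inside host leaves as the interface address, and that Client_Server is admitted only toward the mapped address, matching the access-list in the post.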
