Pix and router configuration
- From: "danny.bui@xxxxxxxxx" <danny.bui@xxxxxxxxx>
- Date: 5 Apr 2006 16:04:38 -0700
Hi All,
Wonder if anyone can help me with the Cisco PIX configuration. Our
network is set up as follows:
Outside
|
|66.161.8.0/27
|
REMOTE PIX520---------DMZ 172.16.1.0/24
Colo |
|
|
Inside
|
|192.168.3.0/24
|
ROUTER A
|
192.168.6.0/24 | T1 P2P connect the cage @ Colo to HQ Office
|
ROUTER B
|
| 192.168.2.0/24
|
Corporate Network
Basically, we have a cage at a colo facility. A private T1 line
connects the HQ office to the cage. Internet access goes out from the
cage. The Cisco PIX is set up at the cage with 3 interfaces enabled:
outside, inside, dmz.
PIX config:
Outside 66.161.8.1
Inside 192.168.3.1
DMZ 172.16.1.1
Static (inside, dmz) 192.168.3.0 192.168.3.0 255.255.255.0 (no
translation between dmz & inside)
Static (inside,dmz) 192.168.2.0 192.168.2.0 255.255.255.0 (no trans
between dmz and corp)
Router A:
Serial0 192.168.6.1
E0 192.168.3.2
Router B
Serial0 192.168.6.2
E0 192.168.2.1
Routing table on PIX
0.0.0.0 0.0.0.0 66.161.8.2 (to the ISP to the internet)
192.168.2.0 255.255.255.0 192.168.3.2 (Router A Ethernet Interface)
Routing table on Router A
0.0.0.0 0.0.0.0 192.168.3.1 (Pix inside interface)
192.168.2.0 255.255.255.0 192.168.6.2 (Router B Serial Interface)
Routing table on Router B
0.0.0.0 0.0.0.0 192.168.6.1 (Router A serial interface)
All the routing and NAT and STATIC and GLOBAL are configured. Traffic
from the inside can get out to the internet. Traffic from HQ office
can get out to the internet.
The hosts from the HQ office can talk to the hosts on the DMZ segment,
since there is a STATIC (inside,dmz) 192.168.2.0 192.168.2.0
255.255.255.0. For instance, DMZ_A (172.16.1.10) can ping
HQ_A (192.168.2.10), and vice versa. There is also the access-list for
the dmz.
Hosts on the DMZ can talk to hosts on the inside of the PIX as well.
*****************************************************************************************************
The problem I have is that the host on the inside, INSIDE_A (192.168.3.10),
CANNOT talk to the host HQ_A (192.168.2.10), and vice versa. I guess
there is no NAT or STATIC to tie the 192.168.2.0 addresses to the
inside interface on the PIX.
If I add a static route on the hosts on the inside segment, then
they can communicate. For instance, on host INSIDE_A, if I add "Add
route 192.168.2.0 mask 255.255.255.0 192.168.3.2", host INSIDE_A can
talk to host HQ_A.
In short, if a host on the 192.168.3.0/24 segment wants to talk to a
host on the 192.168.2.0/24 segment, it has to bypass the PIX, which is the
default gateway for all the hosts on that segment, and go directly to
ROUTER A. Otherwise, if we let the PIX decide, it will drop the
packets since there is no NAT or STATIC for the 192.168.2.0 addresses.
I have talked to someone, and he mentioned IP redirect on the
PIX. Does anyone have any idea how to make this configuration work
without adding a static route on every host on the inside segment?
Please help!
I apologize for the long description of the problem. Please help.
Thanks a million!
Danny
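The following is an added example, not part of Danny's post or any reply in the thread. It is a Python model of the route tables listed above, built from the addresses and next hops in the post, that traces a packet hop by hop from INSIDE_A, DMZ_A and HQ_A and shows where the PIX's own lookup sends the inside-to-HQ traffic: the route for 192.168.2.0/24 points at 192.168.3.2, which sits on the inside segment, so the PIX would have to send the packet back out the interface it arrived on. The one firewall behaviour modelled is that a PIX 6.x will not forward a packet out its ingress interface; NAT, the static translations and the access-lists are deliberately left out, so the model shows routing only. The device names, the host tuples, the HQ_VIA_ROUTER_A constant and the external address 198.51.100.7 are constructed for the example.

```python
# Constructed route-lookup model of the topology in the post.  Addresses and
# route tables are the ones listed there; the only firewall behaviour modelled
# is a PIX 6.x refusing to forward a packet out the interface it arrived on.
# NAT, static translations and access-lists are deliberately not modelled.
import ipaddress
from dataclasses import dataclass

Net = ipaddress.ip_network
Addr = ipaddress.ip_address


@dataclass
class Device:
    name: str
    ifaces: dict            # interface name -> (own address, connected network)
    routes: list            # (prefix, next hop) static routes from the post
    firewall: bool = False  # PIX: never forward back out the ingress interface

    def iface_containing(self, addr):
        for name, (_own, net) in self.ifaces.items():
            if addr in net:
                return name
        return None

    def lookup(self, dst):
        """Longest-prefix match over connected networks and static routes.
        Returns (egress interface, next hop); a connected destination is
        handed to the destination itself.  None if nothing matches."""
        best, best_len = None, -1
        for name, (_own, net) in self.ifaces.items():
            if dst in net and net.prefixlen > best_len:
                best, best_len = (name, dst), net.prefixlen
        for prefix, nh in self.routes:
            if dst in prefix and prefix.prefixlen > best_len:
                best, best_len = (self.iface_containing(nh), nh), prefix.prefixlen
        return best


PIX = Device("PIX520", {
    "outside": (Addr("66.161.8.1"), Net("66.161.8.0/27")),
    "inside":  (Addr("192.168.3.1"), Net("192.168.3.0/24")),
    "dmz":     (Addr("172.16.1.1"), Net("172.16.1.0/24")),
}, [(Net("0.0.0.0/0"), Addr("66.161.8.2")),        # default to the ISP
    (Net("192.168.2.0/24"), Addr("192.168.3.2"))],  # HQ via Router A, on the inside segment
   firewall=True)
ROUTER_A = Device("RouterA", {
    "s0": (Addr("192.168.6.1"), Net("192.168.6.0/24")),
    "e0": (Addr("192.168.3.2"), Net("192.168.3.0/24")),
}, [(Net("0.0.0.0/0"), Addr("192.168.3.1")),
    (Net("192.168.2.0/24"), Addr("192.168.6.2"))])
ROUTER_B = Device("RouterB", {
    "s0": (Addr("192.168.6.2"), Net("192.168.6.0/24")),
    "e0": (Addr("192.168.2.1"), Net("192.168.2.0/24")),
}, [(Net("0.0.0.0/0"), Addr("192.168.6.1"))])
DEVICES = [PIX, ROUTER_A, ROUTER_B]

# Hosts from the post: (address, on-link network, default gateway).
INSIDE_A = (Addr("192.168.3.10"), Net("192.168.3.0/24"), Addr("192.168.3.1"))
DMZ_A = (Addr("172.16.1.10"), Net("172.16.1.0/24"), Addr("172.16.1.1"))
HQ_A = (Addr("192.168.2.10"), Net("192.168.2.0/24"), Addr("192.168.2.1"))
# The per-host workaround the post describes (route add 192.168.2.0 ... 192.168.3.2).
HQ_VIA_ROUTER_A = [(Net("192.168.2.0/24"), Addr("192.168.3.2"))]


def device_owning(addr):
    """Which device, and which of its interfaces, holds this address."""
    for dev in DEVICES:
        for name, (own, _net) in dev.ifaces.items():
            if own == addr:
                return dev, name
    return None, None


def trace(host, dst, host_routes=()):
    """Follow one packet hop by hop.  Returns (hops, verdict), each hop being
    (device name, ingress interface, egress interface)."""
    _addr, net, gw = host
    dst = Addr(dst)
    hops = []
    if dst in net:
        return hops, "delivered"            # on-link, no gateway involved
    nh = gw
    for prefix, route_nh in host_routes:    # a host route beats the default gateway
        if dst in prefix:
            nh = route_nh
    for _ in range(8):
        dev, ingress = device_owning(nh)
        if dev is None:
            return hops, f"left the model via {nh}"   # e.g. handed to the ISP
        found = dev.lookup(dst)
        if found is None:
            return hops, f"no route at {dev.name}"
        egress, nh = found
        hops.append((dev.name, ingress, egress))
        if dev.firewall and egress == ingress:
            return hops, f"dropped at {dev.name}: would exit {egress} where it entered"
        if nh == dst:
            return hops, "delivered"
    return hops, "hop limit exceeded"


if __name__ == "__main__":
    print("INSIDE_A -> HQ_A via the PIX:", trace(INSIDE_A, "192.168.2.10"))
    print("INSIDE_A -> HQ_A with host route:", trace(INSIDE_A, "192.168.2.10", HQ_VIA_ROUTER_A))
    print("HQ_A -> INSIDE_A:", trace(HQ_A, "192.168.3.10"))
    print("DMZ_A -> HQ_A:", trace(DMZ_A, "192.168.2.10"))
```

Two things the trace makes visible that the post's description does not. First, the HQ_A to INSIDE_A direction never touches the PIX at all (Router B, Router A, delivered); it is INSIDE_A's reply that is dropped, which is why the ping fails in both directions. Second, the per-host route is a real bypass: inside-to-HQ traffic carried that way is never seen by the PIX, so none of its access-lists or translation rules apply to that flow, unlike the DMZ-to-HQ path, which enters on dmz and leaves on inside and is therefore fully inspected. That is the trade-off to weigh before rolling the host route out further. (As a fact outside the post: the intra-interface restriction modelled here is the PIX 6.x behaviour; PIX 7.0 added `same-security-traffic permit intra-interface` to relax it.)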