Re: Pix and router configuration
<danny.bui@xxxxxxxxx> wrote in message
news:1144278278.694403.289060@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> ****************************************************************************
> The problem I have is the host from the inside, INSIDE_A (192.168.3.10)
> CAN NOT talk to the host HQ_A (192.168.2.10) and vice versa. I guess
> there is no NAT or STATIC to tie to 192.168.2.0 addresses on the PIX
> for the inside interface.
>
> If I add a static route on the hosts on the Inside segment, then
> they can communicate. For instance, on the INSIDE_A host, if I add "route
> add 192.168.2.0 mask 255.255.255.0 192.168.3.2", host INSIDE_A can
> talk to host HQ_A.
>
> In short, if a host on the 192.168.3.0/24 segment wants to talk to a
> host on the 192.168.2.0/24 segment, it has to bypass the PIX, which is the
> default gateway for all the hosts on that segment, and go directly to
> ROUTER A. Otherwise, if you let the PIX decide, it will drop the
> packets since there is no NAT or STATIC for 192.168.2.0 addresses.
>
> I have talked to someone, and he mentioned IP redirect on the
> PIX. Does anyone have any idea how to make this configuration work
> without adding a static route on every host on the inside segment?
> Please help!

Great description you give!
Your problem is that your INSIDE hosts have the PIX inside interface as
gateway.
So when the inside hosts want to talk to HQ, they ask the PIX for
directions.
BUT the PIX is not a router, and the PIX will not give ICMP redirects!
If you debug ICMP on the PIX you will see this.

Resolution is to have your inside hosts use the router as default gateway.
This way the router will send ICMP redirects whenever the hosts need to
go to the Internet instead.
Depending on your number of inside hosts and router hardware and, if it's
Cisco, the IOS version, this could cause problems that you need to fix
first, but again it might also not be a problem.

If you run DHCP on your clients it is pretty simple to change the gateway
option on the scope.
Also if your clients use personal firewall software, this needs to allow
the ICMP redirect, obviously.

HTH
Martin Bilgrav
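The three forwarding cases the thread walks through (PIX as the host's gateway, PIX as gateway plus a static route on the host, router as gateway with ICMP redirects) can be modelled with a few lines of Python. This is an added example, not code from either post. It does longest-prefix lookup over a host routing table and treats the PIX exactly as the thread describes it: inside traffic for 192.168.2.0/24 is dropped because nothing translates it, and the PIX never sends a redirect. The PIX inside address is not given in the thread, so 192.168.3.1 is an assumption; the Internet destination is a constructed RFC 5737 documentation address.

```python
"""Model of the host/PIX/router forwarding decisions discussed in the thread."""
from ipaddress import ip_address, ip_network

# Addresses named in the thread.
INSIDE_A = ip_address("192.168.3.10")
HQ_A = ip_address("192.168.2.10")
ROUTER_A = ip_address("192.168.3.2")
INSIDE_NET = ip_network("192.168.3.0/24")
HQ_NET = ip_network("192.168.2.0/24")
DEFAULT = ip_network("0.0.0.0/0")

PIX_INSIDE = ip_address("192.168.3.1")       # assumption: not given in the posts
INTERNET_HOST = ip_address("198.51.100.7")   # constructed RFC 5737 address

# ROUTER A: one leg on the inside segment, one on the HQ segment, default via the PIX.
ROUTER_ROUTES = [(INSIDE_NET, None), (HQ_NET, None), (DEFAULT, PIX_INSIDE)]


def lookup(routes, dst):
    """Longest-prefix match. routes is a list of (network, gateway);
    a gateway of None means the destination is directly connected,
    in which case the destination itself is the next hop."""
    matches = [(net, gw) for net, gw in routes if dst in net]
    if not matches:
        raise LookupError(f"no route to {dst}")
    net, gw = max(matches, key=lambda r: r[0].prefixlen)
    return dst if gw is None else gw


def trace(host_routes, dst, src=INSIDE_A):
    """Follow one packet from the inside host and return the hops it takes,
    ending in 'delivered' or 'dropped'. When the router issues an ICMP
    redirect, the host installs a /32 route for dst (mutates host_routes),
    which is how a real host caches a redirect."""
    hops = []
    nh = lookup(host_routes, dst)
    if nh == dst:
        return ["direct", "delivered"]
    if nh == PIX_INSIDE:
        # Per the thread: no nat/static covers the HQ network, so the PIX drops
        # it, and it does not redirect the host to the router.
        hops.append("PIX")
        hops.append("dropped" if dst in HQ_NET else "delivered")
        return hops
    if nh == ROUTER_A:
        hops.append("ROUTER_A")
        rnh = lookup(ROUTER_ROUTES, dst)
        if rnh != dst and rnh in INSIDE_NET and src in INSIDE_NET:
            # Next hop is on the same segment the packet came from: the router
            # forwards this packet and tells the host to use that gateway next time.
            hops.append(f"redirect->{rnh}")
            host_routes.append((ip_network(f"{dst}/32"), rnh))
            hops.extend(["PIX", "delivered"])
        else:
            hops.append("delivered")
        return hops
    return hops + ["dropped"]


def scenario_pix_gateway():
    """Thread's starting point: PIX is the default gateway, no extra routes."""
    routes = [(INSIDE_NET, None), (DEFAULT, PIX_INSIDE)]
    return trace(routes, HQ_A), trace(routes, INTERNET_HOST)


def scenario_static_route():
    """Danny's workaround: a host static route for 192.168.2.0/24 via ROUTER A."""
    routes = [(INSIDE_NET, None), (HQ_NET, ROUTER_A), (DEFAULT, PIX_INSIDE)]
    return trace(routes, HQ_A), trace(routes, INTERNET_HOST)


def scenario_router_gateway():
    """Martin's fix: router as default gateway; Internet traffic gets redirected."""
    routes = [(INSIDE_NET, None), (DEFAULT, ROUTER_A)]
    first_hq = trace(routes, HQ_A)
    first_inet = trace(routes, INTERNET_HOST)    # router forwards and redirects
    second_inet = trace(routes, INTERNET_HOST)   # cached /32 now points at the PIX
    return first_hq, first_inet, second_inet


if __name__ == "__main__":
    print("PIX as gateway:       ", scenario_pix_gateway())
    print("PIX + host static:    ", scenario_static_route())
    print("Router as gateway:    ", scenario_router_gateway())
```

In the third case the redirect makes the host cache a host-specific route to the PIX, so only the first packet to a given Internet destination takes the extra hop through the router. That cached route is also what a personal firewall blocking ICMP redirects would prevent: the hosts still reach the Internet, but every packet keeps transiting the router.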