[afnog] PIX Configuration Issue

Julius Kidubuka juki at one2net.co.ug
Wed Jun 15 09:52:18 EAT 2005


Hi all,

I have a rather baffling scenario on my hands. I am trying to set up a PIX
firewall between my LAN and the external network (via a FreeBSD gateway).


Below is my ASCII network diagram:


81.x.x.x/27        192.168.x.x/24               172.16.x.x/24

          +--------+             +------+         +--------+
          | Free   |             |Cisco |         |  LAN   | LAN PCs
 ---------| BSD    |-------------|PIX   |---------| Switch |--------
          | G/W    |             |      |         |        |
          +---+----+             +------+         +--------+


Initially I set up the PIX with NAT, and part of my conf was:

ip address outside 192.168.x.x/24
ip address inside 172.16.x.x/24

nat (inside) 1 0 0
global (outside) 1 192.168.x.x-192.168.x.x
global (outside) 1 192.168.x.x

no rip inside default
no rip inside passive
no rip outside default
no rip outside passive

route outside 0.0.0.0 0.0.0.0 192.168.x.x 1 S


I also had both networks (i.e. 172.16.x.x and 192.168.x.x) taken care of
in the ipnat.rules on the FreeBSD gateway. With this setup, the PIX could
reach the FreeBSD g/w and the LAN PCs could get to the PIX, but I couldn't get
any communication between the LAN PCs and the FreeBSD g/w.

I thought this was a case of 'double NATting' since I had NAT rules on
both the FreeBSD g/w and PIX.

I then re-did the PIX configuration without any NATting at all, but that
didn't help either, i.e. I still couldn't get to the FreeBSD g/w from the
LAN PCs.

How can I go about ensuring that the LAN PCs are able to communicate with
the FreeBSD g/w via the PIX (and browse the internet, etc.)?


Thanks in advance.


Regards,
Julius.
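The no-NAT variant of the setup above, written out as an added illustration that is not from the original post: PIX 6.x identity NAT for the LAN, together with the return route and ipnat entry the FreeBSD gateway needs once the PIX stops translating. Addresses are placeholders as in the post; the interface name fxp0, the access-list name NONAT and the PIX 6.x syntax are assumptions.

```text
! --- PIX side (PIX 6.x syntax, assumed) ---
! Placeholder addresses, as in the post.
ip address outside 192.168.x.1 255.255.255.0
ip address inside  172.16.x.1 255.255.255.0

! Exempt the LAN prefix from translation instead of "nat (inside) 1 0 0":
! packets leave the outside interface with their real 172.16.x.x source.
access-list NONAT permit ip 172.16.x.0 255.255.255.0 any
nat (inside) 0 access-list NONAT

! Default route points at the FreeBSD gateway's inside address.
route outside 0.0.0.0 0.0.0.0 192.168.x.254 1

! Replies from the outside are admitted only if they match a connection
! the PIX saw leave, so nothing else is needed on the PIX for LAN-initiated
! traffic. The piece that is easy to miss is on the other box:

# --- FreeBSD gateway side (assumed interface names) ---
# Without translation on the PIX, the gateway receives packets from
# 172.16.x.0/24 but has no route back to that prefix; replies are sent
# via its default route and never reach the LAN. Add the return route
# via the PIX outside address (one-off form; use rc.conf to persist):
route add -net 172.16.x.0/24 192.168.x.1

# ipnat.rules must translate the LAN prefix on the external interface
# as well as the 192.168 prefix the PIX itself uses (0/32 = use the
# address of fxp0):
map fxp0 172.16.x.0/24  -> 0/32 portmap tcp/udp auto
map fxp0 172.16.x.0/24  -> 0/32
map fxp0 192.168.x.0/24 -> 0/32 portmap tcp/udp auto
map fxp0 192.168.x.0/24 -> 0/32

# Check the path from the gateway before touching anything else:
netstat -rn | grep 172.16      # return route present?
ipnat -l                       # LAN prefix listed in active map rules?
```

In the NAT variant from the post the return route is unnecessary, because replies go to the 192.168.x.x global addresses on the PIX's directly connected outside segment; only the no-NAT variant needs it.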
