[afnog] PIX Configuration Issue

Brian Candler B.Candler at pobox.com
Wed Jun 15 16:46:26 EAT 2005


On Wed, Jun 15, 2005 at 09:52:18AM +0300, Julius Kidubuka wrote:
> I have a rather baffling scenario on my hands. I am trying to set up a PIX
> firewall btn my LAN and external (via a FreeBSD gateway).
> 
> 
> Below is my ASCII network diagram:
> 
> 
> 81.x.x.x/27        192.168.x.x/24               172.16.x.x/24
> 
>           +--------+             +------+         +--------+
>           | Free   |             |Cisco |         |  LAN   | LAN PCs
>  ---------| BSD    |-------------|PIX   |---------| Switch |--------
>           | G/W    |             |      |         |        |
>           +---+----+             +------+         +--------+
...
> I also had both networks (i.e. 172.16.x.x and 192.168.x.x) taken care of
> in the ipnat.rules on the FreeBSD gateway. With this setup, the PIX could
> reach the FreeBSD g/w, the LAN PCs could get to the PIX but I couldn't get
> any communication between the LAN PCs and the FreeBSD g/w.

Did you remember to add a static route on the FreeBSD box for the 172.16
network via the PIX?

    # route add -net 172.16.x.x/24 192.168.z.z

where 192.168.z.z is the PIX outside IP

Otherwise, whenever the FreeBSD box tries to send a packet to 172.16.x.x, it
will follow its default route to the outside world.

If you did remember that - then please give more accurate configurations of
the boxes, including "netstat -i", "netstat -rn" on the Linux box,
equivalents on the PIX, and preferably with IP addresses not obscured.

Regards,

Brian.
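As an added illustration (not part of Brian's reply or the original thread), the following does a longest-prefix lookup over a constructed, simplified FreeBSD-style `netstat -rn` table to show where the gateway sends a packet for the LAN before and after the static route is added. The addresses are stand-ins: 198.51.100.0/27 plays the 81.x.x.x/27 outside link, 192.168.1.2 plays the PIX outside address (192.168.z.z above), and 172.16.1.0/24 the LAN.

```python
import ipaddress

# Constructed, simplified "netstat -rn" output for the FreeBSD gateway
# (columns trimmed to Destination, Gateway, Flags, Netif).
NETSTAT_WITHOUT_ROUTE = """\
Destination        Gateway            Flags    Netif
default            198.51.100.1       UGS      fxp0
127.0.0.1          127.0.0.1          UH       lo0
192.168.1.0/24     link#2             UC       fxp1
198.51.100.0/27    link#1             UC       fxp0
"""

# The same table after:  route add -net 172.16.1.0/24 192.168.1.2
STATIC_ROUTE_LINE = "172.16.1.0/24      192.168.1.2        UGS      fxp1\n"
NETSTAT_WITH_ROUTE = NETSTAT_WITHOUT_ROUTE + STATIC_ROUTE_LINE


def parse_routes(text):
    """Return (network, gateway, netif) tuples from the table text."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header line
        dest, gw, _flags, netif = line.split()
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            # host routes are printed without a prefix length
            net = ipaddress.ip_network(dest if "/" in dest else dest + "/32")
        routes.append((net, gw, netif))
    return routes


def lookup(text, dst):
    """Longest-prefix match, as the kernel does; returns (gateway, netif)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, netif in parse_routes(text):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    return (best[1], best[2]) if best else None


if __name__ == "__main__":
    for label, table in (("without", NETSTAT_WITHOUT_ROUTE),
                         ("with", NETSTAT_WITH_ROUTE)):
        gw, netif = lookup(table, "172.16.1.10")
        print(f"{label} static route: 172.16.1.10 -> {gw} via {netif}")
```

Without the static route the LAN address falls through to the default entry and leaves on the outside interface; with it, the packet is handed to the PIX on the inside interface.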
