Firewall Wizards mailing list archives
Re: 2 PIXes with their interfaces sharing the same switch and on the same VLAN.
From: Josh Ward <jward () network-services uoregon edu>
Date: Sat, 01 Aug 2009 11:27:23 -0700
Rudy,

Depending on what version of PIX software you are running, you may be able to use the packet tracer to see what is going on. I believe they added it in 7.2. Try this command (changing your ingress interface name):

    packet-tracer input insideXX tcp 10.17.1.2 5555 10.15.1.10 ssh det

The output should show you exactly how the pix is making a forward or drop decision. You can twiddle the second IP and see what is different between the two different destinations.

-Josh

--
Josh Ward <jward () uoregon edu>
Network Security Engineer - University of Oregon - Network Services
PGP Fingerprint: CFB6 62C0 370B AD6D BA33 6034 8FFB 4A49 297F 6A4C

Rudy Setiawan wrote:
Hi all,

I have a problem that I need some solution/advice for :)

I have two PIXes:

* PIX A WAN is connected to Provider A
* PIX B WAN is connected to Provider B
* PIX A inside interface has the IP address of 10.15.1.1
* PIX B DMZ interface has the IP address of 10.15.1.2
* PIX B inside interface has the IP address of 10.17.1.1
* Subnet mask for all of the IP addresses is 255.255.0.0 or /16

I disabled nat by way of nat 0 access-list to both PIXes and the interfaces as well (except the WAN). I have an "ip permit any any" applied to all interfaces except the WAN.

A user with IP 10.17.1.2, who has a gateway of 10.17.1.1, is able to ping a server at 10.15.1.10 (the server has a gateway of 10.15.1.1) but is unable to ssh to the server. But if I change the gateway of the server to 10.15.1.2, then the user is able to ssh to the server.

What am I doing wrong here?

Thank you so much in advance for the help.

Regards,
Rudy

------------------------------------------------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- 2 PIXes with their interfaces sharing the same switch and on the same VLAN. Rudy Setiawan (Aug 01)
- Re: 2 PIXes with their interfaces sharing the same switch and on the same VLAN. Josh Ward (Aug 02)
- Re: 2 PIXes with their interfaces sharing the same switch and on the same VLAN. Scott Stursa (Aug 02)
- Re: 2 PIXes with their interfaces sharing the same switch and on the same VLAN. lordchariot (Aug 06)
- Re: 2 PIXes with their interfaces sharing the same switch and on the same VLAN. Rudy Setiawan (Aug 06)
- Re: 2 PIXes with their interfaces sharing the same switch and on the same VLAN. Dave Ballowe (Aug 06)
- Re: 2 PIXes with their interfaces sharing the same switch and on the same VLAN. Marjan Naumovski (Aug 06)