Firewall Wizards mailing list archives
Re: 2 PIXes with their interfaces sharing the same switch andon the same VLAN.
From: <lordchariot () embarqmail com>
Date: Sun, 2 Aug 2009 19:16:04 -0400
When you see pings get through, but TCP sessions do not, it's usually traced down to statefulness and/or asymmetric routing. I don't do PIX/ASA, but I've run into this before on other firewalls. Something is not going out the same door it came in.
-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Scott Stursa
Sent: Saturday, August 01, 2009 2:08 PM
To: rudy () rudal com; Firewall Wizards Security Mailing List
Cc: firewall-wizards () listserv icsalabs com
Subject: Re: [fw-wiz] 2 PIXes with their interfaces sharing the same switch andon the same VLAN.

Rudy Setiawan said:

> Hi all,
>
> I have some problem that I need some solution/advice :)
>
> I have two PIXes:
> * PIX A WAN is connected to Provider A
> * PIX B WAN is connected to Provider B
> * PIX A inside interface has the IP address of 10.15.1.1
> * PIX B DMZ interface has the IP address of 10.15.1.2
> * PIX B inside interface has the IP address of 10.17.1.1
> * Subnet mask for all of the IP addresses 255.255.0.0 or /16
>
> I disabled NAT by way of nat 0 access-list on both PIXes and the interfaces as well (except the WAN). I have an "ip permit any any" applied to all interfaces except the WAN.
>
> A user with IP 10.17.1.2 that has a gateway of 10.17.1.1 is able to ping a server at 10.15.1.10 (the server has a gateway of 10.15.1.1) but is unable to ssh to the server. But if I change the gateway of the server to 10.15.1.2, then the user is able to ssh to the server.
>
> What am I doing wrong here?

Does PIX A have an explicit route defined for 10.17.0.0/16? If not, then it's probably sending the server's packets out to the provider (how the ICMP echo replies get back to 10.17.1.2 is a bit mysterious). Try adding a route to PIX A for 10.17.0.0/16 pointing to 10.15.1.2.

--
It's not having what you want. It's wanting what you've got. - Sheryl Crow

Scott L. Stursa
CISSP, CCNP, MCSA

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
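The asymmetric-return diagnosis from the thread, modelled as an added example that is not part of the original messages or of any PIX configuration: constructed routing tables for the two PIXes (the default routes to each provider and the static route Scott suggests are assumptions), a longest-prefix-match lookup, and a trace of the server's reply to the user for the three cases discussed: no route on PIX A, the added route, and the server's gateway moved to PIX B. The rule that PIX B only passes a reply it sees on the way back is the stateful-firewall assumption the thread relies on.

```python
import ipaddress

# Constructed routing tables modelled on the addresses in the thread (assumed,
# not taken from the real PIX configs). Entry: (prefix, next hop or interface).
PIX_A = [
    ("10.15.0.0/16", "inside"),     # connected, PIX A inside = 10.15.1.1
    ("0.0.0.0/0", "provider-A"),    # assumed default route out the WAN
]
PIX_B = [
    ("10.15.0.0/16", "dmz"),        # connected, PIX B DMZ = 10.15.1.2
    ("10.17.0.0/16", "inside"),     # connected, PIX B inside = 10.17.1.1
    ("0.0.0.0/0", "provider-B"),    # assumed default route out the WAN
]
# The static route Scott suggests adding to PIX A.
FIX_FOR_PIX_A = ("10.17.0.0/16", "10.15.1.2")

USER, SERVER = "10.17.1.2", "10.15.1.10"


def lookup(table, dst):
    """Longest-prefix match: the most specific matching route wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1]


def reply_path(server_gateway, pix_a_table):
    """Hops the server's reply (SYN-ACK to the user's SSH SYN) traverses."""
    path = []
    if server_gateway == "10.15.1.1":          # server hands the reply to PIX A
        path.append("PIX A")
        hop = lookup(pix_a_table, USER)
        if hop != "10.15.1.2":                 # no route to 10.17/16: leaks out
            return path + [hop]
    path.append("PIX B")                       # 10.15.1.2 is PIX B's DMZ side
    return path + [lookup(PIX_B, USER)]


def ssh_session_works(server_gateway, pix_a_table=PIX_A):
    """Assumption: PIX B saw the SYN (user -> inside -> dmz -> server), so it
    only forwards the SYN-ACK if the reply comes back through PIX B too."""
    forward = ["PIX B", lookup(PIX_B, SERVER)]  # always goes via PIX B's dmz
    return forward[0] in reply_path(server_gateway, pix_a_table)
```

Running the three cases shows the reply leaking to provider A without the route, and returning through PIX B either with the static route or with the server's gateway changed to 10.15.1.2.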