Re: 2 PIXes with their interfaces sharing the same switch and on the same VLAN.

[Dave Ballowe <ballowe () cisco com>]

Rudy,

The obvious thing to do is to add a static route on the server back to
10.17.0.0 via 10.15.1.2.  Have you done that?

Also, to know what exactly is going on, you might want to capture packets on
the 10.15 network, either with a separate device or by using the capture
command on the PIX.  That will tell you what is really going on.

Dave


On 7/31/09 7:19 PM, "Rudy Setiawan" <rudal () online rudal com> wrote:

> Hi all,
>
> I have some problem that I need some solution/advice :)
>
> I have two PIX'es
> * PIX A WAN is connected to Provider A
> * PIX B WAN is connected to Provider B
> * PIX A inside interface has the IP address of 10.15.1.1
> * PIX B DMZ interface has the IP address of 10.15.1.2
> * PIX B inside interface has the IP address of 10.17.1.1
> * Subnet mask for all of the IP addresses 255.255.0.0 or /16
>
> I disabled nat by way of nat 0 access-list to both PIXes and the interfaces as
> well (except the WAN).
> I have a "ip permit any any" applied to all interfaces except the WAN,
>
> A user with IP 10.17.1.2 has a gateway of 10.17.1.1 is able to ping a server
> in 10.15.1.10 (the server has a gateway of 10.15.1.1) but is unable to ssh to
> the server.
> But if I changed the gateway of the server to 10.15.1.2, then the user is able
> to ssh to the server.
>
> What am I doing wrong here?
>
> Thank you so much in advance for the help.
>
> Regards,
> Rudy
>
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

-- 
Dave Ballowe
Mgr., STBU Engineering
Cisco
5330 Airport Blvd
MS BLDR01/3/4
Boulder, CO  80301
(720) 562-6399


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards