Re: [fw-wiz] 2 PIXes with their interfaces sharing the same switch andon the same VLAN.



When you see pings get through, but TCP sessions do not, it's usually traced
down to statefulness and/or asymmetric routing.
I don't do PIX/ASA, but I've run into this before on other firewalls.
Something is not going out the same door it came in.


-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx [mailto:firewall-
wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Scott Stursa
Sent: Saturday, August 01, 2009 2:08 PM
To: rudy@xxxxxxxxx; Firewall Wizards Security Mailing List
Cc: firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [fw-wiz] 2 PIXes with their interfaces sharing the same
switch andon the same VLAN.


Rudy Setiawan said:
Hi all,

I have some problem that I need some solution/advice :)

I have two PIX'es
* PIX A WAN is connected to Provider A
* PIX B WAN is connected to Provider B
* PIX A inside interface has the IP address of 10.15.1.1
* PIX B DMZ interface has the IP address of 10.15.1.2
* PIX B inside interface has the IP address of 10.17.1.1
* Subnet mask for all of the IP addresses 255.255.0.0 or /16

I disabled nat by way of nat 0 access-list to both PIXes and the
interfaces
as well (except the WAN).
I have a "ip permit any any" applied to all interfaces except the WAN,

A user with IP 10.17.1.2 has a gateway of 10.17.1.1 is able to ping a
server
in 10.15.1.10 (the server has a gateway of 10.15.1.1) but is unable to
ssh
to the server.
But if I changed the gateway of the server to 10.15.1.2, then the user
is
able to ssh to the server.

What am I doing wrong here?

Does PIX A have an explicit route defined for 10.17.0.0/16? If not, then
it's probably sending the server's packets out to the provider (how the
ICMP echo replies get back to 10.17.1.2 is a bit mysterious). Try adding a
route to PIX A for 10.17.0.0/16 pointing to 10.15.1.2.

--
It's not having what you want.
It's wanting what you've got.
- Sheryl Crow

Scott L. Stursa
CISSP, CCNP, MCSA
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



Relevant Pages