Netbrain
01-05-2010, 05:14 AM
Chris
Join Date: Jun 2009
Posts: 74
Cisco Pix Static Routes And Internet Filtering Box

I am in the process of setting up an Iprism Web Filtering box. This box sits between our 7204 router and OLD pix classic. Here's the issue. I set up the filter box with an address in the network between the router and pix. I can ping all interfaces within that network. I cannot ping outside the network. I have changed the default gateway and static route of the router to point to the internal port on the filter box.

Something like this.

ip route 0.0.0.0 0.0.0.0 172.20.21.4 (all traffic unknown sent to filtering box)
ip route 172.20.21.4 255.255.255.255 FastEthernet0/0 (sets route from outside router int direct to the internal filterbox.)

This is the current setup before installing the filter box.

ip route 0.0.0.0 0.0.0.0 172.20.21.2
ip route 172.20.21.2 255.255.255.255 FastEthernet0/0

That should enable me to ping the 21.4 interface? Doesn't work. I have not written it to memory and reset the box. This is in production and I have to work around everyone.

Going to try the filter box again and try a different setup.

Now on to the pix.

One inside route to the external port on the router.

ip route 0.0.0.0 0.0.0.0 172.20.21.1 1 (that takes all traffic from outside to inside network.) I just changed this line to
ip route 0.0.0.0 0.0.0.0 172.20.21.4 1 (takes all traffic from outside to external address of the filter box.)

The filter box uses 1 ip address for both internal and external. That is why I will go over the setup again. Also this box has ping utilities built in and I cannot ping any internal or external addresses.

Thanks for your time reading this long post.
01-07-2010, 03:42 AM
m.stone
Join Date: Dec 2009
Posts: 29
Re: Cisco Pix Static Routes And Internet Filtering Box

I'm not sure I completely understand the setup here.

So, the PIX is connected to the filter box. The filter box is connected to the router.

On the PIX there is a default route pointing to the filter box?
The filter box has a default router (presumably) pointing to the router?
So the router routes the outbound traffic.

Incoming traffic comes in to the router and the router sends this incoming traffic to the filter box?
The filter box - where does this send the incoming traffic and how? Is the filter box also a router?
Imagine the filter box works and sends the traffic back to the PIX - what does the PIX do with this traffic? The PIX is a firewall, not a router and won't know how to route the traffic.

Have you set debugging on the outside interface for ICMP on the PIX (and enabled ICMP, of course) to see if the reply packets even get to the outside interface? Well, first you can do this on the router to see if they get back to the router - then the filter box - and then the PIX - this will indicate where the problem lies.
01-08-2010, 03:16 AM
David.C
Join Date: May 2009
Posts: 118
Re: Cisco Pix Static Routes And Internet Filtering Box

You now need to configure routing on your WF box, so that the box knows which traffic is for outside, and which is for inside.
On the PIX you must put this for outside traffic:
ip route 0.0.0.0 0.0.0.0 172.20.21.4
For your internal traffic, PIX will know how to route it because it has directly connected interfaces to your internal networks.

On the router, it's strange that you have configured a default route towards your WF, because you now have a loop there.

You specified this in your topic -
ip route 0.0.0.0 0.0.0.0 172.20.21.4 (all traffic unknown sent to filtering box)
ip route 172.20.21.4 255.255.255.255 FastEthernet0/0 (sets route from outside router int direct to the internal filterbox.)

So, where is your FE0/0 connected? If it is connected to some outside router, ping won't work because it will be sent towards the FE0/0 interface. If FA0/0 is connected directly to the WF, then your second statement is not necessary.

Please clearly list all IP addresses on all interfaces on the Router, PIX and WF.
Also, specify where your Internet is connected, and how your equipment is connected - through what interfaces.
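The loop described in the reply above can be checked offline by following static routes hop by hop with longest-prefix match. This is an added example, not part of any poster's reply: 172.20.21.1 and 172.20.21.4 are from the thread, while the /24 mask, the filter box's default gateway (pointing back at the router) and the upstream next hop 203.0.113.1 are assumptions.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match: next hop of the most specific matching route, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def trace(devices, owner, start, dst, max_hops=16):
    """Follow static routes from device `start` towards dst. Returns (path, verdict)."""
    path, seen, node = [start], {start}, start
    for _ in range(max_hops):
        next_hop = lookup(devices[node], dst)
        if next_hop is None:
            return path, "no route"
        if next_hop == "connected":
            return path, "delivered"
        node = owner.get(next_hop)
        if node is None:  # next hop is outside the devices we model
            return path + [next_hop], "left modeled network"
        path.append(node)
        if node in seen:  # same device visited twice: forwarding loop
            return path, "loop"
        seen.add(node)
    return path, "hop limit"

# Constructed model. 172.20.21.1 (router) and 172.20.21.4 (filter box) are from the
# thread; the /24 mask, the filter box's default gateway and the upstream next hop
# 203.0.113.1 are assumptions made for illustration.
OWNER = {"172.20.21.1": "router", "172.20.21.4": "filter"}
FILTER_ROUTES = [("0.0.0.0/0", "172.20.21.1"), ("172.20.21.0/24", "connected")]
AS_POSTED = {
    "router": [("0.0.0.0/0", "172.20.21.4"), ("172.20.21.0/24", "connected")],
    "filter": FILTER_ROUTES,
}
UPSTREAM_DEFAULT = {
    "router": [("0.0.0.0/0", "203.0.113.1"), ("172.20.21.0/24", "connected")],
    "filter": FILTER_ROUTES,
}
EXTERNAL = "198.51.100.10"  # documentation address standing in for an Internet host

if __name__ == "__main__":
    for name, devices in (("as posted", AS_POSTED), ("upstream default", UPSTREAM_DEFAULT)):
        print(name, trace(devices, OWNER, "filter", EXTERNAL))
```

Filling in the real interface addresses and routes requested in the reply turns this into a quick pre-change check on a production path.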
01-11-2010, 04:13 AM
m.stone
Join Date: Dec 2009
Posts: 29
Re: Cisco Pix Static Routes And Internet Filtering Box

Great, it works, thanks, guys!
All times are GMT -4.