[afnog] PIX Configuration Issue

Thu Jun 16 19:01:54 EAT 2005

Hi all,

Sorry for the delay in response. I am still trying out some options that I
have been given (including Brian's) after which I'll post a detailed
repsonse.

PS: The FreeBSD box was replaced by a Cisco 1700 Series router.

Rgds,
Juki.

> On Wed, Jun 15, 2005 at 09:52:18AM +0300, Julius Kidubuka wrote:
>> I have a rather buffling scenario on my hands. I am trying to setup a
>> PIX
>> firewall btn my LAN and external (via a FreeBSD gateway).
>>
>>
>> Below is my ASCII network diagram:
>>
>>
>> 81.x.x.x/27        192.168.x.x/24               172.16.x.x/24
>>
>>           +--------+             +------+         +--------+
>>           | Free   |             |Cisco |         |  LAN   | LAN PCs
>>  ---------| BSD    |-------------|PIX   |---------| Switch |--------
>>           | G/W    |             |      |         |        |
>>           +---+----+             +------+         +--------+
> ...
>> I also had both networks (.ie. 172.16.x.x and 192.168.x.x) taken care of
>> in the ipnat.rules on the FreeBSD gateway. With this setup, the PIX
>> could
>> reach the FreeBSD g/w, the LAN PCs could get to the PIX but I couldn't
>> get
>> any communication between the LAN PCs and the FreeBSD g/w.
>
> Did you remember to add a static route on the FreeBSD box for the 172.16
> network via the PIX?
>
>     # route add -net 172.16.x.x/24 192.168.z.z
>
> where 192.168.z.z is the PIX outside IP
>
> Otherwise, whenever the FreeBSD box tries to send a packet to 172.16.x.x,
> it
> will follow its default route to the outside world.
>
> If you did remember that - then please give more accurate configurations
> of
> the boxes, including "netstat -i", "netstat -rn" on the Linux box,
> equivalents on the PIX, and preferably with IP addresses not obscured.