Need help allowing traffic from dmz to intf2 and inside PIX 515

joeschmoes (IS-IT--Management), Oct 4, 2004
I have an inside router with the following networks:
192.168.1.0/24
205.128.1.0/25
10.1.0.0/16

My PIX 515 has the same:
inside 192.168.1.111
intf2 205.128.1.85
dmz 10.1.1.100

We also have Microsoft ISA server that we use for web filtering and such. Some applications are next to impossible to get through the ISA server, therefore, on a couple of machines, I point their gateway to the PIX.

On a particular machine it is setup like this:
IP 205.128.1.24/25
GW is 205.128.1.85

It is able to get out on the internet and bypass the ISA server but is not able to ping anything on the 10 network.

The machine that it needs to talk to is:
IP 10.1.1.38/16
GW 10.1.1.1

I can ping anything except the 205.128.1.24 machine or any of the PIX interfaces other than the 10.1.1.100.

On my router, I added the following commands:
ip route 205.128.1.0 255.255.255.128 205.128.1.85
ip route 10.1.0.0 255.255.0.0 10.1.1.100

I still get no communication between the two devices.

On the PIX, I added the following commands:
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (inside,intf2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
(this was under the direction of Cisco support, they say I have a routing problem)

Any help would be appreciated.
 
What are the security levels for intf2 and dmz?
I do not see a static for those 2 interfaces to communicate, so I would assume that intf2 has a higher security level. If not, a static will be needed. I am also assuming that proper ACLs are in place. If this is the case, I would consider setting up captures to find out if it is indeed a routing issue and not a config issue.

I have a Packet Capture example on my site:

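The reply above lists three things to check: the relative security levels of intf2 and dmz, a static between that interface pair, and the ACLs. The configuration below is an added example, not from the thread or from Cisco, that puts all three together for the two hosts in the question, using PIX 6.x syntax (the generation of PIX 515 in use in 2004). The security levels (intf2 = 50, dmz = 10), the interface-to-Ethernet mapping and the ACL names are assumptions; the addresses and the two inside statics are the ones the poster gave.

```cisco
! Added example, not the poster's config. Assumed: intf2 is security50, dmz is security10.
nameif ethernet1 inside security100
nameif ethernet2 intf2 security50
nameif ethernet3 dmz security10
ip address inside 192.168.1.111 255.255.255.0
ip address intf2 205.128.1.85 255.255.255.128
ip address dmz 10.1.1.100 255.255.0.0

! Identity translations: each host keeps its own address across the interface pair.
! On PIX 6.x a higher-to-lower flow (intf2 -> dmz) needs a translation to exist at all,
! so without a static (intf2,dmz) the 205.128.1.24 -> 10.1.1.38 packets never leave the PIX.
static (intf2,dmz) 205.128.1.0 205.128.1.0 netmask 255.255.255.128 0 0
! The two inside statics from the question, kept so the whole picture is in one place.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (inside,intf2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

! If an access-group is bound to intf2, the default "higher may talk to lower" rule is
! gone and the outbound flow must be permitted explicitly (assumed ACL name: intf2_in).
access-list intf2_in permit icmp 205.128.1.0 255.255.255.128 10.1.0.0 255.255.0.0
access-list intf2_in permit ip 205.128.1.0 255.255.255.128 any
access-group intf2_in in interface intf2

! dmz is the lower-security side. PIX 6.x does not track ICMP statefully, so the
! echo-replies from 10.1.1.38 need an explicit permit, as does any ping 10.1.1.38
! initiates toward 205.128.1.24. Binding this list to dmz also removes the default
! behaviour for every other dmz-initiated flow, so a real list must carry those too.
access-list dmz_in permit icmp host 10.1.1.38 host 205.128.1.24 echo-reply
access-list dmz_in permit icmp host 10.1.1.38 host 205.128.1.24 echo
access-group dmz_in in interface dmz

! Existing translations are not rebuilt when a static changes.
clear xlate

! Captures on both sides of the flow (assumed capture names). Ping 10.1.1.38 from
! 205.128.1.24, then compare: packets seen on intf2 but never on dmz mean the PIX
! dropped them (config problem); packets leaving dmz with nothing coming back mean
! the 10.1.0.0/16 side never answered or routed the reply elsewhere (routing problem).
access-list cap permit icmp host 205.128.1.24 host 10.1.1.38
access-list cap permit icmp host 10.1.1.38 host 205.128.1.24
capture c_intf2 access-list cap interface intf2
capture c_dmz access-list cap interface dmz
show capture c_intf2
show capture c_dmz
```

One caveat when reading the ping results in the question: a PIX answers ICMP only on the interface the packet arrives on, so a host on the dmz side not being able to ping 192.168.1.111 or 205.128.1.85 is normal and says nothing about routing. The host-to-host test through the captures is the one that matters.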