Cisco PIX routing issue

14 years 5 months ago #32765 by jimmyshin
Hi everyone, was pointed towards this forum by an ex-colleague so here goes.

We have a setup as follows

Core Server Farm -- PIX -- Switched Wan -- ISA -- Internal Clients
-- ISA -- Internal Clients
--ISA -- Internal Clients
x 150

The external IP addresses of the ISA servers all follow the format 10.10.x.200 and the internal clients are all 10.110.x.0/24

Now from our core network, we can ping the 10.10.x.200 addresses, but not the 10.110.x.y addresses. There is a route relationship on the ISA allowing this traffic through from our core network.

On the PIX, we can see traffic going to the 10.10.x.200 addresses (in terms of hitcounts on the ACL) but we see nothing going to 10.110.x.y

The relevant parts of the Cisco config are

object-group All-Internal
network-object 10.10.0.0 255.255.0.0
network-object 10.110.0.0 255.255.0.0
object-group Core-AV-Server
network-object host 172.31.32.119

access-list Core-Int extended permit ip object-group Core-AV-Server object-group All-Internal


which breaks down during a 'sh run' to

access-list Core-Int line 1 extended permit ip host 172.31.32.119 10.10.0.0 255.255.0.0 (hitcnt=5)
access-list Core-Int line 1 extended permit ip host 172.31.32.119 10.110.0.0 255.255.0.0 (hitcnt=0)


We also have routes set for

S 10.10.0.0 255.255.0.0 [1/0] via 10.240.240.10, WAN
S 10.110.0.0 255.255.0.0 [1/0] via 10.240.240.10, WAN


where 10.240.240.10 is the next hop to get to the remote WANs.

The PIX interface on our Core network is 172.31.32.210 which is the default gateway on the AV server (and shows as the next hop doing a tracert).

I cannot for the life of me understand why I am not seeing the traffic for the internal networks hitting the PIX - any ideas?

Thanks in advance
Jim
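As an added example, not part of Jim's post or of any Cisco tooling: a small Python helper that parses the expanded ACL and static-route lines quoted above and, for every ACE with hitcnt=0, reports whether the PIX has no route to that destination or whether it does have one (in which case the zero counter means the packets are not arriving at the PIX's inbound ACL at all, so the problem is upstream of the firewall). The sample input is constructed from the lines in the post.

```python
import ipaddress
import re

# Constructed sample input: the expanded ACL and static routes as quoted in the post.
SHOW_ACCESS_LIST = """\
access-list Core-Int line 1 extended permit ip host 172.31.32.119 10.10.0.0 255.255.0.0 (hitcnt=5)
access-list Core-Int line 1 extended permit ip host 172.31.32.119 10.110.0.0 255.255.0.0 (hitcnt=0)
"""
SHOW_ROUTE = """\
S 10.10.0.0 255.255.0.0 [1/0] via 10.240.240.10, WAN
S 10.110.0.0 255.255.0.0 [1/0] via 10.240.240.10, WAN
"""

# Expanded ACE: destination network/mask and hit counter. Static route: prefix, mask, next hop, interface.
ACE_RE = re.compile(r"permit \S+ host \S+ (?P<dst>\S+) (?P<mask>\S+) \(hitcnt=(?P<hits>\d+)\)")
ROUTE_RE = re.compile(r"^S (?P<net>\S+) (?P<mask>\S+) \[\d+/\d+\] via (?P<nh>\S+), (?P<iface>\S+)")


def parse_aces(text):
    """[(dst_network, hitcnt)] for every expanded ACE in 'show access-list' output."""
    matches = (ACE_RE.search(line) for line in text.splitlines())
    return [(ipaddress.ip_network(f"{m['dst']}/{m['mask']}"), int(m["hits"])) for m in matches if m]


def parse_routes(text):
    """[(network, next_hop, interface)] for every static route in 'show route' output."""
    matches = (ROUTE_RE.match(line) for line in text.splitlines())
    return [(ipaddress.ip_network(f"{m['net']}/{m['mask']}"), m["nh"], m["iface"]) for m in matches if m]


def best_route(routes, dst):
    """Longest-prefix match: the most specific route that covers the whole destination network."""
    covering = [r for r in routes if r[0].supernet_of(dst)]
    return max(covering, key=lambda r: r[0].prefixlen, default=None)


def audit(acl_text, route_text):
    """For each zero-hit ACE, say whether the PIX lacks a route or the packets simply never arrive."""
    routes = parse_routes(route_text)
    findings = []
    for dst, hits in parse_aces(acl_text):
        if hits:
            continue  # the ACE is matching traffic; nothing to explain
        r = best_route(routes, dst)
        if r is None:
            findings.append(f"{dst}: hitcnt=0 and no route on the PIX")
        else:
            findings.append(f"{dst}: hitcnt=0 but routed via {r[1]} ({r[2]}); packets never reach this ACL")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SHOW_ACCESS_LIST, SHOW_ROUTE)))
```

For the lines in the post it reports that 10.110.0.0/16 is routed on the PIX yet counts no hits, which points at the path between the AV server and the PIX interface rather than at the ACL or routing table shown.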
14 years 5 months ago #32772 by Elohim
Replied by Elohim on topic Re: Cisco PIX routing issue
The part that is broken is the irrelevant part of the config that was not posted.