melam
Thanks for taking the time to read and help!
I have an ssg20 that I am using to replace a pix520. The pix config had 3 interfaces: in, out and dmz. The inside is all hung off of a cisco cat4000 with many 10. vlans on it. All vlans point to 10.x.x.1 as their GW. The ssg is .2 on the inside, which the cat routes all outbound to. Pretty normal, eh?
With the ssg in place and the pix removed I can only get to the dmz from the inside 10. -> 172. The dmz can sometimes get out to the internet (yeah sometimes!) Outside -> DMZ seems to work fine. Inside -> outside doesn’t work at all. Even with policies in place to log it I cannot see any traffic going through it.
I tried unplugging the cat from the inside bgroup ports and just plugged my laptop into it and everything worked fine. All subnets/routing/policies/internet access etc!
What could be causing this on the cat switch? It is a pretty basic config: 10 vlans 10.0.1.x - 10.0.0.x (10 in all), tags are given to each 10. vlan. There are a bunch of static routes between the vlans configured, but the main one is “ip route 0.0.0.0 0.0.0.0 10.0.6.2”. That’s the ssg’s address and, well, shouldn’t that work?
One other interesting thing: when I had a laptop plugged into one of the inside’s bridge group ports pinging the outside world happily, then I plug the cat into another port in the inside bridge group, and about 30 seconds later my laptop can’t use the internet anymore.
I have configs I can post though only on paper and will have to be transcribed to post!
mannygib
As far as your DMZ getting outside, if I am not mistaken the range you are using is 172.x.x.x, make sure you enable NAT either on the DMZ interface or the policy from DMZ -> Untrust.
For the internal stuff, please post the ssg config excerpt and the cisco config if possible.
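The two NAT options mannygib describes for DMZ -> Untrust, written out as a ScreenOS CLI fragment. This is an added example, not melam’s configuration or anything from the thread: it assumes the SSG20 factory interface layout (ethernet0/0 in Untrust, ethernet0/1 in DMZ, bgroup0 in Trust), a placeholder DMZ subnet of 172.16.0.0/24, and policy id 10; adjust to match the real box. The policy is created with logging so that “get log traffic” can confirm whether any DMZ traffic is actually hitting the policy, which is the same check melam used on the inside.

```text
# --- Option A: interface-based source NAT on the DMZ interface ---
# (assumed interface name and address; the DMZ zone must live in trust-vr for NAT mode)
set interface ethernet0/1 zone DMZ
set interface ethernet0/1 ip 172.16.0.1/24
set interface ethernet0/1 nat

# --- Option B: leave the interface in route mode and NAT on the policy instead ---
set interface ethernet0/1 route
set policy id 10 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat src permit log

# Verification: translated sessions and policy hits should appear here
get session src-ip 172.16.0.0 src-mask 255.255.255.0
get log traffic policy 10
```

Pick one option, not both: with interface NAT mode every DMZ host is translated to the egress interface address regardless of policy, while policy-based “nat src” only translates traffic matching that policy, which keeps the DMZ’s real 172.x addresses visible on any DMZ -> Trust policies you add later.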