Velocity Reviews - Computer Hardware Reviews

PIX static route not working, im desperate!

Davide Corrado
      01-28-2008
hello, I'm a UNIX system admin and sometimes I have to put my hands on
Cisco stuff. Usually I can do it reading docs online, but this time I'm
really desperate. I hope someone here can help me to solve my problem...

I'm using a PIX 515E with firmware 8.0.2


SERVER FARM
X.X.X.X
|
|
ADSL
|
|
192.168.69.30
OFFICE LAN (addresses 192.168.69.0/24)
|
|
|
PIX 515E (internal address 192.168.69.253, extern Y.Y.Y.Y)
|
|
INTERNET

So we have an ADSL link that connects our office LAN to a server farm
(our LAN has addresses of this kind: 192.168.69.X), and we are connected to
the Internet using a second ADSL link.
What we need is to reach the servers in the server farm using the PIX
VPN. I put a static route in the PIX configuration but it's not working
when I connect to the PIX using the VPN. And when I am in the LAN, I
have to manually insert in my PC the static route that sends all traffic
to X.X.X.X via 192.168.69.30.
I don't understand what is wrong, could you please help me?

PIX Version 8.0(2)
!
hostname PIXNSC
domain-name xxxxxxxxx
enable password RKODEhJ1uwKzCJ1e encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address Y.Y.Y.Y 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.69.253 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
passwd ************** encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name nscsrl.it
access-list outside_access_in extended permit tcp any host Y.Y.Y.140 eq www
access-list outside_access_in extended permit tcp any host Y.Y.Y.140 eq pop3
access-list outside_access_in extended permit tcp any host Y.Y.Y.140 eq 5222
access-list outside_access_in extended permit tcp any host Y.Y.Y.140 eq 5223
access-list outside_access_in extended permit tcp any host Y.Y.Y.140 eq https
access-list outside_access_in extended permit tcp any host Y.Y.Y.140 eq smtp
access-list outside_access_in extended permit tcp any host Y.Y.Y.140 eq 995
access-list outside_access_in extended permit tcp any host Y.Y.Y.140 eq 465
access-list outside_access_in extended permit tcp host 85.18.117.122 host Y.Y.Y.139 eq ssh
access-list outside_access_in extended permit tcp host 85.18.117.122 host Y.Y.Y.139 eq 3306
access-list outside_access_in extended permit tcp host 85.18.117.122 host Y.Y.Y.139 eq 7129
access-list outside_access_in extended permit tcp any host Y.Y.Y.142 eq www
access-list outside_access_in extended permit tcp any host Y.Y.Y.142 eq 8554
access-list outside_access_in extended permit tcp any host Y.Y.Y.142 eq 6968
access-list outside_access_in extended permit tcp any host Y.Y.Y.142 eq 6969
access-list nonat extended permit ip 192.168.69.0 255.255.255.0 host 192.168.69.145
access-list nonat extended permit ip 192.168.69.0 255.255.255.0 host 192.168.69.146
access-list nonat extended permit ip 192.168.69.0 255.255.255.0 host 192.168.69.147
access-list nonat extended permit ip 192.168.69.0 255.255.255.0 host 192.168.69.148
access-list nonat extended permit ip 192.168.69.0 255.255.255.0 host 192.168.69.149
access-list nonat extended permit ip 192.168.69.0 255.255.255.0 host 192.168.69.150
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool vpnpool1 192.168.69.145-192.168.69.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) Y.Y.Y.140 192.168.69.41 netmask 255.255.255.255
static (inside,outside) Y.Y.Y.142 192.168.69.220 netmask 255.255.255.255
static (inside,outside) Y.Y.Y.139 192.168.69.42 netmask 255.255.255.255
static (inside,outside) Y.Y.Y.141 192.168.69.47 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.137 1 << THIS IS THE ROUTE TO THE ADSL MODEM FOR INTERNET ACCESS
route inside X.X.X.X 255.255.255.0 192.168.69.30 1 << THIS IS THE STATIC ROUTE TO THE FARM
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set nsc esp-3des esp-md5-hmac
crypto dynamic-map map2 10 set transform-set nsc
crypto dynamic-map map2 10 set reverse-route
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 192.168.69.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
username Administrator password ************** encrypted
username corrado password ************ encrypted
tunnel-group nscvpn type remote-access
tunnel-group nscvpn general-attributes
address-pool vpnpool1
tunnel-group nscvpn ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:755f1e6a91c1b8423e16b7560519436f
: end
PIXNSC#
Chris
      01-28-2008
On Mon, 28 Jan 2008 16:39:18 +0100, Davide Corrado wrote:

> hello, I'm a UNIX system admin and sometimes I have to put my hands on
> Cisco stuff. Usually I can do it reading docs online, but this time I'm
> really desperate. I hope someone here can help me to solve my problem...
>
> I'm using a PIX 515E with firmware 8.0.2
>
>
> SERVER FARM
> X.X.X.X
> |
> |
> ADSL
> |
> |
> 192.168.69.30
> OFFICE LAN (addresses 192.168.69.0/24)
> |
> |
> |
> PIX 515E (internal address 192.168.69.253, extern Y.Y.Y.Y)
> |
> |
> INTERNET
>
> So we have an ADSL link that connects our office LAN to a server farm
> (our LAN has addresses of this kind: 192.168.69.X), and we are connected to
> the Internet using a second ADSL link.
> What we need is to reach the servers in the server farm using the PIX
> VPN. I put a static route in the PIX configuration but it's not working
> when I connect to the PIX using the VPN. And when I am in the LAN, I
> have to manually insert in my PC the static route that sends all traffic
> to X.X.X.X via 192.168.69.30.
> I don't understand what is wrong, could you please help me?
>


> interface Ethernet1
> nameif inside
> security-level 100
> ip address 192.168.69.253 255.255.255.0
> !


> route inside X.X.X.X 255.255.255.0 192.168.69.30 1 << THIS IS THE ROUTE


So it looks like what you are trying to do is from the internal LAN on
192.168.69.x you are trying to use this pix as a gateway and have internet
traffic hitting this pix on 192.168.69.253 route back inside the network to
the ADSL gateway on 192.168.69.30. This has been covered many times and
won't work because the pix is not a router. Traffic that enters the pix on
one interface must leave it via another interface. You can't 'route on a
stick', i.e. have traffic come into the inside interface and then be routed
back out of that same interface.

http://www.cisco.com/en/US/products/...80094874.shtml

Chris.
 
Walter Roberson
      01-28-2008
In article <1062ywl8zsbnc.1ahqfclu4bbg1$(E-Mail Removed)>,
Chris <(E-Mail Removed)> wrote:
>On Mon, 28 Jan 2008 16:39:18 +0100, Davide Corrado wrote:


>> I'm using a PIX 515E with firmware 8.0.2


>So it looks like what you are trying to do is from the internal LAN on
>192.168.69.x you are trying to use this pix as a gateway and have internet
>traffic hitting this pix on 192.168.69.253 route back inside the network to
>the ADSL gateway on 192.168.69.30. This has been covered many times and
>won't work because the pix is not a router. Traffic that enters the pix on
>one interface must leave it via another interface. You can't 'route on a
>stick', ie. have traffic come into the inside interface and then be routed
>back out of that same interface.


Notice that the original poster said PIX 8.0.2.

Since 7.2,
same-security-traffic permit-intra-interface
"permits traffic to enter and leave the same interface, and
not just IPSec traffic".
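As an added example (not from the thread, and not a Cisco tool), a small Python audit that applies Chris's and Walter's points to a config in the format the original post shows: it finds static routes whose next hop lies on the interface the route is bound to, which hairpin traffic arriving on that interface, and reports whether same-security-traffic permit intra-interface is present. The sample config and its addresses are constructed, not the poster's.

```python
"""Audit a PIX/ASA 7.x/8.x config for static routes that hairpin traffic."""
import ipaddress
import re

# Constructed sample shaped like the thread's config (documentation
# addresses, not the poster's); only the lines the checks read are kept.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 203.0.113.10 255.255.255.248
interface Ethernet1
 nameif inside
 ip address 192.168.69.253 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
route inside 198.51.100.0 255.255.255.0 192.168.69.30 1
"""
INTRA_OK = "same-security-traffic permit intra-interface"


def interface_networks(config):
    """Map each nameif to the IPv4 network configured on that interface."""
    nets, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None
        elif m := re.match(r"\s*nameif\s+(\S+)", line):
            name = m.group(1)
        elif (m := re.match(r"\s*ip address\s+(\S+)\s+(\S+)", line)) and name:
            nets[name] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
    return nets


def audit_routes(config):
    """Return one finding string per static route that needs attention."""
    nets = interface_networks(config)
    permitted = any(l.strip() == INTRA_OK for l in config.splitlines())
    findings = []
    for line in config.splitlines():
        m = re.match(r"route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", line)
        if not m:
            continue
        iface, dest, mask, nexthop = m.groups()
        prefix = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        net = nets.get(iface)
        if net is None or ipaddress.ip_address(nexthop) not in net:
            findings.append(f"{prefix} via {nexthop}: next hop is not on the '{iface}' subnet")
        elif prefix.prefixlen != 0 and not permitted:
            # Hosts on this interface reaching the prefix would enter and leave
            # the same interface; the PIX drops that unless intra-interface
            # traffic is permitted. The default route is left out here.
            findings.append(f"{prefix} via {nexthop}: hairpins on '{iface}'; add '{INTRA_OK}'")
    return findings
```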

Davide Corrado
      01-29-2008
I knew that starting from 7.0 this kind of traffic was supported (I
didn't know how to activate it anyway).

Well, I inserted
same-security-traffic permit intra-interface
in the configuration. Right now I'm connected to the office LAN and I
deleted the static route that leads to the server farm from my PC to
see if now the PIX static rule is working in the LAN... and it's not
working... what else can I do?

> Since 7.2,
> same-security-traffic permit-intra-interface


> "permits traffic to enter and leave the same interface, and
> not just IPSec traffic".
>
