2 subnets can't route over 4700 to pix 501

Discussion in 'Cisco' started by JohnC, Nov 19, 2004.

  1. JohnC

    JohnC Guest

    I can ping the devices on all 3 subnets, but I can't get outside the
    pix to the Internet. If I connect directly to the pix, I can get to
    the internet. I have set the default route in the 4700 to the pix.
    What do I need to change to be able to get the traffic out to the
    Internet? The PIX 501 IP is 192.168.2.1. I have omitted 6 interfaces
    to shorten this post.

    sho config
    Using 1537 out of 129016 bytes
    !
    version 11.2
    service password-encryption
    service udp-small-servers
    service tcp-small-servers
    !
    hostname 4700
    !
    ip subnet-zero
    no ip source-route
    no ip bootp server
    no ip domain-lookup
    !
    interface FastEthernet0
    ip address 192.168.2.253 255.255.255.0
    no ip redirects
    full-duplex
    !
    interface FastEthernet1
    ip address 192.168.4.253 255.255.255.0
    full-duplex
    !
    router eigrp 1
    network 192.168.2.0
    network 192.168.1.0
    network 192.168.3.0
    network 192.168.4.0
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.2.9
    !
    #sho ip route
    Gateway of last resort is 192.168.2.9 to network 0.0.0.0

    C 192.168.2.0/24 is directly connected, FastEthernet0
    S* 0.0.0.0/0 [1/0] via 192.168.2.9
    #
     
    JohnC, Nov 19, 2004
    #1
  2. In article <>,
    JohnC <> wrote:
    :I can ping the devices on all 3 subnets, but I can't get outside the
    :pix to the Internet. If I connect directly to the pix, I can get to
    :the internet. I have set the default route in the 4700 to the pix.
    :What do I need to change to be able to get the traffic out to the
    :Internet? The PIX 501 IP is 192.168.2.1.

    Urr, you only show the 4700 configuration. The problem could be with
    the PIX configuration.

    :ip route 0.0.0.0 0.0.0.0 192.168.2.9

    You said the default route on the 4700 was set to the PIX, and
    you said the PIX IP is 192.168.2.1. What's that 192.168.2.9 in
    your 'ip route' statement, and where is your route statement
    to 192.168.2.1 ?
    --
    "The human genome is powerless in the face of chocolate."
    -- Dr. Adam Drewnowski
     
    Walter Roberson, Nov 19, 2004
    #2
  3. JohnC

    John Cadella Guest

    We tried a pix at 2.9, 2.1 and also a smc7004 too.

    So to do this, you are saying I need a return route in the pix to get to the
    4700?
    Then we can use the smc then I assume.
    Here is a recent pix config.
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxxxxxxxxxxxx encrypted
    passwd xxxxxxx encrypted
    hostname xxxxxx
    domain-name cadella.com
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list outside_access_in remark UDP 500
    access-list outside_access_in permit udp any eq isakmp any eq isakmp
    access-list outside_access_in remark IP Protocol ESP 50
    access-list outside_access_in permit esp any any
    access-list outside_access_in remark SNTP
    access-list outside_access_in permit tcp any eq 123 any
    access-list outside_access_in remark SNTP
    access-list outside_access_in permit udp any eq ntp any
    access-list outside_access_in permit udp any any eq 4500
    access-list outside_access_in permit udp any any eq isakmp
    access-list inside_outbound_nat0_acl permit ip any 192.168.222.44 255.255.255.252
    access-list outside_cryptomap_dyn_20 permit ip any 192.168.222.44 255.255.255.252
    access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.222.0 255.255.255.0
    access-list inside_access_in remark allow any outbound tcp
    access-list inside_access_in permit tcp any any
    access-list inside_access_in remark permit any outbound udp
    access-list inside_access_in permit udp any any
    access-list inside_access_in remark enable any outbound ip
    access-list inside_access_in permit ip any any
    pager lines 24
    logging on
    logging timestamp
    logging console informational
    logging buffered informational
    logging trap informational
    icmp deny any outside
    mtu outside 1500
    mtu inside 1500
    ip address outside pppoe setroute
    ip address inside 192.168.2.9 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.2.0 255.255.255.0 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5 ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet 192.168.2.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    management-access inside
    console timeout 0
    vpdn group pppoe_group request dialout pppoe
    vpdn group pppoe_group localname xxxxxxxxx
    vpdn group pppoe_group ppp authentication pap
    terminal width 80

     
    John Cadella, Nov 19, 2004
    #3
  4. JohnC

    John Cadella Guest

    I should have checked my spelling - I assume we cannot use the smc.
    j
     
    John Cadella, Nov 19, 2004
    #4
  5. In article <iJend.17354$>,
    John Cadella <> wrote:
    :I should have checked my spelling- I assume we can not use the smc.

    Which smc is that? You've mentioned a PIX and a 4700, but not an SMC.
    --
    Would you buy a used bit from this man??
     
    Walter Roberson, Nov 19, 2004
    #5
  6. In article <hIend.17351$>,
    John Cadella <> wrote:
    :We tried a pix at 2.9, 2.1 and also a smc7004 too.

    Oops, I see the smc referenced there now.

    :So to do this, you are saying I need a return route in the pix to get to the
    :4700?

    Yes, that's your problem. You have three 192.168.x.0/24 subnets
    being sent to the PIX for output; output will be translated by
    way of the nat (inside) 0.0.0.0 0.0.0.0 command which covers all IPs.
    When the reply comes back from the far end, and the destination
    address gets mapped back to the appropriate 192.168.x.0/24 address,
    the PIX doesn't know that the 192.168.x.0 destinations should be
    sent along back to the 4700, and so will look them up in its routing
    tables, find them matched by the default route, and will then drop
    them instead of sending them back out the outside interface they just
    came in.

    The Cisco output interpreter also has this warning that you should heed:

    WARNING: The 'access-list' statement:
    'access-list outside_access_in permit esp any any'
    allows esp traffic to initiate connections from the outside to a
    higher security level interface, for any source and destination,
    whenever there is an active translation in the PIX.

    TRY THIS: These types of access-lists can be useful for testing in
    a lab environment, but should be used with extreme care in a
    production environment. Check your security policy.
    --
    We don't need no side effect-ing
    We don't need no scope control
    No global variables for execution
    Hey! Did you leave those args alone? -- decvax!utzoo!utcsrgv!roderick
     
    Walter Roberson, Nov 19, 2004
    #6
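    The drop Walter describes, modelled as an added example (this is not code from the thread or from Cisco): a longest-prefix lookup on the PIX's routing table, with the PIX 6.3 rule that a packet whose route points back out the interface it arrived on is dropped. The "as posted" table is what the thread shows (inside 192.168.2.9/24 plus the PPPoE default on outside); the second table adds the return routes a `route inside ... 192.168.2.253` statement would create, the 4700's FastEthernet0 address being the assumed next hop.

    ```python
    import ipaddress

    # Constructed model of the PIX 501 routing behaviour discussed in the thread.
    # Each route is (prefix, egress interface, next hop).

    def lookup(routes, dst):
        """Longest-prefix match; returns (interface, next_hop) or None."""
        dst = ipaddress.ip_address(dst)
        best = None
        for prefix, iface, nh in routes:
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface, nh)
        return None if best is None else (best[1], best[2])

    def forward(routes, ingress, dst):
        """Decide what the PIX does with a packet that arrived on `ingress`
        (after any un-NAT) and is destined for `dst`."""
        hit = lookup(routes, dst)
        if hit is None:
            return "drop: no route"
        iface, nh = hit
        if iface == ingress:
            # PIX 6.3 does not forward a packet back out the interface it came in on.
            return f"drop: route points back out {ingress}"
        return f"forward via {iface}/{nh}"

    # PIX as posted: only the connected inside subnet and the PPPoE default route.
    PIX_AS_POSTED = [
        ("192.168.2.0/24", "inside", "connected"),
        ("0.0.0.0/0", "outside", "pppoe-peer"),
    ]

    # Same PIX with static routes for the subnets behind the 4700 (assumed next hop
    # 192.168.2.253, the 4700's FastEthernet0 address from the posted config).
    PIX_WITH_RETURN_ROUTES = PIX_AS_POSTED + [
        ("192.168.1.0/24", "inside", "192.168.2.253"),
        ("192.168.3.0/24", "inside", "192.168.2.253"),
        ("192.168.4.0/24", "inside", "192.168.2.253"),
    ]

    def demo():
        # A reply from the Internet, un-NATed to a host on 192.168.4.0/24.
        return {
            "as_posted": forward(PIX_AS_POSTED, "outside", "192.168.4.10"),
            "with_routes": forward(PIX_WITH_RETURN_ROUTES, "outside", "192.168.4.10"),
            "local_subnet": forward(PIX_AS_POSTED, "outside", "192.168.2.50"),
        }

    if __name__ == "__main__":
        for case, result in demo().items():
            print(f"{case}: {result}")
    ```

    Hosts on 192.168.2.0/24 work in both tables, which is why connecting directly to the PIX succeeds while the other subnets do not.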
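    The output-interpreter warning quoted above, reproduced as a small config audit (an added example, not a Cisco tool): it parses the `access-list` and `access-group` lines copied from the posted PIX config and reports any entry bound inbound on `outside` that permits every source to every destination with no port qualifier.

    ```python
    import re

    # Constructed sample: the outside_access_in entries and access-group bindings
    # from the PIX 6.3(3) config posted in this thread.
    CONFIG = """\
    access-list outside_access_in permit udp any eq isakmp any eq isakmp
    access-list outside_access_in permit esp any any
    access-list outside_access_in permit tcp any eq 123 any
    access-list outside_access_in permit udp any eq ntp any
    access-list outside_access_in permit udp any any eq 4500
    access-list outside_access_in permit udp any any eq isakmp
    access-list inside_access_in permit ip any any
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    """

    ACE = re.compile(r"^access-list (\S+) permit (\S+) (.+)$")
    BIND = re.compile(r"^access-group (\S+) in interface (\S+)$")

    def parse(config):
        """Return ([(acl, proto, [tokens])], {acl: interface}) from PIX config text."""
        aces, binds = [], {}
        for raw in config.splitlines():
            line = raw.strip()
            m = ACE.match(line)
            if m:
                aces.append((m.group(1), m.group(2), m.group(3).split()))
                continue
            m = BIND.match(line)
            if m:
                binds[m.group(1)] = m.group(2)
        return aces, binds

    def is_unrestricted(tokens):
        """True only for a bare 'any any': no source or destination port qualifier."""
        return tokens == ["any", "any"]

    def audit(config):
        """(acl, proto) pairs that admit any host to any host inbound on 'outside'."""
        aces, binds = parse(config)
        return [(acl, proto) for acl, proto, tokens in aces
                if binds.get(acl) == "outside" and is_unrestricted(tokens)]

    if __name__ == "__main__":
        for acl, proto in audit(CONFIG):
            print(f"WARNING: {acl} permits {proto} any any inbound on outside")
    ```

    The `inside_access_in permit ip any any` entry is not reported because it is bound to the inside interface, which is what the interpreter's warning distinguishes.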