PIX 506E static route problem

Discussion in 'Cisco' started by tfanabe, Oct 31, 2006.

  1. tfanabe

    Hi all,

    My name is Giulian and I'm writing from Italy.
    I have a problem with a PIX 506E running 6.3(5).

    The outside interface has a public IP 84.18.156.23/29.
    The inside interface has a private IP 10.10.45.254/24.
    The local LAN uses 10.10.45.0/24 addresses and the default gateway is the
    inside interface IP.

    In the inside zone I have a router with IP 10.10.45.253 that is
    connected point-to-point to another network with 10.10.46.0/24
    addresses.

    I would like to connect to PCs on the 10.10.46.0/24 network through the
    inside router, so I have inserted a static route in the PIX
    configuration like:

    route inside 10.10.46.0 255.255.255.0 10.10.45.253 1

    My problem is that this configuration doesn't work....
    To be on the safe side, I have tried connecting with a crossover cable to the inside
    router, and I can ping the remote PC on the 10.10.46.0/24 LAN.

    Any idea?
    Thanking you in advance, and sorry for my English.

    Giulian
     
    tfanabe, Oct 31, 2006
    #1

  2. "tfanabe" <> wrote:

    > I have a problem with a PIX 506E running 6.3(5).
    >
    > The outside interface has a public IP 84.18.156.23/29.
    > The inside interface has a private IP 10.10.45.254/24.
    > The local LAN uses 10.10.45.0/24 addresses and the default gateway is the
    > inside interface IP.
    >
    > In the inside zone I have a router with IP 10.10.45.253 that is
    > connected point-to-point to another network with 10.10.46.0/24
    > addresses.


    PIX doesn't give ICMP redirect. You have to change your
    configuration so that the default gateway is the router.
     
    Jyri Korhonen, Oct 31, 2006
    #2

  3. tfanabe wrote:
    > Hi all,
    >
    > My name is Giulian and I'm writing from Italy.
    > I have a problem with a PIX 506E running 6.3(5).
    >
    > The outside interface has a public IP 84.18.156.23/29.
    > The inside interface has a private IP 10.10.45.254/24.
    > The local LAN uses 10.10.45.0/24 addresses and the default gateway is the
    > inside interface IP.
    >
    > In the inside zone I have a router with IP 10.10.45.253 that is
    > connected point-to-point to another network with 10.10.46.0/24
    > addresses.
    >
    > I would like to connect to PCs on the 10.10.46.0/24 network through the
    > inside router, so I have inserted a static route in the PIX
    > configuration like:
    >
    > route inside 10.10.46.0 255.255.255.0 10.10.45.253 1
    >
    > My problem is that this configuration doesn't work....
    > To be on the safe side, I have tried connecting with a crossover cable to the inside
    > router, and I can ping the remote PC on the 10.10.46.0/24 LAN.
    >
    > Any idea?
    > Thanking you in advance, and sorry for my English.
    >
    > Giulian
    >


    If you add the route manually on the workstation, not the PIX, does it
    traverse the point-to-point link? If not, then you might have ACLs
    preventing traffic across the link. The statement you have IMO looks fine.

    For example on a windows PC in a command prompt type:

    route add 10.10.46.0 MASK 255.255.255.0 10.10.45.253

    In *NIX

    route add -net 10.10.46.0 netmask 255.255.255.0 gw 10.10.45.253 dev eth0


    HTH
     
    George W. Bush, Oct 31, 2006
    #3
  4. CK

    From your query I understood:

    Outside IP           Inside IP                   Outside IP        Inside IP
    84.**.***.23---PIX---10.10.45.254/24------------10.10.45.254/24--Router--10.10.46.0/24

    >> route inside 10.10.46.0 255.255.255.0 10.10.45.253 1

    It should work.

    Can you post your config?

    CK


    tfanabe wrote:
    > Hi all,
    >
    > My name is Giulian and I'm writing from Italy.
    > I have a problem with a PIX 506E running 6.3(5).
    >
    > The outside interface has a public IP 84.18.156.23/29.
    > The inside interface has a private IP 10.10.45.254/24.
    > The local LAN uses 10.10.45.0/24 addresses and the default gateway is the
    > inside interface IP.
    >
    > In the inside zone I have a router with IP 10.10.45.253 that is
    > connected point-to-point to another network with 10.10.46.0/24
    > addresses.
    >
    > I would like to connect to PCs on the 10.10.46.0/24 network through the
    > inside router, so I have inserted a static route in the PIX
    > configuration like:
    >
    > route inside 10.10.46.0 255.255.255.0 10.10.45.253 1
    >
    > My problem is that this configuration doesn't work....
    > To be on the safe side, I have tried connecting with a crossover cable to the inside
    > router, and I can ping the remote PC on the 10.10.46.0/24 LAN.
    >
    > Any idea?
    > Thanking you in advance, and sorry for my English.
    >
    > Giulian
     
    CK, Oct 31, 2006
    #4
  5. In article <>,
    tfanabe <> wrote:
    >I have a problem with a PIX 506E running 6.3(5).

    >The inside interface has a private IP 10.10.45.254/24.
    >The local LAN uses 10.10.45.0/24 addresses and the default gateway is the
    >inside interface IP.

    >In the inside zone I have a router with IP 10.10.45.253 that is
    >connected point-to-point to another network with 10.10.46.0/24
    >addresses.

    >I would like to connect to PCs on the 10.10.46.0/24 network through the
    >inside router, so I have inserted a static route in the PIX
    >configuration like:

    > route inside 10.10.46.0 255.255.255.0 10.10.45.253 1


    Where are you starting from when you want to connect to that pc on
    10.10.46/24 ? If you are starting from outside, then the route
    statement you give should be fine, provided that the 10.10.46/24
    network is nat'd (for traffic that is outgoing only) or static'd
    to a public IP if something on 10.10.46/24 is acting as a server
    [a case that would require appropriate outside ACLs.]

    But if you are starting from something on your 10.10.45/24 network
    and expecting that hosts there will send the packet to the PIX
    (because it is their default gateway) and that the PIX will forward it
    over to 10.10.45.253 for transport to 10.10.46/24, then like the
    other poster said, that is not going to work: the PIX does not
    send out ICMP redirects and will just drop the packets.
     
    Walter Roberson, Oct 31, 2006
    #5
  6. mcaissie


    > From your query I understood:
    >
    > Outside IP           Inside IP                   Outside IP        Inside IP
    > 84.**.***.23---PIX---10.10.45.254/24------------10.10.45.254/24--Router--10.10.46.0/24
    >
    >>> route inside 10.10.46.0 255.255.255.0 10.10.45.253 1
    >
    > It should work.



    No, it should not. This route is only for packets entering the PIX on the
    outside interface. They can then be routed on the inside through the gateway
    mentioned in the statement. Or if you ping from the PIX itself, as tfanabe did, it will
    work.

    But if the packet comes from the inside it will not be routed back on the
    inside. The PIX doesn't allow a packet to leave using the same interface it came
    from.

    The PIX is not a router; unfortunately, tfanabe, you will need another device
    to accomplish what you are trying to do.

    >
    > can you post your config
    >
    > CK
    >
    >
    > tfanabe wrote:
    >> Hi all,
    >>
    >> My name is Giulian and I'm writing from Italy.
    >> I have a problem with a PIX 506E running 6.3(5).
    >>
    >> The outside interface has a public IP 84.18.156.23/29.
    >> The inside interface has a private IP 10.10.45.254/24.
    >> The local LAN uses 10.10.45.0/24 addresses and the default gateway is the
    >> inside interface IP.
    >>
    >> In the inside zone I have a router with IP 10.10.45.253 that is
    >> connected point-to-point to another network with 10.10.46.0/24
    >> addresses.
    >>
    >> I would like to connect to PCs on the 10.10.46.0/24 network through the
    >> inside router, so I have inserted a static route in the PIX
    >> configuration like:
    >>
    >> route inside 10.10.46.0 255.255.255.0 10.10.45.253 1
    >>
    >> My problem is that this configuration doesn't work....
    >> To be on the safe side, I have tried connecting with a crossover cable to the inside
    >> router, and I can ping the remote PC on the 10.10.46.0/24 LAN.
    >>
    >> Any idea?
    >> Thanking you in advance, and sorry for my English.
    >>
    >> Giulian

    >
     
    mcaissie, Oct 31, 2006
    #6
  7. CK

    What if we NAT the IPs?



    mcaissie wrote:
    > > From your query I understood:
    > >
    > > Outside IP           Inside IP                   Outside IP        Inside IP
    > > 84.**.***.23---PIX---10.10.45.254/24------------10.10.45.254/24--Router--10.10.46.0/24
    > >
    > >>> route inside 10.10.46.0 255.255.255.0 10.10.45.253 1
    > >
    > > It should work.

    >
    >
    > No, it should not. This route is only for packets entering the PIX on the
    > outside interface. They can then be routed on the inside through the gateway
    > mentioned in the statement. Or if you ping from the PIX itself, as tfanabe did, it will
    > work.
    >
    > But if the packet comes from the inside it will not be routed back on the
    > inside. The PIX doesn't allow a packet to leave using the same interface it came
    > from.
    >
    > The PIX is not a router; unfortunately, tfanabe, you will need another device
    > to accomplish what you are trying to do.
    >
    > >
    > > can you post your config
    > >
    > > CK
    > >
    > >
    > > tfanabe wrote:
    > >> Hi all,
    > >>
    > >> My name is Giulian and I'm writing from Italy.
    > >> I have a problem with a PIX 506E running 6.3(5).
    > >>
    > >> The outside interface has a public IP 84.18.156.23/29.
    > >> The inside interface has a private IP 10.10.45.254/24.
    > >> The local LAN uses 10.10.45.0/24 addresses and the default gateway is the
    > >> inside interface IP.
    > >>
    > >> In the inside zone I have a router with IP 10.10.45.253 that is
    > >> connected point-to-point to another network with 10.10.46.0/24
    > >> addresses.
    > >>
    > >> I would like to connect to PCs on the 10.10.46.0/24 network through the
    > >> inside router, so I have inserted a static route in the PIX
    > >> configuration like:
    > >>
    > >> route inside 10.10.46.0 255.255.255.0 10.10.45.253 1
    > >>
    > >> My problem is that this configuration doesn't work....
    > >> To be on the safe side, I have tried connecting with a crossover cable to the inside
    > >> router, and I can ping the remote PC on the 10.10.46.0/24 LAN.
    > >>
    > >> Any idea?
    > >> Thanking you in advance, and sorry for my English.
    > >>
    > >> Giulian

    > >
     
    CK, Nov 1, 2006
    #7
  8. In article <>,
    CK <> wrote:

    >What if we NAT the IPs?


    There is no point in us answering that question until you answer
    the question I posed in my response: where are the packets
    starting from that you are trying to get through to the second
    subnet?

    Repeating what I said before: if the packets are coming from
    outside, there is no problem. If the packets are coming from
    inside then there is NO way you are going to be able to get your
    PIX 506E to pass the traffic back to the same interface.

    If the packets are originating "inside", then change the
    default gateway of all of those hosts to be the IP address of the
    inside router, so that packets going from inside to the other
    inside subnet do not pass through the PIX.

    If you can't do that for some reason, your only other hope
    is that you are using an 802.1Q compatible switch and that you
    implement two "logical interfaces" on the same physical interface,
    with different IP subnets for each. The PIX 506E running 6.3(3) or
    later [such as your 6.3(5)] *will* forward between different IP subnets
    on the same physical interface, if those subnets are on different
    "logical interfaces". Which has its own drawbacks: the two
    logical interfaces will have to be at different security levels
    than each other and you will need to define nat/global/access-group
    and so on.
     
    Walter Roberson, Nov 1, 2006
    #8
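    The forwarding behaviour that posts #6 and #8 describe (the PIX 6.3 static route is consulted, but a packet whose egress interface equals its ingress interface is dropped rather than hairpinned or redirected) and the host-side workarounds from posts #3 and #8 (a host route to 10.10.45.253, or making the inside router the default gateway) can be modelled in a few lines. The following is an added example and not code or configuration from the thread or from Cisco; the addresses are the ones posted, while the ISP next hop 84.18.156.17 and the destination host 10.10.46.10 are constructed placeholders.

```python
"""Model of the PIX 506E forwarding decision discussed in the thread."""
from ipaddress import ip_address, ip_network

# Addresses from the thread; the ISP gateway and the 10.10.46.x host are assumed.
PIX_INSIDE_IP = "10.10.45.254"
INSIDE_ROUTER_IP = "10.10.45.253"
ISP_GATEWAY_IP = "84.18.156.17"   # assumption: not stated in the thread

# PIX routing table as (destination, next hop or None if connected, interface).
PIX_ROUTES = [
    ("0.0.0.0/0", ISP_GATEWAY_IP, "outside"),
    ("84.18.156.16/29", None, "outside"),
    ("10.10.45.0/24", None, "inside"),
    ("10.10.46.0/24", INSIDE_ROUTER_IP, "inside"),   # the OP's static route
]


def lookup(routes, dst):
    """Longest-prefix match over (network, next_hop, interface) entries."""
    addr = ip_address(dst)
    best = None
    for net, next_hop, iface in routes:
        network = ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, next_hop, iface)
    return best


def pix_forward(ingress, dst):
    """Return ('forward', egress, next_hop) or ('drop', reason) for one packet."""
    match = lookup(PIX_ROUTES, dst)
    if match is None:
        return ("drop", "no route")
    _, next_hop, egress = match
    # The rule both posters describe: the PIX will not send a packet back out
    # the interface it arrived on, and it sends no ICMP redirect to the host.
    if egress == ingress:
        return ("drop", "egress equals ingress: no hairpin, no ICMP redirect")
    return ("forward", egress, next_hop or dst)


# Host routing tables on the 10.10.45.0/24 LAN (interface names are illustrative).
HOST_DEFAULT_GW_PIX = [                      # the OP's current setup
    ("10.10.45.0/24", None, "eth0"),
    ("0.0.0.0/0", PIX_INSIDE_IP, "eth0"),
]
HOST_WITH_STATIC_ROUTE = HOST_DEFAULT_GW_PIX + [   # post #3's "route add"
    ("10.10.46.0/24", INSIDE_ROUTER_IP, "eth0"),
]
HOST_DEFAULT_GW_ROUTER = [                   # post #8's recommendation
    ("10.10.45.0/24", None, "eth0"),
    ("0.0.0.0/0", INSIDE_ROUTER_IP, "eth0"),
]


def trace_from_lan(host_routes, dst):
    """Follow a packet from a LAN host to its first hop and report the outcome."""
    _, next_hop, _ = lookup(host_routes, dst)
    first_hop = next_hop or dst
    path = [f"host -> {first_hop}"]
    if first_hop == PIX_INSIDE_IP:
        decision = pix_forward("inside", dst)
        if decision[0] == "forward":
            path.append(f"PIX: forward via {decision[1]} to {decision[2]}")
        else:
            path.append(f"PIX: drop ({decision[1]})")
    elif first_hop == INSIDE_ROUTER_IP:
        path.append(f"inside router -> {dst} over the point-to-point link")
    else:
        path.append(f"delivered directly to {dst}")
    return path


if __name__ == "__main__":
    target = "10.10.46.10"
    print("from outside:", pix_forward("outside", target))
    for name, table in [("default gw = PIX", HOST_DEFAULT_GW_PIX),
                        ("host route added", HOST_WITH_STATIC_ROUTE),
                        ("default gw = router", HOST_DEFAULT_GW_ROUTER)]:
        print(f"{name}: " + " | ".join(trace_from_lan(table, target)))
```

    Running it shows the three cases the thread argues about: a packet arriving on the outside interface is forwarded to 10.10.45.253 as post #5 says; a LAN host using the PIX as default gateway has its packet dropped at the PIX; and either a host route or the router-as-default-gateway change keeps the packet off the PIX entirely.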