pix no route to host, but there is a route

Discussion in 'Cisco' started by Karnov, Feb 2, 2006.

  1. Karnov

    Karnov Guest

    Hi all,

    I've got a PIX 506e which has the following config:

    PIX Version 6.3(5)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname chqpix
    domain-name example.com
    names
    name 192.168.4.0 mitelnet
    name 10.20.6.0 globixnet
    name 10.0.2.0 chqnet
    object-group service web tcp
    description HTTP and HTTPS
    port-object eq www
    port-object eq https
    access-list inside_outbound_nat0_acl permit ip chqnet 255.255.255.0 globixnet 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip mitelnet 255.255.255.0 globixnet 255.255.255.0
    access-list outside_cryptomap_20 permit ip chqnet 255.255.255.0 globixnet 255.255.255.0
    access-list outside_cryptomap_20 permit ip mitelnet 255.255.255.0 globixnet 255.255.255.0
    access-list outside_access_in permit tcp any host 1.1.25.227 object-group web
    access-list outside_access_in permit icmp any any
    mtu outside 1500
    mtu inside 1500
    ip address outside 1.1.202.218 255.255.255.252
    ip address inside 10.0.2.2 255.255.255.0
    ip verify reverse-path interface outside
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 1.1.25.227 10.0.2.11 netmask 255.255.255.255 0 0
    static (inside,outside) 1.1.25.226 10.0.2.50 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 1.1.202.217 1
    route inside mitelnet 255.255.255.0 10.0.2.1 1
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set pfs group5
    crypto map outside_map 20 set peer 1.1.152.18
    crypto map outside_map 20 set transform-set ESP-AES-128-SHA
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 1.1.152.18 netmask 255.255.255.255 no-xauth
    isakmp keepalive 60 10
    isakmp nat-traversal 15
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption aes-256
    isakmp policy 20 hash sha
    isakmp policy 20 group 5
    isakmp policy 20 lifetime 86400
    isakmp policy 40 authentication pre-share
    isakmp policy 40 encryption 3des
    isakmp policy 40 hash sha
    isakmp policy 40 group 2
    isakmp policy 40 lifetime 86400
    isakmp policy 60 authentication pre-share
    isakmp policy 60 encryption 3des
    isakmp policy 60 hash sha
    isakmp policy 60 group 5
    isakmp policy 60 lifetime 86400

    chqpix# show route
    outside 0.0.0.0 0.0.0.0 1.1.202.217 1 OTHER static
    inside chqnet 255.255.255.0 10.0.2.2 1 CONNECT static
    inside mitelnet 255.255.255.0 10.0.2.1 1 OTHER static
    outside 1.1.202.216 255.255.255.252 1.1.202.218 1 CONNECT static

    There's clearly a static route for 192.168.4.0 255.255.255.0 to 10.0.2.1.

    The problem is, if I try to connect from 10.0.2.0/24 (chqnet) to 192.168.4.0 I
    get a no route to host error on the PIX:

    110001: No route to 192.168.4.2 from 10.0.2.23

    But I can connect from the outside VPN 10.20.6.0/24 (globixnet) to 192.168.4.0.

    Does anyone see why this could be happening?

    thanks
    Karnov
    Karnov, Feb 2, 2006
    #1

  2. Hello, Karnov!
    You wrote on 2 Feb 2006 08:08:57 -0800:

    K> chqpix# show route
    K> outside 0.0.0.0 0.0.0.0 1.1.202.217 1 OTHER static
    K> inside chqnet 255.255.255.0 10.0.2.2 1 CONNECT static
    K> inside mitelnet 255.255.255.0 10.0.2.1 1 OTHER static
    K> outside 1.1.202.216 255.255.255.252 1.1.202.218 1 CONNECT
    K> static

    K> There's clearly a static route for 192.168.4.0 255.255.255.0 to
    K> 10.0.2.1.

    K> The problem is, if I try to connect from 10.0.2.0/24 (chqnet) to
    K> 192.168.4.0 I get a no route to host error on the PIX:

    K> 110001: No route to 192.168.4.2 from 10.0.2.23

    K> But I can connect from the outside VPN 10.20.6.0/24 (globixnet) to
    K> 192.168.4.0.

    K> Does anyone see why this could be happening?

    PIX is not a router. Traffic has to cross the PIX from one interface to another. In
    your case traffic is entering on the inside interface and is supposed to exit on the
    same inside interface. Can't do.

    With best regards,
    Andrey.
    Andrey Tarasov, Feb 2, 2006
    #2

  3. Karnov

    Karnov Guest

    In article <drtgjn$1nds$>, Andrey Tarasov says...
    >
    >Hello, Karnov!
    >You wrote on 2 Feb 2006 08:08:57 -0800:
    >
    > K> chqpix# show route
    > K> outside 0.0.0.0 0.0.0.0 1.1.202.217 1 OTHER static
    > K> inside chqnet 255.255.255.0 10.0.2.2 1 CONNECT static
    > K> inside mitelnet 255.255.255.0 10.0.2.1 1 OTHER static
    > K> outside 1.1.202.216 255.255.255.252 1.1.202.218 1 CONNECT
    > K> static
    >
    > K> There's clearly a static route for 192.168.4.0 255.255.255.0 to
    > K> 10.0.2.1.
    >
    > K> The problem is, if I try to connect from 10.0.2.0/24 (chqnet) to
    > K> 192.168.4.0 I get a no route to host error on the PIX:
    >
    > K> 110001: No route to 192.168.4.2 from 10.0.2.23
    >
    > K> But I can connect from the outside VPN 10.20.6.0/24 (globixnet) to
    > K> 192.168.4.0.
    >
    > K> Does anyone see why this could be happening?
    >
    >PIX is not a router. Traffic has to cross the PIX from one interface to another. In
    >your case traffic is entering on the inside interface and is supposed to exit on the
    >same inside interface. Can't do.


    Andrey,

    Thanks for your input, but I forgot to add that this did work yesterday, and
    among some config changes it no longer works. I'm not asking the PIX to route,
    I'm asking it to do an ICMP redirect to tell clients to connect to 10.0.2.1 to
    talk to 192.168.4.0.

    Karnov
    Karnov, Feb 2, 2006
    #3
  4. In article <>,
    Karnov <> wrote:
    >I'm not asking the PIX to route,
    >I'm asking it to do an ICMP redirect to tell clients to connect to 10.0.2.1 to
    >talk to 192.168.4.0.


    PIX 6.x never does ICMP redirects. PIX 6 is specifically designed to
    drop all traffic except that which is directed to the PIX itself and
    that which traverses between interfaces with different security levels.
    Walter Roberson, Feb 2, 2006
    #4
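    The two replies describe the same rule: on PIX 6.x a flow whose ingress and egress interface are identical is dropped (and logged as 110001) rather than forwarded or redirected. The following Python is an added example, not code from the thread: it parses the relevant "ip address" and "route" lines from Karnov's config (with the "name" aliases resolved, so mitelnet is 192.168.4.0) and classifies a flow by longest-prefix lookup of its source and destination, flagging the same-interface case the answers point at.

```python
import ipaddress

# Constructed excerpt of the config posted in the thread, name aliases resolved.
PIX_CONFIG = """
ip address outside 1.1.202.218 255.255.255.252
ip address inside 10.0.2.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 1.1.202.217 1
route inside 192.168.4.0 255.255.255.0 10.0.2.1 1
"""

def build_route_table(config):
    """Return (network, interface, next_hop) tuples from 'ip address' and 'route' lines."""
    routes = []
    for line in config.strip().splitlines():
        parts = line.split()
        if parts[:2] == ["ip", "address"]:
            # Connected network of the interface; next hop is the interface itself.
            net = ipaddress.ip_network(f"{parts[3]}/{parts[4]}", strict=False)
            routes.append((net, parts[2], None))
        elif parts[0] == "route":
            net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            routes.append((net, parts[1], parts[4]))
    return routes

def lookup(routes, ip):
    """Longest-prefix match; returns (interface, next_hop) or None if no route."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, iface, next_hop in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return None if best is None else (best[1], best[2])

def classify_flow(routes, src, dst):
    """Model the PIX 6.x decision: 'forward', 'hairpin' (same interface in and out,
    dropped and logged as 110001 'No route to <dst> from <src>'), or 'no-route'."""
    ingress = lookup(routes, src)
    egress = lookup(routes, dst)
    if ingress is None or egress is None:
        return "no-route"
    if ingress[0] == egress[0]:
        return "hairpin"
    return "forward"

if __name__ == "__main__":
    table = build_route_table(PIX_CONFIG)
    # The failing flow from the thread: chqnet host to a mitelnet host.
    print(classify_flow(table, "10.0.2.23", "192.168.4.2"))   # hairpin
    # The working flow: VPN peer network (globixnet) to mitelnet.
    print(classify_flow(table, "10.20.6.5", "192.168.4.2"))   # forward
```

    Running it reproduces the thread's observation: the inside-to-inside flow is a hairpin the PIX refuses, while the globixnet flow arrives on outside and leaves on inside, so it is forwarded.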
