PIX route issue

Discussion in 'Cisco' started by Ned, Mar 24, 2006.

  1. Ned

    Ned Guest

    user in 172.17.12.91 (inside network) is pinging 192.168.1.1 (DMZ
    network)
    The access switch (console port) for the 172 network can PING all
    devices in the DMZ network
    Both are on "connected interfaces"- so shouldn't
    need a static route. In fact if I try to insert a static route
    the firewall says "route already exists"

    PIX messages are:
    110001: No route to 172.17.12.91 from 192.168.1.1
    110001: No route to 172.17.12.91 from 192.168.1.1
    110001: No route to 172.17.12.91 from 192.168.1.1

    pixfirewall(config)#
    pixfirewall(config)#
    pixfirewall(config)#
    pixfirewall(config)#
    pixfirewall(config)# no logging on
    pixfirewall(config)# sho route
    outside 0.0.0.0 0.0.0.0 194.196.37.1 1 OTHER static
    inside 10.96.128.0 255.255.240.0 10.96.128.1 1 OTHER static
    inside 10.97.20.0 255.255.252.0 10.97.23.250 1 OTHER static
    intf3 127.0.0.1 255.255.255.255 127.0.0.1 1 CONNECT static
    inside 172.17.0.0 255.255.0.0 172.17.0.253 1 CONNECT static
    DMZ 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
    inside 192.168.6.0 255.255.255.0 192.168.6.1 1 OTHER static
    outside 194.196.37.0 255.255.255.240 194.196.37.2 1 CONNECT static
    pixfirewall(config)#

    Any ideas please, Ned
     
    Ned, Mar 24, 2006
    #1

  2. Ned

    chris Guest

    "Ned" <> wrote in message
    news:...
    > user in 172.17.12.91 (inside network) is pinging 192.168.1.1 (DMZ
    > network)
    > The access switch (console port) for the 172 network can PING all
    > devices in the DMZ network
    > Both are on "connected interfaces"- so shouldn't
    > need a static route. In fact if I try to insert a static route
    > the firewall says "route already exists"
    >
    > PIX messages are:
    > 110001: No route to 172.17.12.91 from 192.168.1.1
    > 110001: No route to 172.17.12.91 from 192.168.1.1
    > 110001: No route to 172.17.12.91 from 192.168.1.1
    >
    > pixfirewall(config)#
    > pixfirewall(config)#
    > pixfirewall(config)#
    > pixfirewall(config)#
    > pixfirewall(config)# no logging on
    > pixfirewall(config)# sho route
    > outside 0.0.0.0 0.0.0.0 194.196.37.1 1 OTHER static
    > inside 10.96.128.0 255.255.240.0 10.96.128.1 1 OTHER static
    > inside 10.97.20.0 255.255.252.0 10.97.23.250 1 OTHER static
    > intf3 127.0.0.1 255.255.255.255 127.0.0.1 1 CONNECT static
    > inside 172.17.0.0 255.255.0.0 172.17.0.253 1 CONNECT static
    > DMZ 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
    > inside 192.168.6.0 255.255.255.0 192.168.6.1 1 OTHER static
    > outside 194.196.37.0 255.255.255.240 194.196.37.2 1 CONNECT static
    > pixfirewall(config)#
    >
    > Any ideas please, Ned
    >


    You say that the user on 172.17.12.91 is pinging a host in the DMZ. What's
    the question? Is this working or not? Can the user ping any other devices in
    the DMZ? Can the user ping anything else outside the local LAN?

    Have you checked the routing table on the LAN host? They will need a default
    gateway to be able to get out from the LAN.

    Chris.
     
    chris, Mar 24, 2006
    #2

  3. Ned

    Ned Guest

    No - the user cannot PING the DMZ devices. That's what the router
    message "110001: No route to 172.17.12.91 from 192.168.1.1" is saying.
    The user is 172.17.12.91. The 172.17 users have a default gateway - the
    default gateway CAN ping the DMZ devices. It is the PIX saying it has
    no route to the client - but it has a connected interface "inside
    172.17.0.0 255.255.0.0 172.17.0.253 1 CONNECT static". That's my
    problem - the PIX is saying it has no route to that client, but it is
    also saying it has a connected interface for that network.

    chris wrote:
    > "Ned" <> wrote in message
    > news:...
    > > user in 172.17.12.91 (inside network) is pinging 192.168.1.1 (DMZ
    > > network)
    > > The access switch (console port) for the 172 network can PING all
    > > devices in the DMZ network
    > > Both are on "connected interfaces"- so shouldn't
    > > need a static route. In fact if I try to insert a static route
    > > the firewall says "route already exists"
    > >
    > > PIX messages are:
    > > 110001: No route to 172.17.12.91 from 192.168.1.1
    > > 110001: No route to 172.17.12.91 from 192.168.1.1
    > > 110001: No route to 172.17.12.91 from 192.168.1.1
    > >
    > > pixfirewall(config)#
    > > pixfirewall(config)#
    > > pixfirewall(config)#
    > > pixfirewall(config)#
    > > pixfirewall(config)# no logging on
    > > pixfirewall(config)# sho route
    > > outside 0.0.0.0 0.0.0.0 194.196.37.1 1 OTHER static
    > > inside 10.96.128.0 255.255.240.0 10.96.128.1 1 OTHER static
    > > inside 10.97.20.0 255.255.252.0 10.97.23.250 1 OTHER static
    > > intf3 127.0.0.1 255.255.255.255 127.0.0.1 1 CONNECT static
    > > inside 172.17.0.0 255.255.0.0 172.17.0.253 1 CONNECT static
    > > DMZ 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
    > > inside 192.168.6.0 255.255.255.0 192.168.6.1 1 OTHER static
    > > outside 194.196.37.0 255.255.255.240 194.196.37.2 1 CONNECT static
    > > pixfirewall(config)#
    > >
    > > Any ideas please, Ned
    > >

    >
    > You say that the user on 172.17.12.91 is pinging a host in the DMZ. What's
    > the question? Is this working or not? Can the user ping any other devices in
    > the DMZ? Can the user ping anything else outside the local LAN?
    >
    > Have you checked the routing table on the LAN host? They will need a default
    > gateway to be able to get out from the LAN.
    >
    > Chris.
     
    Ned, Mar 26, 2006
    #3
  4. Ned

    Merv Guest

    Do you have a static to dmz?

    static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
     
    Merv, Mar 26, 2006
    #4
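
    Added example, not part of any post in the thread: a Python check of the pasted `sho route` table against the 110001 message, using longest-prefix match. The function names are hypothetical, and treating the gateway column of CONNECT rows as the PIX's own interface address is an assumption about this output format.

```python
import ipaddress
import re

# `sho route` output and syslog line as pasted in the thread (wrapped row kept).
SHOW_ROUTE = """\
outside 0.0.0.0 0.0.0.0 194.196.37.1 1 OTHER static
inside 10.96.128.0 255.255.240.0 10.96.128.1 1 OTHER static
inside 10.97.20.0 255.255.252.0 10.97.23.250 1 OTHER static
intf3 127.0.0.1 255.255.255.255 127.0.0.1 1 CONNECT static
inside 172.17.0.0 255.255.0.0 172.17.0.253 1 CONNECT static
DMZ 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
inside 192.168.6.0 255.255.255.0 192.168.6.1 1 OTHER static
outside 194.196.37.0 255.255.255.240 194.196.37.2 1 CONNECT
static
"""
SYSLOG = "110001: No route to 172.17.12.91 from 192.168.1.1"

ROW = re.compile(r"^(\S+) ([\d.]+) ([\d.]+) ([\d.]+) \d+ (\w+)")
MSG = re.compile(r"110001: No route to ([\d.]+) from ([\d.]+)")

def parse_routes(text):
    """Parse rows of the form: ifc network mask gateway metric type."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # prompts, blank lines, the wrapped "static" tail
        ifc, net, mask, gw, kind = m.groups()
        prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
        routes.append((ipaddress.ip_network(f"{net}/{prefix}"), ifc, gw, kind))
    return routes

def lookup(routes, addr):
    """Longest-prefix match; returns (network, ifc, gateway, type) or None."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

def check_110001(routes, msg):
    """Compare a 110001 message with the table it was logged next to."""
    dst, src = MSG.search(msg).groups()
    d, s = lookup(routes, dst), lookup(routes, src)
    # Assumption: on CONNECT rows the gateway column is the PIX's own address.
    own = {gw for _, _, gw, kind in routes if kind == "CONNECT"}
    return {
        "dst_route": (d[1], d[3]) if d else None,
        "src_route": (s[1], s[3]) if s else None,
        "src_is_pix_interface": src in own,
    }
```

    On the thread's data both addresses resolve to CONNECT routes (inside and DMZ), and the "from" address 192.168.1.1 is the address listed on the DMZ CONNECT row.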
