PIX static route not working, im desperate!

Discussion in 'Cisco' started by Davide Corrado, Jan 28, 2008.

  1. Hello, I'm a UNIX system admin and sometimes I have to put my hands on
    Cisco stuff. Usually I can do it by reading docs online, but this time I'm
    really desperate. I hope someone here can help me solve my problem... :)

    I'm using a PIX 515E with firmware 8.0.2


    SERVER FARM
    X.X.X.X
    |
    |
    ADSL
    |
    |
    192.168.69.30
    OFFICE LAN (addresses 192.168.69.0/24)
    |
    |
    |
    PIX 515E (internal address 192.168.69.253, extern Y.Y.Y.Y)
    |
    |
    INTERNET

    So we have an ADSL link that connects our office LAN to a server farm
    (our LAN has addresses of this kind: 192.168.69.X), and we are connected to
    the Internet using a second ADSL link.
    What we need is to reach the servers in the server farm using the PIX
    VPN. I put a static route in the PIX configuration but it's not working
    when I connect to the PIX using the VPN. And when I am in the LAN, I
    have to manually insert in my PC the static route that sends all traffic
    to X.X.X.X via 192.168.69.30.
    I don't understand what is wrong; could you please help me?

    PIX Version 8.0(2)
    !
    hostname PIXNSC
    domain-name xxxxxxxxx
    enable password RKODEhJ1uwKzCJ1e encrypted
    names
    !
    interface Ethernet0
    nameif outside
    security-level 0
    ip address Y.Y.Y.Y 255.255.255.248
    !
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 192.168.69.253 255.255.255.0
    !
    interface Ethernet2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    passwd ************** encrypted
    ftp mode passive
    dns server-group DefaultDNS
    domain-name nscsrl.it
    access-list outside_access_in extended permit tcp any host Y.Y.Y.140 eq www
    access-list outside_access_in extended permit tcp any host Y.Y.Y.140 eq pop3
    access-list outside_access_in extended permit tcp any host Y.Y.Y.140 eq 5222
    access-list outside_access_in extended permit tcp any host Y.Y.Y.140 eq 5223
    access-list outside_access_in extended permit tcp any host Y.Y.Y.140 eq https
    access-list outside_access_in extended permit tcp any host Y.Y.Y.140 eq smtp
    access-list outside_access_in extended permit tcp any host Y.Y.Y.140 eq 995
    access-list outside_access_in extended permit tcp any host Y.Y.Y.140 eq 465
    access-list outside_access_in extended permit tcp host 85.18.117.122 host Y.Y.Y.139 eq ssh
    access-list outside_access_in extended permit tcp host 85.18.117.122 host Y.Y.Y.139 eq 3306
    access-list outside_access_in extended permit tcp host 85.18.117.122 host Y.Y.Y.139 eq 7129
    access-list outside_access_in extended permit tcp any host Y.Y.Y.142 eq www
    access-list outside_access_in extended permit tcp any host Y.Y.Y.142 eq 8554
    access-list outside_access_in extended permit tcp any host Y.Y.Y.142 eq 6968
    access-list outside_access_in extended permit tcp any host Y.Y.Y.142 eq 6969
    access-list nonat extended permit ip 192.168.69.0 255.255.255.0 host 192.168.69.145
    access-list nonat extended permit ip 192.168.69.0 255.255.255.0 host 192.168.69.146
    access-list nonat extended permit ip 192.168.69.0 255.255.255.0 host 192.168.69.147
    access-list nonat extended permit ip 192.168.69.0 255.255.255.0 host 192.168.69.148
    access-list nonat extended permit ip 192.168.69.0 255.255.255.0 host 192.168.69.149
    access-list nonat extended permit ip 192.168.69.0 255.255.255.0 host 192.168.69.150
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip local pool vpnpool1 192.168.69.145-192.168.69.150 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) Y.Y.Y.140 192.168.69.41 netmask 255.255.255.255
    static (inside,outside) Y.Y.Y.142 192.168.69.220 netmask 255.255.255.255
    static (inside,outside) Y.Y.Y.139 192.168.69.42 netmask 255.255.255.255
    static (inside,outside) Y.Y.Y.141 192.168.69.47 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 X.X.X.137 1 << THIS IS THE ROUTE TO THE ADSL MODEM FOR INTERNET ACCESS
    route inside X.X.X.X 255.255.255.0 192.168.69.30 1 << THIS IS THE STATIC ROUTE TO THE SERVER FARM
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication serial console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set nsc esp-3des esp-md5-hmac
    crypto dynamic-map map2 10 set transform-set nsc
    crypto dynamic-map map2 10 set reverse-route
    crypto map map1 10 ipsec-isakmp dynamic map2
    crypto map map1 interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh 192.168.69.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    !
    service-policy global_policy global
    username Administrator password ************** encrypted
    username corrado password ************ encrypted
    tunnel-group nscvpn type remote-access
    tunnel-group nscvpn general-attributes
    address-pool vpnpool1
    tunnel-group nscvpn ipsec-attributes
    pre-shared-key *
    prompt hostname context
    Cryptochecksum:755f1e6a91c1b8423e16b7560519436f
    : end
    PIXNSC#
     
    Davide Corrado, Jan 28, 2008
    #1

  2. Chris (Guest)

    On Mon, 28 Jan 2008 16:39:18 +0100, Davide Corrado wrote:

    > Hello, I'm a UNIX system admin and sometimes I have to put my hands on
    > Cisco stuff. Usually I can do it by reading docs online, but this time I'm
    > really desperate. I hope someone here can help me solve my problem... :)
    >
    > I'm using a PIX 515E with firmware 8.0.2
    >
    >
    > SERVER FARM
    > X.X.X.X
    > |
    > |
    > ADSL
    > |
    > |
    > 192.168.69.30
    > OFFICE LAN (addresses 192.168.69.0/24)
    > |
    > |
    > |
    > PIX 515E (internal address 192.168.69.253, extern Y.Y.Y.Y)
    > |
    > |
    > INTERNET
    >
    > So we have an ADSL link that connects our office LAN to a server farm
    > (our LAN has addresses of this kind: 192.168.69.X), and we are connected to
    > the Internet using a second ADSL link.
    > What we need is to reach the servers in the server farm using the PIX
    > VPN. I put a static route in the PIX configuration but it's not working
    > when I connect to the PIX using the VPN. And when I am in the LAN, I
    > have to manually insert in my PC the static route that sends all traffic
    > to X.X.X.X via 192.168.69.30.
    > I don't understand what is wrong; could you please help me?
    >


    > interface Ethernet1
    > nameif inside
    > security-level 100
    > ip address 192.168.69.253 255.255.255.0
    > !


    > route inside X.X.X.X 255.255.255.0 192.168.69.30 1 <<QUESTA E' LA ROTTA


    So it looks like what you are trying to do is from the internal LAN on
    192.168.69.x you are trying to use this pix as a gateway and have internet
    traffic hitting this pix on 192.168.69.253 route back inside the network to
    the ADSL gateway on 192.168.69.30. This has been covered many times and
    won't work because the pix is not a router. Traffic that enters the pix on
    one interface must leave it via another interface. You can't 'route on a
    stick', ie. have traffic come into the inside interface and then be routed
    back out of that same interface.

    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a0080094874.shtml

    Chris.
     
    Chris, Jan 28, 2008
    #2

  3. In article <1062ywl8zsbnc.1ahqfclu4bbg1$>,
    Chris <> wrote:
    >On Mon, 28 Jan 2008 16:39:18 +0100, Davide Corrado wrote:


    >> Im unsing a pix 515E with firmware 8.0.2


    >So it looks like what you are trying to do is from the internal LAN on
    >192.168.69.x you are trying to use this pix as a gateway and have internet
    >traffic hitting this pix on 192.168.69.253 route back inside the network to
    >the ADSL gateway on 192.168.69.30. This has been covered many times and
    >won't work because the pix is not a router. Traffic that enters the pix on
    >one interface must leave it via another interface. You can't 'route on a
    >stick', ie. have traffic come into the inside interface and then be routed
    >back out of that same interface.


    Notice that the original poster said PIX 8.0.2.

    Since 7.2,
    same-security-traffic permit intra-interface
    "permits traffic to enter and leave the same interface, and
    not just IPSec traffic".
     
    Walter Roberson, Jan 28, 2008
    #3
  4. I knew that starting from 7.0 this kind of traffic was supported (I
    didn't know how to activate it anyway :)).

    Well, I inserted
    same-security-traffic permit intra-interface
    in the configuration. Right now I'm connected to the office LAN and I
    deleted the static route that leads to the server farm from my PC, to
    see if the PIX static route is now working in the LAN... and it's not
    working... what else can I do?

    > Since 7.2,
    > same-security-traffic permit intra-interface


    > "permits traffic to enter and leave the same interface, and
    > not just IPSec traffic".
    >
     
    Davide Corrado, Jan 29, 2008
    #4
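As an added example (not from the thread, and not Cisco's own documentation text), here is the set of PIX 8.0 commands that Walter's hint in #3 implies for the LAN case Chris describes in #2: hosts on 192.168.69.0/24 using the PIX as their default gateway, with the PIX sending farm-bound traffic back out the inside interface to the ADSL router at 192.168.69.30. 203.0.113.0/24 is a stand-in for the obfuscated farm prefix X.X.X.0/24, and 192.168.69.10 / 203.0.113.10 are made-up hosts for the check at the end; the interface names, the NAT id 1 and the nonat list are the ones in the posted config.

```text
! Added example, not from the original thread. PIX 8.0(2), interfaces as posted.
! 203.0.113.0/24 stands in for the obfuscated farm prefix X.X.X.0/24.
!
! 1. Let a packet enter and leave the same interface (the command Walter
!    quotes in #3; from 7.2 it applies to all traffic, not only IPsec).
same-security-traffic permit intra-interface
!
! 2. The farm prefix is reached via the ADSL router on the inside segment
!    (this is the route the poster already has, with the stand-in prefix).
route inside 203.0.113.0 255.255.255.0 192.168.69.30 1
!
! 3. NAT. The posted "nat (inside) 1 0.0.0.0 0.0.0.0" matches the hairpinned
!    flow, but the only global for id 1 is on outside. A flow that matches a
!    nat statement and leaves through an interface with no global for that id
!    is dropped, logged as %PIX-3-305005 "No translation group found".
!    Option A (preferred, keeps the return path on the PIX): PAT the flow to
!    the inside interface address.
global (inside) 1 interface
!    Option B: exempt the flow from NAT instead (nat 0 takes precedence over
!    the dynamic rule, so adding this makes option A irrelevant for this flow).
!    The farm router then sees the real LAN source address.
! access-list nonat extended permit ip 192.168.69.0 255.255.255.0 203.0.113.0 255.255.255.0
!
! 4. Checks (packet-tracer exists from 7.2; the hosts below are made up).
! show route
! packet-tracer input inside tcp 192.168.69.10 1025 203.0.113.10 80
! show xlate
! capture farm interface inside match ip host 192.168.69.30 any
```

Option A over option B is a deliberate choice: with an exemption, 192.168.69.30 answers the LAN host directly (they share the segment), so the PIX sees only the client half of each TCP connection and its state check drops the rest; with PAT to 192.168.69.253 the ADSL router replies to the PIX and the flow stays symmetric. The packet-tracer line shows which of route lookup, NAT or ACL drops the packet, which is the quickest way to tell whether the intra-interface permit alone was enough. Note that this block addresses the LAN case only: a VPN client's packets enter on outside and leave on inside, so the intra-interface permit is not what is exercised for them; their replies from 192.168.69.30 must reach a pool address (192.168.69.145-150) that lies inside the LAN subnet, so check with "show arp" and the capture above whether those replies actually come back to the PIX.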
