Static route on PIX 506e

Discussion in 'Cisco' started by ingo@tiede.it, Jan 18, 2006.

  1. Guest

    Hi all,

    I tried to establish a static route on a PIX 506e but it does not work.
    Maybe someone has an idea what is wrong or what I missed and can give
    me some advice.

    This is the scenario:
    The inside interface has the address 192.168.20.10 in the subnet
    192.168.20.0/24.
    The outside interface has a public IP address.
    The default route is set correctly and works properly.

    Now I added a new router at the private segment with the address
    192.168.20.12 which routes packets to the subnet 10.254.249.0. I added
    the following static route to the PIX configuration with the PDM Tool:

    Interface: inside
    IP-Address: 10.254.249.0
    Netmask: 255.255.255.0
    Gateway: 192.168.20.12
    Metric: 1

    But I do not get a connection to hosts on the 10.254.249.0 Network.
    When I define a static route to this network on the Windows OS the
    connection works properly so the failure must be in the PIX
    configuration.

    Any help is highly appreciated.

    TIA ... ingo
     
    , Jan 18, 2006
    #1

  2. In article <>, "" <> writes:
    >Hi all,
    >
    >I tried to establish a static route on a PIX 506e but it does not work.
    >Maybe someone has an idea what is wrong or what I missed and can give
    >me some advice.
    >
    >This is the scenario:
    >The inside interface has the address 192.168.20.10 in the subnet
    >192.168.20.0/24.
    >The outside interface has a public IP address.
    >The default route is set correctly and works properly.
    >
    >Now I added a new router at the private segment with the address
    >192.168.20.12 which routes packets to the subnet 10.254.249.0. I added
    >the following static route to the PIX configuration with the PDM Tool:
    >
    >Interface: inside
    >IP-Address: 10.254.249.0
    >Netmask: 255.255.255.0
    >Gateway: 192.168.20.12
    >Metric: 1
    >
    >But I do not get a connection to hosts on the 10.254.249.0 Network.
    >When I define a static route to this network on the Windows OS the
    >connection works properly so the failure must be in the PIX
    >configuration.


    Telnet to the pix and enter "sho running". Without your configuration it is
    almost impossible to help you.

    Regards,
    Christoph Gartmann

    --
    Max-Planck-Institut fuer Phone : +49-761-5108-464 Fax: -452
    Immunbiologie
    Postfach 1169 Internet: gartmann@immunbio dot mpg dot de
    D-79011 Freiburg, Germany
    http://www.immunbio.mpg.de/home/menue.html
     
    Christoph Gartmann, Jan 18, 2006
    #2

  3. Guest

    Hi Christoph,

    thanks for your advice. Here is the running configuration:

    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password **************** encrypted
    passwd **************** encrypted
    hostname pix
    domain-name main-fm.local
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    no fixup protocol dns
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.20.1 SRV-OFFICE
    name 192.168.20.99 Streaming-Server
    name 192.168.20.2 SRV-Transfer
    access-list outside_access_in permit tcp any host 87.234.193.75 eq ftp
    access-list outside_access_in permit tcp any host 87.234.193.74 eq smtp
    access-list outside_access_in permit tcp any host 87.234.193.74 eq https
    access-list outside_access_in permit tcp any host 87.234.193.74 eq ftp
    access-list outside_access_in permit tcp host 217.9.109.66 host 87.234.193.74 eq 1433
    access-list outside_access_in permit tcp any host 87.234.193.76 eq 2233
    access-list outside_access_in permit tcp any host 87.234.193.76 eq 3389
    access-list outside_access_in permit tcp host 217.9.109.66 host 87.234.193.74 eq 3389
    access-list inside_outbound_nat0_acl permit ip any 192.168.20.64 255.255.255.192
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 87.234.193.78 255.255.255.248
    ip address inside 192.168.20.10 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool VPN_IP 192.168.20.95-192.168.20.98
    pdm location 192.168.20.0 255.255.255.0 inside
    pdm location SRV-OFFICE 255.255.255.255 inside
    pdm location SRV-Transfer 255.255.255.255 inside
    pdm location 217.9.109.66 255.255.255.255 outside
    pdm location Streaming-Server 255.255.255.255 inside
    pdm location 192.168.20.64 255.255.255.192 outside
    pdm location 192.168.20.0 255.255.255.0 outside
    pdm location 0.0.0.0 255.255.255.255 inside
    pdm location 10.254.249.0 255.255.255.0 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 87.234.193.75 SRV-Transfer netmask 255.255.255.255 0 0
    static (inside,outside) 87.234.193.74 SRV-OFFICE netmask 255.255.255.255 0 0
    static (inside,outside) 87.234.193.76 Streaming-Server netmask 255.255.255.255 0 0
    static (inside,outside) 192.168.20.0 10.254.249.0 netmask 255.255.255.0 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 87.234.193.73 1
    route inside 10.254.249.0 255.255.255.0 192.168.20.12 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    ntp server 192.53.103.103 source outside prefer
    http server enable
    http 192.168.20.0 255.255.255.0 outside
    http 192.168.20.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-pptp
    telnet 192.168.20.0 255.255.255.0 outside
    telnet 192.168.20.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication mschap
    vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
    vpdn group PPTP-VPDN-GROUP client configuration address local VPN_IP
    vpdn group PPTP-VPDN-GROUP client configuration dns SRV-OFFICE
    vpdn group PPTP-VPDN-GROUP client configuration wins SRV-OFFICE
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn group PPTP-VPDN-GROUP client authentication local
    vpdn username *********** password *********
    vpdn enable outside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    terminal width 80
    Cryptochecksum:a105fa75b7f7af09cb2158e7981b624e
    : end
    [OK]

     
    , Jan 18, 2006
    #3
  4. In article <>, "" <> writes:
    >thanks for your advice. Here is the running configuration:

    [...]
    >static (inside,outside) 192.168.20.0 10.254.249.0 netmask 255.255.255.0 0 0


    This statement is conflicting with the following one:

    >route inside 10.254.249.0 255.255.255.0 192.168.20.12 1


    Why do you have this static statement?

    Regards,
    Christoph Gartmann

     
    Christoph Gartmann, Jan 18, 2006
    #4
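
The overlap pointed out in the reply above can be checked mechanically before a configuration is applied. This Python code is an added example, not part of the thread or of any Cisco tool; the function name `find_static_overlaps` and the finding labels are hypothetical, and the sample lines are copied from the configuration posted above. It assumes the PIX 6.x argument order for `static` (mapped address before real address) and handles only the host/network form of the command.

```python
import ipaddress

# Constructed sample: lines copied from the configuration posted in the thread.
SAMPLE = """\
name 192.168.20.2 SRV-Transfer
ip address outside 87.234.193.78 255.255.255.248
ip address inside 192.168.20.10 255.255.255.0
static (inside,outside) 87.234.193.75 SRV-Transfer netmask 255.255.255.255 0 0
static (inside,outside) 192.168.20.0 10.254.249.0 netmask 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 87.234.193.73 1
route inside 10.254.249.0 255.255.255.0 192.168.20.12 1
"""

def find_static_overlaps(config):
    """Return (kind, static_line, other) tuples that deserve a manual look.

    Assumed PIX 6.x syntax (host/network form only):
    static (real_if,mapped_if) mapped_ip real_ip netmask mask
    """
    names, connected, routes, statics = {}, {}, [], []

    def net(addr, mask):
        # Resolve 'name' aliases first, then build the network from ip/mask.
        return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)

    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["name"] and len(t) >= 3:
            names[t[2]] = t[1]
        elif t[:2] == ["ip", "address"] and len(t) >= 5:
            connected[t[2]] = net(t[3], t[4])
        elif t[:1] == ["route"] and len(t) >= 5:
            routes.append((t[1], net(t[2], t[3]), t[4]))
        elif t[:1] == ["static"] and "netmask" in t:
            mapped_if = t[1].strip("()").split(",")[1]
            mask = t[t.index("netmask") + 1]
            statics.append((line.strip(), mapped_if, net(t[2], mask), net(t[3], mask)))

    findings = []
    for text, mapped_if, mapped, real in statics:
        for ifname, dest, gw in routes:
            # Skip default routes (prefix length 0): they overlap everything.
            if dest.prefixlen and (real.overlaps(dest) or mapped.overlaps(dest)):
                findings.append(("overlaps-route", text, f"route {ifname} {dest} via {gw}"))
        for ifname, subnet in connected.items():
            # A mapped range normally lives on mapped_if; elsewhere it is suspect.
            if ifname != mapped_if and mapped.overlaps(subnet):
                findings.append(("mapped-on-other-interface", text, f"{ifname} {subnet}"))
    return findings

if __name__ == "__main__":
    for kind, static_line, other in find_static_overlaps(SAMPLE):
        print(f"{kind}: {static_line}  <->  {other}")
```

On the sample, only the `static (inside,outside) 192.168.20.0 10.254.249.0` line is reported: once against the `route inside` statement and once because its mapped range lies inside the subnet connected to the inside interface.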
  5. Guest

    Hmmmmmh, I do not know.
    I did not explicitly configure this static, I just tried to configure a
    static route. Can you tell me, how to delete this static? I prefer
    using PDM.

    Thank you very much. Your comments are a great help for me .-)

    Ingo
     
    , Jan 18, 2006
    #5
  6. In article <>, "" <> writes:
    >Hmmmmmh, I do not know.
    >I did not explicitly configure this static, I just tried to configure a
    >static route. Can you tell me, how to delete this static? I prefer
    >using PDM.


    As I am not familiar with the PDM I can only tell you how to do it from the
    command line:
    - telnet to the pix
    - at the prompt (e.g. "pix> ") type "enable" and enter the privileged password
    - at the new prompt (e.g. "pix# ") type "conf term".
    - next enter a "no static..."
    - to make the change permanent enter "write mem", otherwise the change is
    only persistent until the next reboot of the Pix.

    Regards,
    Christoph Gartmann

     
    Christoph Gartmann, Jan 18, 2006
    #6