Cisco PIX Routing

Mar 15th, 2007

Hello all,


I need your help. I cannot ping or access the 2nd local subnet from the PIX.


Structure:


PIX ---- Server 2003 ----Subnet1 + Subnet2


PIX

===

ip address outside pppoe setroute

ip address inside 192.168.5.254 255.255.255.0


Server 2003 IP Add1: 5.200

Server 2003 IP Add2: 10.200


From client PCs I can access and ping internet addresses and other subnets. Working.


From PIX I cannot only ping 5.200, cannot ping 10.200


What should I do?


Thanks in advance


PIX Config

==========

access-list 101 permit ip 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list 102 permit ip 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list 102 permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list 103 permit icmp any any

icmp permit any outside

icmp permit any inside

ip address outside pppoe setroute

ip address inside 192.168.5.254 255.255.255.0

ip local pool vpnpool 192.168.3.3-192.168.3.20

global (outside) 1 interface

nat (inside) 0 access-list 102

nat (inside) 1 192.168.5.0 255.255.255.0 0 0

nat (inside) 1 192.168.10.0 255.255.255.0 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group 103 in interface outside


Thanks in advance


Zati




acomiskey Thu, 03/15/2007 - 10:18

Are all clients on 192.168.5.0 ?


route inside 192.168.10.0 255.255.255.0

atacan2006 Thu, 03/15/2007 - 13:43

Some clients are on 192.168.5.0 and some are 192.168.10.0.


All clients can reach all the possible networks (also internet) and can ping.


Only from PIX Firewall I cannot ping the network 192.168.10.0.


I have also tried the following:


route inside 192.168.10.0 255.255.255.0


that didn't work.


!!!I wrote by mistake that I cannot ping network 192.168.5.0 from PIX. That works...Sorry!!!


Thanks for your reply.



acomiskey Thu, 03/15/2007 - 17:47

Now I'm confused....could you post a "show route" on the pix?

atacan2006 Fri, 03/16/2007 - 00:45

Here it is:


outside 0.0.0.0 0.0.0.0 (ISP_IP Address) 1 PPPOE static

inside 192.168.5.0 255.255.255.0 192.168.5.254 1 CONNECT static

inside 192.168.10.0 255.255.255.0 192.168.5.254 1 OTHER static

outside (ISP_IP Address) 255.255.255.255 (ISP_IP Address) 1 CONNECT static

Jon Marshall Fri, 03/16/2007 - 01:49

Hi


Your route to the 192.168.10.0 network is pointing to the same gateway as your route to the 192.168.5.0 network.

This is the problem. 192.168.5.254 is the inside interface of your pix. So your routing table says to get to 192.168.10.0 go to the inside interface of the pix which is clearly wrong.


You have 2 subnets in your network


192.168.5.0

192.168.10.0


Do you have a router internally that routes between these subnets? If you do, then you need to do as Adam has suggested and point a route to the 192.168.10.0 network via your internal router, e.g.


Say your internal router interface had an IP address of 192.168.5.253. On the pix:


route inside 192.168.10.0 255.255.255.0 192.168.5.253


If you don't have an internal router then how are you running two separate subnets internally?


Hope this makes sense


Jon
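The point Jon makes above (a static route whose next hop is the PIX's own inside address can never forward anything) can be turned into a quick sanity check over "show route" output. This is an added example, not code from the thread or from Cisco; the ISP addresses in the sample tables are placeholders (the original post redacted them), and the "fixed" table assumes the RRAS server's 192.168.5.200 interface as the next hop, as discussed later in the thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    iface: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int
    kind: str    # "CONNECT" (directly attached) or "OTHER" (via next hop) in PIX 6.x output
    source: str  # "static" for every entry in this thread


def parse_show_route(text: str) -> list[Route]:
    """Parse PIX 6.x 'show route' lines: iface network mask gateway metric kind source."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # blank lines or anything that is not a route entry
        iface, net, mask, gw, metric, kind, source = parts
        routes.append(Route(iface,
                            ipaddress.IPv4Network(f"{net}/{mask}", strict=False),
                            ipaddress.IPv4Address(gw), int(metric), kind, source))
    return routes


def check_routes(routes: list[Route]) -> list[tuple[Route, str]]:
    """Flag static routes whose next hop the PIX cannot actually use."""
    own_addrs = set()   # the firewall's own interface addresses
    attached = {}       # iface -> directly attached subnets
    for r in routes:
        if r.kind == "CONNECT":
            own_addrs.add(r.gateway)  # for CONNECT entries the gateway column is the PIX's own address
            attached.setdefault(r.iface, []).append(r.network)

    findings = []
    for r in routes:
        if r.kind == "CONNECT" or r.network.prefixlen == 0:
            continue  # attached subnets and the PPPoE default route are not checked here
        # A /32 CONNECT entry is a point-to-point link (PPPoE); only real subnets can validate a next hop.
        subnets = [n for n in attached.get(r.iface, []) if n.prefixlen < 32]
        if r.gateway in own_addrs:
            findings.append((r, f"next hop {r.gateway} is the PIX's own {r.iface} address; "
                                "nothing will forward these packets"))
        elif subnets and not any(r.gateway in n for n in subnets):
            findings.append((r, f"next hop {r.gateway} is not on a subnet attached to {r.iface}"))
    return findings


# Constructed sample modelled on the 'show route' output posted in the thread.
# 203.0.113.x are placeholder ISP addresses (the post redacted the real ones).
BROKEN = """\
outside 0.0.0.0 0.0.0.0 203.0.113.1 1 PPPOE static
inside 192.168.5.0 255.255.255.0 192.168.5.254 1 CONNECT static
inside 192.168.10.0 255.255.255.0 192.168.5.254 1 OTHER static
outside 203.0.113.10 255.255.255.255 203.0.113.10 1 CONNECT static
"""
# Same table with the 192.168.10.0 route pointed at the RRAS server instead of the PIX itself.
FIXED = BROKEN.replace("192.168.10.0 255.255.255.0 192.168.5.254",
                       "192.168.10.0 255.255.255.0 192.168.5.200")

if __name__ == "__main__":
    for label, table in (("broken", BROKEN), ("fixed", FIXED)):
        findings = check_routes(parse_show_route(table))
        print(f"{label}: {len(findings)} problem(s)")
        for route, why in findings:
            print(f"  {route.network} via {route.gateway}: {why}")
```

Running it reports the 192.168.10.0/24 route in the first table as pointing at the PIX's own inside address, and nothing for the second table, where the next hop is a real host on the attached 192.168.5.0/24 subnet.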

atacan2006 Fri, 03/16/2007 - 02:38

Thank you Jon, that makes sense.


I have a Windows 2003 Server configured as RRAS.


W2K3 has 2 interfaces:

Interface1 :192.168.5.200/24

Interface2 :192.168.10.200/24


From the clients I have no problem.


Host 192.168.10.40 can ping 192.168.5.254(router inside)


new sh route:


outside 0.0.0.0 0.0.0.0 (ISP_IP Address) 1 PPPOE static

inside 192.168.5.0 255.255.255.0 192.168.5.254 1 CONNECT static

inside 192.168.10.0 255.255.255.0 192.168.5.200 1 OTHER static

outside (ISP_IP Address) 255.255.255.255 (ISP_IP Address) 1 CONNECT static


Still cannot access or ping 192.168.10.0 network from PIX


(config)# ping 192.168.10.200

192.168.10.200 NO response received -- 1000ms

192.168.10.200 NO response received -- 1000ms

192.168.10.200 NO response received -- 1000ms


AqidosPix(config)# ping 192.168.5.200

192.168.5.200 response received -- 0ms

192.168.5.200 response received -- 0ms

192.168.5.200 response received -- 0ms

Jon Marshall Fri, 03/16/2007 - 02:48

Hi


I'm not familiar with RRAS but do you have IP routing functionality turned on on the W2K3 server?


One thing you can try which might help narrow down where the issue is, on the pix:


debug packet inside dst 192.168.10.200

debug packet inside src 192.168.10.200


This should show you how far the pings are getting ie. are they just leaving the pix or are you seeing packets coming back.


Can you try pinging a host beyond the 192.168.10.200 interface - i.e. any other host on the 192.168.10.x subnet?


Jon

atacan2006 Fri, 03/16/2007 - 03:58

I could not ping a host either, but the host can ping the router interface.


I think the packets are just leaving.


here is the ping info:


-------- PACKET ---------


-- IP --

192.168.5.254 ==> 192.168.10.200


ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c

id = 0x5201 flags = 0x0 frag off=0x0

ttl = 0xff proto=0x1 chksum = 0xd7a8


-- ICMP --

type = 0x8 code = 0x0 checksum=0xf5d8

identifier = 0x1124 seq = 0x2

-- DATA --

00000010: 00 01 02 03 |

....

00000020: 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 | ..

..............

00000030: 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 64 | ..

..........d


--------- END OF PACKET ---------

192.168.10.200 NO response received -- 1000ms




--------- PACKET ---------


-- IP --

192.168.5.254 ==> 192.168.10.38


ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c

id = 0x5211 flags = 0x0 frag off=0x0

ttl = 0xff proto=0x1 chksum = 0xd83a


-- ICMP --

type = 0x8 code = 0x0 checksum=0xf5d8

identifier = 0x1124 seq = 0x2

-- DATA --

00000010: 00 01 02 03 |

....

00000020: 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 | ..

..............

00000030: 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 64 | ..

..........d


--------- END OF PACKET ---------


192.168.10.38 NO response received -- 1000ms
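Jon's "debug packet" suggestion and the trace posted above both come down to one question: for each destination, did an echo request leave the inside interface and did an echo reply come back? The parser below answers that from the debug output. It is an added example, not code from the thread or from Cisco; the sample trace is constructed from the two echo requests posted above, trimmed to the IP and ICMP header lines, plus an assumed request/reply pair for 192.168.5.200 (the thread only says that ping succeeds, it does not show its debug output).

```python
import re

PACKET_RE = re.compile(r"-+ PACKET -+(.*?)-+ END OF PACKET -+", re.S)
ADDR_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+) ==> (\d+\.\d+\.\d+\.\d+)")
FIELD_RE = re.compile(r"(\w+)\s*=\s*(0x[0-9a-fA-F]+)")

ICMP_PROTO = 1
ECHO_REQUEST, ECHO_REPLY = 8, 0


def parse_debug_packets(text: str) -> list[dict]:
    """Return one dict per 'debug packet' block: src, dst, IP protocol and ICMP type/code."""
    packets = []
    for m in PACKET_RE.finditer(text):
        body = m.group(1)
        addr = ADDR_RE.search(body)
        if not addr:
            continue  # block without an IP header line
        # every 'name = 0x..' field in the block; 'type'/'code' only exist in the ICMP section
        fields = {k: int(v, 16) for k, v in FIELD_RE.findall(body)}
        packets.append({"src": addr.group(1), "dst": addr.group(2),
                        "proto": fields.get("proto"),
                        "type": fields.get("type"), "code": fields.get("code")})
    return packets


def ping_summary(packets: list[dict], firewall_ip: str) -> dict:
    """Per peer: echo requests the firewall sent and echo replies it received."""
    summary = {}
    for p in packets:
        if p["proto"] != ICMP_PROTO:
            continue
        if p["src"] == firewall_ip and p["type"] == ECHO_REQUEST:
            summary.setdefault(p["dst"], {"sent": 0, "replied": 0})["sent"] += 1
        elif p["dst"] == firewall_ip and p["type"] == ECHO_REPLY:
            summary.setdefault(p["src"], {"sent": 0, "replied": 0})["replied"] += 1
    return summary


def unanswered(summary: dict) -> list[str]:
    """Peers that were pinged but never answered: the packets 'just left'."""
    return sorted(peer for peer, c in summary.items() if c["sent"] and not c["replied"])


# Constructed sample: the two requests from the thread (header lines only) plus an
# assumed request/reply pair for 192.168.5.200, the host the PIX can ping.
SAMPLE = """\
-------- PACKET ---------
-- IP --
192.168.5.254 ==> 192.168.10.200
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c
ttl = 0xff proto=0x1 chksum = 0xd7a8
-- ICMP --
type = 0x8 code = 0x0 checksum=0xf5d8
--------- END OF PACKET ---------
-------- PACKET ---------
-- IP --
192.168.5.254 ==> 192.168.10.38
ttl = 0xff proto=0x1 chksum = 0xd83a
-- ICMP --
type = 0x8 code = 0x0 checksum=0xf5d8
--------- END OF PACKET ---------
-------- PACKET ---------
-- IP --
192.168.5.254 ==> 192.168.5.200
ttl = 0xff proto=0x1 chksum = 0x0000
-- ICMP --
type = 0x8 code = 0x0 checksum=0x0000
--------- END OF PACKET ---------
-------- PACKET ---------
-- IP --
192.168.5.200 ==> 192.168.5.254
ttl = 0x80 proto=0x1 chksum = 0x0000
-- ICMP --
type = 0x0 code = 0x0 checksum=0x0000
--------- END OF PACKET ---------
"""

if __name__ == "__main__":
    summary = ping_summary(parse_debug_packets(SAMPLE), "192.168.5.254")
    for peer, counts in sorted(summary.items()):
        print(f"{peer}: sent {counts['sent']}, replied {counts['replied']}")
    print("no reply from:", ", ".join(unanswered(summary)))
```

With the real "debug packet inside src 192.168.10.200" output pasted in place of the sample, a peer that shows up only as a destination and never as a source confirms that the request left the PIX and that whatever is on the far side (here the RRAS server) never sent anything back, which is exactly the one-way symptom the thread goes on to describe.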




acomiskey Fri, 03/16/2007 - 06:24

Routing is obviously working as you can get to the internet from the 10 network. Are you sure these hosts are pingable, can you ping them from the same network?

atacan2006 Fri, 03/16/2007 - 06:31

Yup,


Hosts are pingable.


Example


HostA can ping HostB on 192.168.10.0 network

Server can ping Hosts on 192.168.10.0 network

Hosts can ping both interfaces of PIX


PIX can only ping hosts on the 192.168.5.0 network

but cannot ping 192.168.10.0 network including 192.168.10.200(RRAS server)


Also Server can ping both networks.


Network

=======


PIX(5.254)----(5.200)RRAS Server 2003(10.200)----(10.38)HostA----(10.40)HostB
  |
HostC(5.10)



acomiskey Fri, 03/16/2007 - 06:51

What is HostC connecting to in your diagram?

Jon Marshall Fri, 03/16/2007 - 06:59

Hi


Okay this is getting very confusing :-).


Basically a ping from a client on 192.168.10.x will get a reply from the pix inside interface, but if the ping is initiated from the pix it doesn't work.


Do you have any type of firewall on your 192.168.10.x clients that could be stopping this? Unlikely, as the pix can ping the 192.168.5.x addresses.


Only other thing I can think of at the moment is: are there any settings in the RRAS configuration that would be stopping this?


What happens when you try and ping from a client in the 192.168.5.x network to a client in the 192.168.10.x network ?


Jon

atacan2006 Fri, 03/16/2007 - 07:17

It's very strange, I know.


ping from a client in the 192.168.5.x network to a client in the 192.168.10.x network NOT WORKING!!!


ping from a client in the 192.168.10.x network to a client in the 192.168.5.x network WORKING (also can access resources, i.e. shared folders on 5.x client)


Somehow routing or pinging works one-way.


I'll stop all firewall, antivirus activities.






Jon Marshall Fri, 03/16/2007 - 07:24

Hi


Yes, very strange. If the clients on both subnets have the same builds/settings I would concentrate on the setup of the RRAS server.


Jon

acomiskey Fri, 03/16/2007 - 09:05

Just curious, what is default gateway for 5 network clients, inside pix or rras server?

atacan2006 Fri, 03/16/2007 - 17:18

Clients have 192.168.5.254 (router inside)


RRAS Server has no Default Gateway for 192.168.10.0 network.


Also for 192.168.5.0 network RRAS Server Default Gateway is 192.168.5.254

acomiskey Fri, 03/16/2007 - 19:16

Why is the default gateway for the router, the router? Why not inside pix?

atacan2006 Sat, 03/17/2007 - 11:17

Sorry acomiskey I didn't understand your question.


for the RRAS Server


Interface1:

===========

IP Address: 192.168.5.200/24

Default Gateway: 192.168.5.254 (IP Address of inside PIX)


Interface2:

===========

IP Address: 192.168.10.200/24

Default Gateway: (No Default Gateway)



acomiskey Sat, 03/17/2007 - 11:54

OK, sorry, you referenced 5.254 being the router IP address above, not the pix.

estoeckle Wed, 03/28/2007 - 01:40

Any chance you are using Pix/ASA 7.2x OS? There seems to be an issue with having multiple inside subnets with routes. The same-interface-traffic command is supposed to resolve the issue but for me it is not working correctly.


I am having this same issue right now.

atacan2006 Wed, 03/28/2007 - 01:56

Hi, I think I should upgrade the PIX firmware. I have 6.4 and that ICMP routing works only on a higher OS like 7.x.


I'll inform you if it works.

