Internet--PIX--(location1)--800-800-(location2)

Unanswered Question
May 4th, 2007

Have the following problem after inserting a PIX: location1 can't reach location2, and location2 can't reach the internet. RIP is default and passive. The config worked when a Win2003 did the route. A trace to location2 shows in the PIX log as missing route, however the route table exists.

Any clues?

workorderps Mon, 05/07/2007 - 13:50

hmmm, no replies...

The Pix501 has a routing table to the networks, via RIP - but when doing a traceroute from a client the log says "no route to host". It's as if there is no one home.

Have I locked the inside interface down too hard, or does this work just as the vpn-tunnels - where you explicitly have to allow traffic to loopback to the next hop?

Jon Marshall Mon, 05/07/2007 - 23:21

Hi

Is the pix the default route for your client PCs then? So if a PC in location 1 wants to get to location 2 then the traffic first goes to the pix?

What version of pixos are you running and what is the hardware version of your pix?

Jon

workorderps Tue, 05/08/2007 - 07:17

Yes it's the default route. And, yes the clients should receive local RIP from the PIX so traffic is going the right direction.

Version of PIX is as follows:

CISCO SYSTEMS PIX-501
Embedded BIOS Version 4.3.200 07/31/01 15:58:22.08
Compiled by morlee
16 MB RAM

PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 00 00 1022 3000 Host Bridge
00 11 00 8086 1209 Ethernet 9
00 12 00 8086 1209 Ethernet 10

Cisco Secure PIX Firewall BIOS (4.2) #6: Mon Aug 27 15:09:54 PDT 2001
Platform PIX-501
Flash=E28F640J3 @ 0x3000000

Jon Marshall Tue, 05/08/2007 - 10:22

Hi

Just one more question to clarify. You say that the clients should receive local RIP from the pix. What do you mean by this? Do the clients have routes to location 2, or when they want to talk to location 2 does traffic go via the pix (which is what your first post seems to suggest)?

If traffic has to go via the pix then it looks like it won't work from your topology, as the traffic would have to go in and come out on the same interface. You can't do this with pix v6.x. You can do this with v7.0 but unfortunately the pix 501 will not run v7.0.

Can you clarify these questions?

Jon

workorderps Tue, 05/08/2007 - 10:45

Does the traffic actually do a loopback? As I said we replaced a Windows 2003 server that had routing enabled. I don't know if the clients got the routes added or if the traffic went in and out at the same interface then.

I do however have an ASA 5505 in stock - are you saying this one would work better?

Jon Marshall Tue, 05/08/2007 - 12:49

Hi

It depends on what routes are on your clients. Assuming your clients are running windows bring up a cmd prompt and type

"netstat -nr"

This shows you the routing table. Do your clients have a route to location 2 or do they just have a default route pointing to the pix?

An ASA would allow traffic in and out of the same interface - it's called "hairpinning".

HTH

Jon
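The check Jon asks for above, as an added example that is not part of this thread: parse a client's "netstat -nr" table, find the next hop for a destination by longest-prefix match, and report whether the packet would be handed to the PIX and have to come back out the same inside interface (the hairpin a PIX 501 on 6.x cannot do). All addresses and the sample table are constructed assumptions.

```python
import ipaddress

# Constructed sample of the IPv4 section of a Windows "netstat -nr" on a
# location1 client: default route to the PIX, plus a route to location2 via
# the local 800 router. Addresses are assumptions, not from the thread.
SAMPLE_NETSTAT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.1   192.168.1.50       20
        127.0.0.0        255.0.0.0       127.0.0.1      127.0.0.1        1
      192.168.1.0    255.255.255.0   192.168.1.50   192.168.1.50       20
      192.168.2.0    255.255.255.0  192.168.1.254   192.168.1.50       20
"""

PIX_INSIDE = "192.168.1.1"  # assumed inside address of the PIX (client default gateway)


def parse_routes(text):
    """Return (network, gateway) pairs from the destination/netmask/gateway columns."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
            gw = ipaddress.ip_address(parts[2])
        except ValueError:
            continue  # column header or other non-route line
        routes.append((net, gw))
    return routes


def next_hop(routes, dest):
    """Gateway the client would use for dest (longest-prefix match), or None."""
    dest = ipaddress.ip_address(dest)
    best = max((r for r in routes if dest in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return str(best[1]) if best else None


def would_hairpin(routes, dest, pix_inside=PIX_INSIDE):
    """True when the client sends dest to the PIX, which would then have to
    forward it back out the same inside interface to reach the 800 router."""
    return next_hop(routes, dest) == pix_inside


if __name__ == "__main__":
    table = parse_routes(SAMPLE_NETSTAT)
    for host in ("192.168.2.10", "8.8.8.8"):
        print(host, "->", next_hop(table, host), "hairpin:", would_hairpin(table, host))
```

With the location2 route present the traffic never touches the PIX; with only the default route every location2 packet would be a hairpin, which on an ASA additionally requires `same-security-traffic permit intra-interface`.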
