Pix routing to internal networks

sarat1317
Level 1

Hello

I have a PIX 515E on version 6.3(4) with the internal network 192.168.20.1/24. This is connected to a switch, and the workstations on the switch have GW 192.168.20.1.

I also have another internal network, 172.24.10.x, which is connected via the main switch to a Cisco 3750. This is as below:

Pix (192.168.20.1) - switch (192.168.20.2) - internet
                          |           |
                          |           |
                          |           -----------------------------|
                          |                                        |
                 PC (192.168.20.100)               Layer 3 switch (172.24.10.1)

A VLAN is created on the 3750 with 192.168.20.3, and the workstation has 172.24.10.100 with GW 172.24.10.1.

I added static routes on my PIX and 3750:

PIX - route inside 172.24.10.0 255.255.255.0 192.168.20.3

3750 - ip route 192.168.20.0 255.255.255.0 192.168.20.1

I can ping 192.168.20.3, 172.24.10.1 and 172.24.10.100 from the PIX unit, but not from workstation 192.168.20.100.

Can someone suggest on this?

Is this something to do with same-security-inter interface command?

Thank you

John Blakley
VIP Alumni

You can ping from the pix:

192.168.20.3 (vlan svi)

172.24.10.1 (other vlan svi)

172.24.10.100 (workstation?)

Is the 192.168.20.100 device a workstation on the pix side?

A couple of things to check:

If the 192.168.20.100 is a host, can you ping any of the first 3 addresses from that workstation, or do they all stop at the firewall?

HTH,

John

HTH, John *** Please rate all useful posts ***

172.24.10.100 (workstation?)

>> Yes, this is a workstation on VLAN 1 (172.24.10.1) of the 3750 switch

Is the 192.168.20.100 device a workstation on the pix side?

>> Correct

A couple of things to check:

If the 192.168.20.100 is a host, can you ping any of the first 3 addresses from that workstation, or do they all stop at the firewall?

>> I can only ping the VLAN IP 192.168.20.3, but not the other IPs. A trace from this workstation fails at the very first hop. Same thing when I trace 192.168.20.100 from the 3750 with source interface 172.24.10.1.

I actually replaced a Netgear router with the PIX unit, and that is when this problem started. I had the same inside routes on the Netgear unit and it worked fine.

Thank you

Please ignore my previous messages. Here is the updated design attached and I should be able to communicate between 192.168.20.x and 172.24.10.x networks.

Thanks in advance

Attached

Can you post the routing table from the 3750 and the PIX?

HTH,

John

HTH, John *** Please rate all useful posts ***

PIX# sh route

outside 0.0.0.0 0.0.0.0 1 OTHER static

outside x.x.x.x 255.255.255.252 1 CONNECT static

inside 172.24.10.0 255.255.255.0 192.168.20.3 1 OTHER static

inside 192.168.20.0 255.255.255.0 192.168.20.1 1 CONNECT static

3750-S1#sh ip route 192.168.20.100

Routing entry for 192.168.20.0/24

Known via "connected", distance 0, metric 0 (connected, via interface)

Redistributing via eigrp 1024

Routing Descriptor Blocks:

* directly connected, via Vlan10

Route metric is 0, traffic share count is 1

3750-S1#sh ip route | i 192.168.20.0

C 192.168.20.0/24 is directly connected, Vlan10

What happens if you try to ping the pix from the 3750 while sourcing from your 172.24.10.1 address? Does it fail? If you can ping from the pix to the host on the 172.24.10.100 address, you *should* be able to ping the pix from the same host.

If you trace the packet from the 172.24.10.100 host, where does it fail? Does it get past the 3750?

John

HTH, John *** Please rate all useful posts ***

Sarat

Your topology won't work.

With PIX v6.x you cannot route traffic back out of the interface that the traffic entered on, e.g.:

Your client 192.168.20.100 has a default gateway of 192.168.20.1, i.e. the PIX. So when it tries to ping any destination on 172.24.10.x, the traffic is sent to the PIX. But the PIX cannot then send the traffic back out the same interface it was received on, and that's what the PIX needs to do.

Solutions with the pix -

1) If you have a spare interface on the PIX, use that so the traffic doesn't have to be routed back out the same interface.

2) Upgrade your PIX to v7.x or v8.x. With these versions of code there is a feature called hairpinning, which allows you to route traffic back out of the same interface it was received on.

Note: a v7.x/8.x code upgrade may well require you to upgrade the memory on your PIX.

Jon
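For reference, here is what option 2 looks like in configuration form. This is an added example, not configuration from the thread or from Cisco's documentation for this thread; it assumes the PIX has been upgraded to 7.x/8.x, that the inside interface is named "inside", and that the addressing is the one from the original post.

```text
! Added example (not from the thread): PIX 7.x/8.x hairpinning for the
! topology above. 192.168.20.0/24 is on "inside"; 172.24.10.0/24 sits
! behind the 3750, whose SVI on the PIX-facing VLAN is 192.168.20.3.
!
! 1. The 6.3 failure Jon describes: a packet from 192.168.20.100 to
!    172.24.10.100 enters "inside" and its next hop (192.168.20.3) is
!    also on "inside", so the PIX drops it. 7.x forwards it only when
!    intra-interface traffic is explicitly permitted:
same-security-traffic permit intra-interface
!
! 2. Same static route the original post already has (metric 1):
route inside 172.24.10.0 255.255.255.0 192.168.20.3 1
!
! 3. Assumption: a config carried over from 6.3 keeps nat-control on,
!    so inside-to-inside traffic still needs a translation. Identity
!    NAT on both networks keeps the addresses unchanged in each
!    direction. Omit these two lines if "no nat-control" is in effect.
static (inside,inside) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (inside,inside) 172.24.10.0 172.24.10.0 netmask 255.255.255.0
!
! Checks from the PIX after the change:
!   show route            - the 172.24.10.0 route still points at .20.3
!   show conn             - a hairpinned ping from .20.100 to 172.24.10.100
!                           now shows up as an inside/inside connection
!
! 3750 side: "sh ip route" in the thread already lists 192.168.20.0/24
! as directly connected on Vlan10, so the static route to it is
! redundant. What the 3750 needs for internet-bound traffic is a
! default route toward the PIX:
ip route 0.0.0.0 0.0.0.0 192.168.20.1
```

Option 1 (a spare PIX interface for the 172.24.10.0/24 side) needs no intra-interface permit or identity NAT, because the two networks then enter and leave on different interfaces.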

I learn something every day Jon. I rated you :)

John

HTH, John *** Please rate all useful posts ***

"I learn something every day Jon"

Yep, so do I, keeps things interesting :-)

Thanks for the rating.

Jon

Thanks Jon. I had the same thought and indicated the same-security command in my first post, and you confirmed that with a good explanation.

For some reason I could not upgrade to 7.x. Please find my post on this below:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.2cd2b6eb

However, though not a good solution, I could get this working by adding a static route on 192.168.20.100 pointing to the VLAN IP:

route -p ADD 172.24.10.0 MASK 255.255.255.0 192.168.20.3

But I still want to get this right by upgrading to 7.x.

Please advise
