06-17-2009 02:16 PM - edited 03-11-2019 08:45 AM
Hello,
First time, sorry for my English.
So I explain my problem.
I have an IPsec VPN with 2 PIX 515 and a router on 1 of these sites.
lan_a-->Pix_a--ISP--Pix_b<--Lan_b<--router<--Lan_b2
Traffic for lan_a and lan_b, no problem.
Traffic for lan_b and lan_b2, no problem.
But traffic between lan_b2 and lan_a doesn't work,
I have a route inside in my pix_b.
But I have a strange behaviour, because ping was working,
but other traffic doesn't work; for example, when I want to telnet on port 25 in lan_a from lan_b2, I have an error in the pix_b log.
Anyone can help me?
Thanks
06-17-2009 02:26 PM
Hello
More detail:
In the pix log, I have an error
110001 no route to x.x.x.x from y.y.y.
x is in lan_b2
y is in lan_a
Thanks
06-17-2009 02:36 PM
Which pix is this error message showing up on, is it pixb?
If so can you
1) post output of "sh route" from pixb
AND
2) specify the IP subnet of lan_b2
Jon
06-17-2009 09:50 PM
Hello jon
Thanks for your reply.
Yes, the error message is on pixb.
See sh route on pixb:
pixb# sh route
outside 0.0.0.0 0.0.0.0 217.108.xx.xx 1 OTHER static
DMZ 10.10.10.0 255.255.255.0 10.10.10.254 1 CONNECT static
inside 10.10.30.0 255.255.255.0 172.22.56.1 1 OTHER static
inside 172.22.56.0 255.255.255.0 172.22.56.8 1 CONNECT static
outside 217.108.xx.xx 255.255.255.240 217.108.xx.xx 1 CONNECT static
pixb#
Subnet of lanb_2 is 10.10.30.0/24
Subnet of lanb is 172.22.56.0/24
Subnet of lana (remote VPN) is 172.22.57.0/24
The error message is:
no route to 10.10.10.38 from 172.22.57.16
Thanks
fred
06-19-2009 03:41 AM
Hello,
Someone help me, please.
Thanks
Frederic
06-19-2009 03:49 AM
Fred
Apologies for the delay in getting back to you.
Could you just clarify, i.e.
from your routing table -
inside 10.10.30.0 255.255.255.0 172.22.56.1 1 OTHER static
error message -
no route to 10.10.10.38 from 172.22.57.16
which is the correct subnet, i.e.
your route is for 10.10.30.x but the error message is about 10.10.10.x?
Jon
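As an added illustration (this is not code from the thread or from Cisco), the following Python script performs the same check Jon is asking about: it parses the pixb "sh route" output posted above and does a longest-prefix-match lookup for the addresses that appear in the two versions of the error message, so you can see which interface and gateway each one resolves to. The masked 217.108.xx.xx octets are replaced with placeholder values, which is an assumption.

```python
import ipaddress

# Constructed copy of the "sh route" output posted earlier in the thread.
# The masked 217.108.xx.xx octets are placeholders (assumed values).
SH_ROUTE = """\
outside 0.0.0.0 0.0.0.0 217.108.0.1 1 OTHER static
DMZ 10.10.10.0 255.255.255.0 10.10.10.254 1 CONNECT static
inside 10.10.30.0 255.255.255.0 172.22.56.1 1 OTHER static
inside 172.22.56.0 255.255.255.0 172.22.56.8 1 CONNECT static
outside 217.108.0.0 255.255.255.240 217.108.0.2 1 CONNECT static
"""


def parse_routes(text):
    """Turn PIX 'sh route' lines into (interface, network, gateway) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip prompt lines or blank lines
        iface, net, mask, gateway = parts[:4]
        # dotted-decimal mask is accepted directly by ipaddress
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        routes.append((iface, network, gateway))
    return routes


def lookup(routes, address):
    """Longest-prefix match: return the most specific route containing 'address'."""
    addr = ipaddress.ip_address(address)
    best = None
    for iface, net, gateway in routes:
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net, gateway)
    return best


def explain(routes, src, dst):
    """Summarise which interface and gateway each end of a flow resolves to.

    This is the check being made when the subnet in the error message is
    compared with the subnets in the routing table.
    """
    summary = {}
    for label, ip in (("src", src), ("dst", dst)):
        hit = lookup(routes, ip)
        summary[label] = None if hit is None else {
            "interface": hit[0],
            "network": str(hit[1]),
            "gateway": hit[2],
        }
    return summary


if __name__ == "__main__":
    table = parse_routes(SH_ROUTE)
    # the two destination addresses that appear in the thread's error messages
    for dst in ("10.10.10.38", "10.10.30.38"):
        print(dst, explain(table, "172.22.57.16", dst))
```

Running it shows 10.10.10.38 falling into the directly connected DMZ network while 10.10.30.38 resolves to the inside static route via 172.22.56.1, and 172.22.57.16 (lan_a) matching only the default route on outside; that is exactly the kind of mismatch the two versions of the error message make it worth checking.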
06-19-2009 03:59 AM
Jon,
Oops, sorry, that was an error when I wrote this post.
The real error message is:
no route to 10.10.30.38 from 172.22.57.16
Sorry,
thanks
Frederic
06-19-2009 04:02 AM
Fred
Which device is 172.22.57.16?
Can you post the configs of both firewalls?
Jon
06-19-2009 04:45 AM
Hello
172.22.57.16 is a mail server.
In attachment:
Config of firewall pix a
Config of firewall pix b
Config of router b
in the same file
"Conf Pix A, Pix B, Router B .txt"
and network map.
I have deleted all information you don't need in the config (passwords, public IPs, etc.).
Many thanks for your help.
Frederic
06-22-2009 12:00 AM
Hello Jon,
Have you seen my problem?
Thanks,
Frederic
06-22-2009 03:46 AM
Frederic
From pix b can you ping 10.10.30.38?
Jon
06-22-2009 03:58 AM
Jon,
Yes I can.
Pix_b# ping 10.10.30.38
10.10.30.38 response received -- 0ms
10.10.30.38 response received -- 0ms
10.10.30.38 response received -- 0ms
Pix_b#
and from pix_a too (that's strange)
Pix_a# ping inside 10.10.30.38
10.10.30.38 response received -- 40ms
10.10.30.38 response received -- 30ms
10.10.30.38 response received -- 40ms
Pix_a#
but when I want to make a telnet (for example) from 10.10.30.38 to 172.22.57.xx (Lan_a), it doesn't work.
I don't understand, because there is no ACL blocking this traffic, and the IP routes are OK.
Frederic
06-22-2009 04:06 AM
Frederic
Could you clarify: are you trying to telnet to 172.22.57.x from 10.10.30.38?
If so there may be an issue with your config on pix b. You have this applied to your inside interface on pix b -
access-list inside_access_in permit ip 172.22.56.0 255.255.255.0 any
access-list inside_access_in permit ip 172.22.56.0 255.255.255.0 any
Is this a typo, as you have the same line twice? You will need the following line in that ACL as well:
access-list inside_access_in permit ip 10.10.30.0 255.255.255.0 any
Jon
06-22-2009 04:16 AM
Jon,
Exactly, I try to telnet 172.22.57.16 (it's a mail server) from 10.10.30.38.
Yes, it is a typo.
My real ACL is:
access-list inside_access_in permit ip All-Lan 255.255.255.0 any
object-group network All-Lan
network-object 172.22.56.0 255.255.255.0
network-object 10.10.30.0 255.255.255.0
Frederic
06-22-2009 04:32 AM
Frederic
Can you run some tests -
1) From mail server 172.22.57.16 can you ping 10.10.30.38?
2) From 10.10.30.38 can you ping 172.22.57.16?
Jon