We have been assigned a new range of IPs 213.x.x.x/28 from our ISP. They are being routed via our existing gateway 92.x.x.146.
We can't get any traffic to this pix on the new range 213.x.x.x/28.
- If we try to ping 213.x.x.61 we get Time to live exceeded.
- ISP gets the same from their router.
- ISP tries ssh and gets No route to host.
The ISP has checked and double checked the routing and the MAC address of our outside interface. They are correct.
The strange thing is we can't see ANY log messages relating to the new range for inbound connection attempts. The Pix is running at log level 7.
Does anyone have any idea what the problem might be? Or any suggestions for debugging the issue?
Standalone Pix 515 running 7.0(7)
outside 92.x.x.146 255.255.255.240
inside 192.168.101.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 92.x.x.145 1
access-group acl_out in interface outside
access-list acl_out extended permit tcp any host 213.x.x.x eq www
access-list acl_out extended permit tcp any host 213.x.x.x eq ssh
static (inside,outside) 213.x.x.61 192.168.101.99 netmask 255.255.255.255
icmp permit any unreachable
192.168.101.99 is a linux test server with http and ssh
Any help much appreciated.
I have spoken to the ISP and confirmed the MAC address of the outside interface Ethernet0.
ISP says:
...we are sending this correctly to your pix, you should see any traffic destined for a 213.x.x.0/28 address hit your interface at 92.x.x.146/32
Yes 217.x.x.81 and 217.x.x.82 are routers owned by our ISP.
Is there anything else I can ask the ISP in terms of testing/debugging? I've run out of ideas.
If the routers are owned by your ISP then the fault lies with them. They have a routing loop in their network and that is why the packets are not getting to your firewall. Have you shown them the traceroute?
They need to look at the .81 and .82 routers to work out why packets are looping between these 2 routers. Until they fix this, packets will never get to your firewall.
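A routing loop like the one described in the answer shows up in traceroute output as the same router addresses answering again at higher TTLs, which is also why ping reports "Time to live exceeded". The following check is an added example and not part of the thread; the traceroute text uses constructed documentation-range addresses, and the function names are hypothetical.

```python
import re

# Constructed traceroute output (documentation-range addresses, not from the
# thread): from hop 4 onward the probes bounce between two upstream routers.
SAMPLE = """\
traceroute to 203.0.113.61 (203.0.113.61), 30 hops max, 60 byte packets
 1  192.0.2.1  0.412 ms  0.398 ms  0.371 ms
 2  198.51.100.9  4.120 ms  4.101 ms  4.088 ms
 3  198.51.100.33  9.870 ms  9.912 ms  9.845 ms
 4  198.51.100.81  10.221 ms  10.198 ms  10.240 ms
 5  198.51.100.82  10.634 ms  10.601 ms  10.655 ms
 6  198.51.100.81  11.040 ms  11.012 ms  11.077 ms
 7  198.51.100.82  11.466 ms  11.431 ms  11.490 ms
 8  * * *
 9  198.51.100.81  12.301 ms  12.288 ms  12.330 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")


def parse_hops(text):
    """Return [(ttl, responder)]; responder is None for a '* * *' hop."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header or blank line
        addr = m.group(2)
        hops.append((int(m.group(1)), None if addr == "*" else addr))
    return hops


def find_loop(hops):
    """Return (first_ttl, repeat_ttl, routers_in_cycle), or None if no repeat.

    A router answering at two different TTLs indicates the probes crossed it
    twice, which is the signature of a forwarding loop.
    """
    first_seen = {}
    path = []
    for ttl, addr in hops:
        if addr is None:
            continue  # a silent hop neither proves nor disproves a loop
        if addr in first_seen:
            start = first_seen[addr]
            return start, ttl, [a for t, a in path if t >= start]
        first_seen[addr] = ttl
        path.append((ttl, addr))
    return None


if __name__ == "__main__":
    print(find_loop(parse_hops(SAMPLE)))
```

The routers returned in the cycle are the ones to hand to whoever owns them, together with the raw traceroute.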