Routing problem Cisco PIX?

May 12th, 2010

I have a PIX 515E running 8.0.4.

It's configured with an outside2 interface with security level 4 (here I have an AIX-server, 10.174.253.24/27), and DMZ with security level 10 (here I have a windows-server with 192.168.102.13/24).  Inside interface of the PIX has 10.174.102.86/24.


From the server in the outside2 net, I can ping the PIX outside2 interface. Nice!

But when pinging from the outside2 AIX-server 10.174.253.24 to the 192.168.102.13, it doesn't work.  The PIX sends the reply packet out on the inside interface, instead of directly back out on the outside2 interface. Why?

The pix has a route that says:

route inside 10.174.0.0 255.255.0.0 10.174.0.1 1


This is in the same range as the outside2 interface, but shouldn't it use the directly connected instead of the routing information?

Br

Geir

Correct Answer by spremkumar about 7 years 2 weeks ago

Hi Geir


I think you can overcome this by creating a subnet (/27) specific route for your AIX servers so that your packets don't go back to the inside interface.


regds


pd.politiet.no Fri, 05/14/2010 - 02:21

Sorry, checked it was correct, but it isn't.


The problem is that the outside interface is local to the PIX, as is the DMZ-interface.


I ping from an AIX server sitting on the outside interface, to a windows server in the dmz interface.  The request goes to the windows server, which then replies.  But the return reply is sent by the pix out on the inside interface.

The only thing I can say is that the pix has a route to the inside, 10.174.0.0/16, and that the subnet of the outside interface of the pix is 10.174.253.0/27.  So a specific route cannot be entered.


Any ideas?


Br

Geir

Jennifer Halim Fri, 05/14/2010 - 02:29
(Cisco Employee)

Yes, you can add the following route:


route outside2 10.174.253.0 255.255.255.224


Hope that helps.

pd.politiet.no Fri, 05/14/2010 - 03:18

Next hop is directly connected to the outside2 interface.

When adding the route I get:

ERROR: Cannot add route, connected route exists


Therefore I cannot do this.


It must be something with the route to inside with the 10.174.0.0/16 route statement.


Geir

Jennifer Halim Fri, 05/14/2010 - 03:47
(Cisco Employee)

If it's a directly connected subnet on the outside2 interface, then it should take precedence over the static route towards the inside.


Assuming that you have NAT exemption configured on your DMZ interface? Something like this:

access-list dmz-nonat permit ip 192.168.102.0 255.255.255.0 10.174.253.0 255.255.255.224

nat (dmz) 0 access-list dmz-nonat


"clear xlate" if you haven't had the above configured after the changes.
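The two points made in this thread, that a connected /27 wins over a static /16 by longest-prefix match (so a static route for the same prefix is refused as redundant), and that the DMZ-to-outside2 traffic must match the NAT-exemption ACL, can be checked in a small model of the lookup. The following Python is an added example written for this page, not Cisco code or output from the PIX. The interface addresses 10.174.253.1/27 for outside2 and 192.168.102.1/24 for the DMZ are not given in the thread and are constructed placeholders; the next-hop address of the static route is ignored because only the outgoing interface matters for the question asked.

```python
"""Toy model of PIX route selection and NAT-exemption matching (added example).

Routes are chosen by longest prefix match; on equal length a connected route
beats a static one.  Adding a static route whose prefix equals a connected
route is rejected, mirroring the "connected route exists" error in the thread.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    connected: bool  # True when derived from an interface address


class RouteTable:
    def __init__(self):
        self.routes = []

    def add_connected(self, interface, addr_with_mask):
        """Install the connected route implied by an interface address."""
        iface = ipaddress.ip_interface(addr_with_mask)
        self.routes.append(Route(iface.network, interface, True))

    def add_static(self, interface, prefix):
        """Install a static route; refuse one that duplicates a connected prefix."""
        net = ipaddress.ip_network(prefix)
        for r in self.routes:
            if r.connected and r.prefix == net:
                raise ValueError("ERROR: Cannot add route, connected route exists")
        self.routes.append(Route(net, interface, False))

    def lookup(self, dst):
        """Return the egress interface for dst, or None if no route covers it."""
        ip = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if ip in r.prefix]
        if not candidates:
            return None
        # Longest prefix first; connected beats static on a tie.
        best = max(candidates, key=lambda r: (r.prefix.prefixlen, r.connected))
        return best.interface


def nat_exempt(acl, src, dst):
    """True if a (src, dst) flow matches any (src_net, dst_net) entry of the nonat ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in acl)


def build_pix():
    """Route table reconstructed from the thread; interface IPs marked below are constructed."""
    t = RouteTable()
    t.add_connected("inside", "10.174.102.86/24")     # given in the question
    t.add_connected("outside2", "10.174.253.1/27")    # constructed: PIX outside2 address not given
    t.add_connected("dmz", "192.168.102.1/24")        # constructed: PIX DMZ address not given
    t.add_static("inside", "10.174.0.0/16")           # route inside 10.174.0.0 255.255.0.0 ...
    return t


# access-list dmz-nonat permit ip 192.168.102.0 255.255.255.0 10.174.253.0 255.255.255.224
DMZ_NONAT = [(ipaddress.ip_network("192.168.102.0/24"),
              ipaddress.ip_network("10.174.253.0/27"))]


def static_route_rejected(table, interface, prefix):
    """True if the PIX model refuses the static route, as the poster observed."""
    try:
        table.add_static(interface, prefix)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    pix = build_pix()
    print("reply to AIX server leaves via:", pix.lookup("10.174.253.24"))
    print("other 10.174.x.x leaves via:", pix.lookup("10.174.5.5"))
    print("static /27 rejected:", static_route_rejected(pix, "outside2", "10.174.253.0/27"))
    print("DMZ->AIX exempt from NAT:", nat_exempt(DMZ_NONAT, "192.168.102.13", "10.174.253.24"))
```

In this model the echo reply to 10.174.253.24 is routed out outside2 by the connected /27, so if the real PIX sends it to inside, the cause lies elsewhere (for example a stale translation, which is why the advice above is to clear xlate after fixing the NAT exemption) rather than in the /16 static route.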
