Routing problem Cisco PIX?

pd.politiet.no
Level 1

I have a PIX 515E running 8.0.4.

It's configured with an outside2 interface with security level 4 (here I have an AIX server, 10.174.253.24/27), and a DMZ with security level 10 (here I have a Windows server with 192.168.102.13/24).  The inside interface of the PIX has 10.174.102.86/24.

From the server in the outside2 net, I can ping the PIX outside2 interface. Nice!

But when pinging from the outside2 AIX server 10.174.253.24 to 192.168.102.13, it doesn't work.  The PIX sends the reply packet out on the inside interface, instead of directly back out on the outside2 interface. Why?

The pix has a route that says:

route inside 10.174.0.0 255.255.0.0 10.174.0.1 1

This is in the same range as the outside2 interface, but shouldn't it use the directly connected instead of the routing information?

Br

Geir

1 Accepted Solution

Accepted Solutions

spremkumar
Level 9

Hi Geir

I think you can overcome this by creating a subnet-specific (/27) route for your AIX servers so that your packets don't go back to the inside interface.

regds


5 Replies


Sorry, checked it was correct, but it isn't.

The problem is that the outside interface is local to the PIX, as is the DMZ interface.

I ping from an AIX server sitting on the outside interface to a Windows server on the DMZ interface.  The request goes to the Windows server, which then replies.  But the return reply is sent by the PIX out on the inside interface.

The only thing I can say is that the PIX has a route to the inside, 10.174.0.0/16, and that the subnet of the outside interface of the PIX is 10.174.253.0/27.  So a specific route cannot be entered.

Any ideas?

Br

Geir

Yes, you can add the following route:

route outside2 10.174.253.0 255.255.255.224

Hope that helps.

Next hop is directly connected to the outside2 interface.

When adding the route I get:

ERROR: Cannot add route, connected route exists

Therefore I cannot do this.

It must be something with the route to inside with the 10.174.0.0/16 route statement.

Geir

If it's directly connected subnet to the outside2 interface, then it should take precedence over the static route towards the inside.

Assuming that you have NAT exemption configured on your DMZ interface? Something like this:

access-list dmz-nonat permit ip 192.168.102.0 255.255.255.0 10.174.253.0 255.255.255.224

nat (dmz) 0 access-list dmz-nonat

"clear xlate" if you haven't had the above configured after the changes.
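To make the routing argument in this thread concrete, here is an added example (not code from the thread or from Cisco): a small Python model of a routing table that does longest-prefix match with administrative distance, loaded with the routes the original post describes. It shows that the connected 10.174.253.0/27 on outside2 wins over the static 10.174.0.0/16 via inside for 10.174.253.24, and that a static route for a prefix that is already directly connected is refused, which is the "connected route exists" error Geir hit. The PIX outside2 and DMZ interface addresses (10.174.253.1/27 and 192.168.102.1/24) are assumptions; the thread only gives the inside address and the two hosts.

```python
# Added example, not from the thread: model the PIX routing-table lookup to show
# why the connected /27 on outside2 beats the /16 static route via inside.
# Assumed (hypothetical) addresses: PIX outside2 = 10.174.253.1/27,
# PIX dmz = 192.168.102.1/24. Only inside 10.174.102.86/24 is given in the post.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    next_hop: Optional[ipaddress.IPv4Address]  # None means directly connected
    admin_distance: int  # connected = 0; static defaults to 1 ("route ... 1")


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add_connected(self, interface: str, addr_with_mask: str) -> None:
        """Connected route derived from an interface address, e.g. 10.174.102.86/24."""
        iface = ipaddress.ip_interface(addr_with_mask)
        self.routes.append(Route(iface.network, interface, None, 0))

    def add_static(self, interface: str, prefix: str, next_hop: str,
                   admin_distance: int = 1) -> None:
        """Static route; refuses to duplicate a connected prefix, as the PIX does."""
        net = ipaddress.ip_network(prefix, strict=False)
        if any(r.next_hop is None and r.prefix == net for r in self.routes):
            raise ValueError("Cannot add route, connected route exists")
        self.routes.append(Route(net, interface,
                                 ipaddress.ip_address(next_hop), admin_distance))

    def lookup(self, destination: str) -> Optional[Route]:
        """Longest-prefix match; ties broken by lowest administrative distance."""
        addr = ipaddress.ip_address(destination)
        matches = [r for r in self.routes if addr in r.prefix]
        if not matches:
            return None
        return max(matches, key=lambda r: (r.prefix.prefixlen, -r.admin_distance))


def build_pix_table() -> RoutingTable:
    """Routes as described in the thread plus the two assumed interface addresses."""
    rt = RoutingTable()
    rt.add_connected("inside", "10.174.102.86/24")    # from the original post
    rt.add_connected("outside2", "10.174.253.1/27")   # assumed PIX outside2 address
    rt.add_connected("dmz", "192.168.102.1/24")       # assumed PIX DMZ address
    # route inside 10.174.0.0 255.255.0.0 10.174.0.1 1
    rt.add_static("inside", "10.174.0.0/16", "10.174.0.1", 1)
    return rt


def egress_interface(rt: RoutingTable, destination: str) -> Optional[str]:
    """Interface a packet to `destination` leaves on, by routing table alone."""
    route = rt.lookup(destination)
    return route.interface if route else None


def try_add_static(rt: RoutingTable, interface: str, prefix: str,
                   next_hop: str) -> Optional[str]:
    """Return the error text the PIX would print, or None if the route is accepted."""
    try:
        rt.add_static(interface, prefix, next_hop)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    table = build_pix_table()
    # Reply from the DMZ host 192.168.102.13 back to the AIX host 10.174.253.24
    print("10.174.253.24 ->", egress_interface(table, "10.174.253.24"))  # outside2
    # Another 10.174.x.x host is covered only by the /16 static route
    print("10.174.10.5   ->", egress_interface(table, "10.174.10.5"))    # inside
    # The /27 static route suggested in the thread is refused, as Geir saw
    print(try_add_static(table, "outside2", "10.174.253.0/27", "10.174.253.1"))
```

The model only covers the routing table. It confirms the last reply's point that the connected /27 takes precedence over the /16 static, so prefix length alone cannot explain the reply leaving on inside; on the PIX the xlate and NAT configuration are also consulted before a packet is forwarded, which is why that reply asks about NAT exemption on the DMZ and suggests "clear xlate" after changing it.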
