New Member

Pix routing to internal networks

Hello

I have a PIX 515E on version 6.3(4) with internal network 192.168.20.1/24. This is connected to a switch, and the workstations on the switch have GW 192.168.20.1.

I also have another internal network, 172.24.10.x, which is connected via the main switch to a Cisco 3750. This is as below:

Pix (192.168.20.1) - switch (192.168.20.2) - internet
                         |              |
                         |              |
                         |              |
          PC (192.168.20.100)     Layer 3 switch (172.24.10.1)

A VLAN is created on the 3750 with 192.168.20.3, and the workstation has 172.24.10.100 with GW 172.24.10.1.

I added static routes on my PIX and 3750:

PIX - route inside 172.24.10.0 255.255.255.0 192.168.20.3

3750 - ip route 192.168.20.0 255.255.255.0 192.168.20.1

I can ping 192.168.20.3, 172.24.10.1 and 172.24.10.100 from the PIX unit, but not from workstation 192.168.20.100.

Can someone suggest on this?

Is this something to do with the same-security inter-interface command?

Thank you

11 REPLIES

Re: Pix routing to internal networks

You can ping from the pix:

192.168.20.3 (vlan svi)

172.24.10.1 (other vlan svi)

172.24.10.100 (workstation?)

Is the 192.168.20.100 device a workstation on the pix side?

A couple of things to check:

If the 192.168.20.100 is a host, can you ping any of the first 3 addresses from that workstation, or do they all stop at the firewall?

HTH,

John

HTH, John *** Please rate all useful posts ***
New Member

Re: Pix routing to internal networks

172.24.10.100 (workstation?)

>> Yes, this is a workstation on VLAN 1 (172.24.10.1) of the 3750 switch.

Is the 192.168.20.100 device a workstation on the pix side?

>> Correct

A couple of things to check:

If the 192.168.20.100 is a host, can you ping any of the first 3 addresses from that workstation, or do they all stop at the firewall?

>> I can only ping the VLAN IP 192.168.20.3, but not the other IPs. A trace from this workstation fails at the very first hop. Same thing when I trace 192.168.20.100 from the 3750 with source interface 172.24.10.1.

I actually replaced a Netgear router with the PIX unit, and that is when this problem started. I had the same inside routes on the Netgear unit and it worked fine.

Thank you

New Member

Re: Pix routing to internal networks

Please ignore my previous messages. Here is the updated design, attached. I should be able to communicate between the 192.168.20.x and 172.24.10.x networks.

Thanks in advance

New Member

Re: Pix routing to internal networks

Attached

Re: Pix routing to internal networks

Can you post the routing table from the 3750 and the PIX?

HTH,

John

HTH, John *** Please rate all useful posts ***
New Member

Re: Pix routing to internal networks

PIX# sh route

outside 0.0.0.0 0.0.0.0 1 OTHER static

outside x.x.x.x 255.255.255.252 1 CONNECT static

inside 172.24.10.0 255.255.255.0 192.168.20.3 1 OTHER static

inside 192.168.20.0 255.255.255.0 192.168.20.1 1 CONNECT static

3750-S1#sh ip route 192.168.20.100

Routing entry for 192.168.20.0/24

Known via "connected", distance 0, metric 0 (connected, via interface)

Redistributing via eigrp 1024

Routing Descriptor Blocks:

* directly connected, via Vlan10

Route metric is 0, traffic share count is 1

3750-S1#sh ip route | i 192.168.20.0

C 192.168.20.0/24 is directly connected, Vlan10

Re: Pix routing to internal networks

What happens if you try to ping the pix from the 3750 while sourcing from your 172.24.10.1 address? Does it fail? If you can ping from the pix to the host on the 172.24.10.100 address, you *should* be able to ping the pix from the same host.

If you trace the packet from the 172.24.10.100 host, where does it fail? Does it get past the 3750?

John

HTH, John *** Please rate all useful posts ***
Hall of Fame Super Blue

Re: Pix routing to internal networks

Sarat

Your topology won't work.

With PIX v6.x you cannot route traffic back out of the interface that the traffic entered on, e.g.:

your client 192.168.20.100 has a default gateway of 192.168.20.1, i.e. the PIX. So when it tries to ping any destination on 172.24.10.x, the traffic is sent to the PIX. But the PIX cannot then send the traffic back out the same interface it was received on. And that's what the PIX needs to do.

Solutions with the PIX:

1) If you have a spare interface on the PIX, use that so the traffic doesn't have to be routed back out the same interface.

2) Upgrade your PIX to v7.x or v8.x. With these versions of code there is a feature called hairpinning which allows you to route traffic back out of the same interface it was received on.

Note: a v7.x/8.x code upgrade may well require you to upgrade the memory on your PIX.

Jon
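The hairpin fix described in option 2 above, written out as an added configuration example. This is not from the thread or from any Cisco document for this particular setup; it assumes the PIX 515E has been upgraded to 7.x, that the inside interface keeps the addressing from the original post (PIX 192.168.20.1, 3750 SVI 192.168.20.3, far network 172.24.10.0/24), and that the ACL name NONAT is a hypothetical name chosen here.

```cisco
! Added example, not from the thread. Assumes PIX 515E on 7.x with
! inside = 192.168.20.1/24, 3750 SVI = 192.168.20.3, far network 172.24.10.0/24.

! --- PIX (7.x) ---
! Permit traffic to leave through the interface it arrived on (hairpinning).
! PIX 6.x has no equivalent, which is why the original topology fails there.
same-security-traffic permit intra-interface

! Route the 3750-side network via the SVI on the same inside segment
! (same route the original post already has).
route inside 172.24.10.0 255.255.255.0 192.168.20.3 1

! Caveat: a config upgraded from 6.x keeps nat-control enabled, so the
! hairpinned inside-to-inside flow still needs a NAT rule to be built.
! Exempt it with identity NAT. The ACL name NONAT is hypothetical.
access-list NONAT extended permit ip 192.168.20.0 255.255.255.0 172.24.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Caveat: if an inbound ACL is applied to the inside interface with
! access-group, the hairpinned flow is checked against it like any other
! inside-sourced traffic, so it must permit 192.168.20.0/24 -> 172.24.10.0/24.

! --- 3750 (IOS) ---
! 192.168.20.0/24 is directly connected on Vlan10 (see the posted routing
! table), so no static route to it is needed. The switch only needs IP
! routing on and a default route toward the PIX for everything else.
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.20.1
```

Two practical notes. First, hairpinning means every 192.168.20.x to 172.24.10.x packet is inspected by the firewall and counted against its connection table; that is often what you want for segment-to-segment traffic, and it is the reason the workaround of pointing each host's route straight at 192.168.20.3 is weaker, since that traffic then never touches the firewall. Second, the same tradeoff is available as a design choice without upgrading code: make the 3750 SVI (192.168.20.3) the default gateway for the 192.168.20.x hosts and give the 3750 a default route to the PIX, so only internet-bound traffic reaches the firewall. Choose based on whether internal segment traffic should be firewalled, not on which is easier to type.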

Re: Pix routing to internal networks

I learn something every day Jon. I rated you :)

John

HTH, John *** Please rate all useful posts ***
Hall of Fame Super Blue

Re: Pix routing to internal networks

"I learn something every day Jon"

Yep, so do i, keeps things interesting :-)

Thanks for the rating.

Jon

New Member

Re: Pix routing to internal networks

Thanks Jon. I had the same thought and indicated the same-security command in my first post, and you confirmed that with a good explanation.

For some reason I could not upgrade to 7.x. Please find my post on this below:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.2cd2b6eb

However, though not a good solution, I could get this working by adding a static route on 192.168.20.100 pointing to the VLAN IP:

route -p ADD 172.24.10.0 MASK 255.255.255.0 192.168.20.3

But I still want to get this right by upgrading to 7.x.

Please advise
