New Member

Cisco PIX Routing

Hello all,

I need your help. I cannot ping or access 2nd local subnet from PIX.

Structure:

PIX ---- Server 2003 ----Subnet1 + Subnet2

PIX

===

ip address outside pppoe setroute

ip address inside 192.168.5.254 255.255.255.0

Server 2003 IP Add1: 5.200

Server 2003 IP Add2: 10.200

From Client PCs I can access, ping internet addresses and other subnets. Working

From PIX I cannot only ping 5.200, cannot ping 10.200

What should I do?

Thanks in advance

PIX Config

==========

access-list 101 permit ip 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list 102 permit ip 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list 102 permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list 103 permit icmp any any

icmp permit any outside

icmp permit any inside

ip address outside pppoe setroute

ip address inside 192.168.5.254 255.255.255.0

ip local pool vpnpool 192.168.3.3-192.168.3.20

global (outside) 1 interface

nat (inside) 0 access-list 102

nat (inside) 1 192.168.5.0 255.255.255.0 0 0

nat (inside) 1 192.168.10.0 255.255.255.0 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group 103 in interface outside

Thanks in advance

Zati

22 REPLIES
Green

Re: Cisco PIX Routing

Are all clients on 192.168.5.0 ?

route inside 192.168.10.0 255.255.255.0

New Member

Re: Cisco PIX Routing

Some clients are on 192.168.5.0 and some are 192.168.10.0.

All clients can reach all the possible networks (also internet) and can ping.

Only from PIX Firewall I cannot ping the network 192.168.10.0.

I have also tried the following:

route inside 192.168.10.0 255.255.255.0

that didn't work.

!!!I wrote by mistake that I cannot ping network 192.168.5.0 from PIX. That works...Sorry!!!

Thanks for your reply.

Green

Re: Cisco PIX Routing

Now I'm confused....could you post a "show route" on the pix?

New Member

Re: Cisco PIX Routing

Here it is:

outside 0.0.0.0 0.0.0.0 (ISP_IP Address) 1 PPPOE static

inside 192.168.5.0 255.255.255.0 192.168.5.254 1 CONNECT static

inside 192.168.10.0 255.255.255.0 192.168.5.254 1 OTHER static

outside (ISP_IP Address) 255.255.255.255 (ISP_IP Address) 1 CONNECT static

Hall of Fame Super Blue

Re: Cisco PIX Routing

Hi

Your route to the 192.168.10.0 network is pointing to the same gateway as your route to the 192.168.5.0 network.

This is the problem. 192.168.5.254 is the inside interface of your pix. So your routing table says to get to 192.168.10.0 go to the inside interface of the pix which is clearly wrong.

You have 2 subnets in your network

192.168.5.0

192.168.10.0

Do you have a router internally that routes between these subnets? If you do, then you need to do as Adam has suggested and point a route to the 192.168.10.0 network via your internal router, e.g.

say your internal router interface had an ip address of 192.168.5.253. On the pix

route inside 192.168.10.0 255.255.255.0 192.168.5.253

If you don't have an internal router then how are you running two separate subnets internally?

Hope this makes sense

Jon
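Jon's diagnosis (a static route whose next hop is the PIX's own inside address) can be checked mechanically against a pasted "show route" listing. This is an added example, not code from the thread; the sample below is constructed from the posted output, with 203.0.113.x TEST-NET addresses assumed in place of the masked ISP address.

```python
"""Flag static routes in a PIX 'show route' listing whose next hop is the
firewall's own interface address (the misconfiguration Jon points out above)
or is not on a subnet connected to that interface. Added example, not from
the thread; the sample is constructed from the posted output with TEST-NET
addresses standing in for the masked ISP address."""
import ipaddress
import re
from typing import List, NamedTuple, Tuple

class Route(NamedTuple):
    iface: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    source: str  # CONNECT, OTHER, PPPOE, ...

# Constructed sample modelled on the poster's first "show route" output.
SAMPLE_SHOW_ROUTE = """\
outside 0.0.0.0 0.0.0.0 203.0.113.1 1 PPPOE static
inside 192.168.5.0 255.255.255.0 192.168.5.254 1 CONNECT static
inside 192.168.10.0 255.255.255.0 192.168.5.254 1 OTHER static
outside 203.0.113.45 255.255.255.255 203.0.113.45 1 CONNECT static
"""
ROUTE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<net>\S+)\s+(?P<mask>\S+)\s+(?P<gw>\S+)\s+\d+\s+(?P<src>\S+)\s+static$"
)

def parse_show_route(text: str) -> List[Route]:
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            net = ipaddress.IPv4Network(f"{m['net']}/{m['mask']}", strict=False)
            routes.append(Route(m["iface"], net, ipaddress.IPv4Address(m["gw"]), m["src"]))
    return routes

def check_next_hops(routes: List[Route]) -> List[Tuple[str, str]]:
    """Return (destination, problem) pairs for routes with an unusable next hop."""
    # The PIX lists each connected network with the interface's own IP as gateway.
    own_addrs = {r.gateway for r in routes if r.source == "CONNECT"}
    connected = [(r.iface, r.network) for r in routes if r.source == "CONNECT"]
    findings = []
    for r in routes:
        if r.source in ("CONNECT", "PPPOE"):   # PPPoE peer sits on a point-to-point link
            continue
        if r.gateway in own_addrs:
            findings.append((str(r.network), f"next hop {r.gateway} is the PIX's own {r.iface} address"))
        elif not any(r.gateway in net for iface, net in connected if iface == r.iface):
            findings.append((str(r.network), f"next hop {r.gateway} is not on a subnet connected to {r.iface}"))
    return findings
```

Running it on the poster's later routing table (next hop 192.168.5.200) produces no findings, which is why that change alone was the right first step.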

New Member

Re: Cisco PIX Routing

Thank you Jon, that makes sense.

I have a Window 2003 Server configured as RRAS.

W2K3 has 2 interfaces:

Interface1 :192.168.5.200/24

Interface2 :192.168.10.200/24

from the Clients I have no problem.

Host 192.168.10.40 can ping 192.168.5.254(router inside)

new sh route:

outside 0.0.0.0 0.0.0.0 (ISP_IP Address) 1 PPPOE static

inside 192.168.5.0 255.255.255.0 192.168.5.254 1 CONNECT static

inside 192.168.10.0 255.255.255.0 192.168.5.200 1 OTHER static

outside (ISP_IP Address) 255.255.255.255 (ISP_IP Address) 1 CONNECT static

Still cannot access or ping 192.168.10.0 network from PIX

(config)# ping 192.168.10.200

192.168.10.200 NO response received -- 1000ms

192.168.10.200 NO response received -- 1000ms

192.168.10.200 NO response received -- 1000ms

AqidosPix(config)# ping 192.168.5.200

192.168.5.200 response received -- 0ms

192.168.5.200 response received -- 0ms

192.168.5.200 response received -- 0ms

Hall of Fame Super Blue

Re: Cisco PIX Routing

Hi

I'm not familiar with RRAS, but do you have IP routing functionality turned on on the W2K3 server?

One thing you can try which might help narrow down where the issue is, on the pix:

debug packet inside dst 192.168.10.200

debug packet inside src 192.168.10.200

This should show you how far the pings are getting ie. are they just leaving the pix or are you seeing packets coming back.

Can you try pinging a host beyond the 192.168.10.200 interface - ie any other host on the 192.168.10.x subnet.

Jon

New Member

Re: Cisco PIX Routing

I could not ping a host either, but the host can ping the router interface.

I think the packets are just leaving

here is the ping info:

-------- PACKET ---------
-- IP --
192.168.5.254 ==> 192.168.10.200
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c
id = 0x5201 flags = 0x0 frag off=0x0
ttl = 0xff proto=0x1 chksum = 0xd7a8
-- ICMP --
type = 0x8 code = 0x0 checksum=0xf5d8
identifier = 0x1124 seq = 0x2
-- DATA --
00000010: 00 01 02 03 | ....
00000020: 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 | ................
00000030: 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 64 | ............d
--------- END OF PACKET ---------

192.168.10.200 NO response received -- 1000ms

--------- PACKET ---------
-- IP --
192.168.5.254 ==> 192.168.10.38
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c
id = 0x5211 flags = 0x0 frag off=0x0
ttl = 0xff proto=0x1 chksum = 0xd83a
-- ICMP --
type = 0x8 code = 0x0 checksum=0xf5d8
identifier = 0x1124 seq = 0x2
-- DATA --
00000010: 00 01 02 03 | ....
00000020: 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 | ................
00000030: 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 64 | ............d
--------- END OF PACKET ---------

192.168.10.38 NO response received -- 1000ms
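Jon's question about the debug output (are the pings just leaving the PIX, or does anything come back?) can be answered by pairing echo requests with replies by ICMP identifier and sequence. This is an added example, not from the thread; the sample dump is constructed to mirror the one posted above, plus one request that does get a reply so both outcomes show up.

```python
"""Summarise PIX 'debug packet' output into echo requests sent by the firewall
and the replies that match them (by ICMP identifier/seq), per target. Added
example, not from the thread; SAMPLE_DEBUG is constructed."""
import re
# Constructed sample: request to 192.168.10.200 unanswered, request to 192.168.5.200 answered.
SAMPLE_DEBUG = """\
-------- PACKET ---------
-- IP --
192.168.5.254 ==> 192.168.10.200
-- ICMP --
type = 0x8 code = 0x0 checksum=0xf5d8
identifier = 0x1124 seq = 0x2
--------- END OF PACKET ---------
-------- PACKET ---------
-- IP --
192.168.5.254 ==> 192.168.5.200
-- ICMP --
type = 0x8 code = 0x0 checksum=0xf5d8
identifier = 0x1124 seq = 0x3
--------- END OF PACKET ---------
-------- PACKET ---------
-- IP --
192.168.5.200 ==> 192.168.5.254
-- ICMP --
type = 0x0 code = 0x0 checksum=0xfdd8
identifier = 0x1124 seq = 0x3
--------- END OF PACKET ---------
"""
ADDR_RE = re.compile(r"^(\S+) ==> (\S+)$")
ICMP_RE = re.compile(r"^type = 0x([0-9a-f]+) ")
ID_RE = re.compile(r"^identifier = (0x[0-9a-f]+) seq = (0x[0-9a-f]+)")

def ping_outcomes(text, own_ip):
    """Map target -> (requests sent by own_ip, replies matched by identifier/seq)."""
    outcomes, sent, src, dst, itype = {}, set(), None, None, None
    for line in text.splitlines():
        if m := ADDR_RE.match(line):
            src, dst = m.groups()
        elif m := ICMP_RE.match(line):
            itype = int(m.group(1), 16)
        elif m := ID_RE.match(line):
            ident_seq = m.groups()
            if src == own_ip and itype == 8:                 # echo request leaving the PIX
                outcomes.setdefault(dst, [0, 0])[0] += 1
                sent.add((dst,) + ident_seq)
            elif dst == own_ip and itype == 0 and (src,) + ident_seq in sent:
                outcomes[src][1] += 1                        # echo reply to a request we saw
    return {t: tuple(c) for t, c in outcomes.items()}
```

A target with requests but zero matched replies, as 192.168.10.200 shows here, means the echo left the PIX and nothing came back, which points past the firewall towards the RRAS server.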

Green

Re: Cisco PIX Routing

Routing is obviously working as you can get to the internet from the 10 network. Are you sure these hosts are pingable, can you ping them from the same network?

New Member

Re: Cisco PIX Routing

Yup,

Host are pingable.

Example

HostA can ping HostB on 192.168.10.0 network

Server can ping Hosts on 192.168.10.0 network

Hosts can ping both interfaces of PIX

PIX can ping only hosts on 192.168.5.0 network

but cannot ping 192.168.10.0 network including 192.168.10.200(RRAS server)

Also Server can ping both networks.

Network

=======

PIX(5.254)----(5.200)RRAS Server 2003(10.200)----(10.38)HostA----(10.40)HostB
|
HostC(5.10)

Green

Re: Cisco PIX Routing

What is HostC connecting to in your diagram?

New Member

Re: Cisco PIX Routing

just for test purposes...

Hall of Fame Super Blue

Re: Cisco PIX Routing

Hi

Okay this is getting very confusing :-).

Basically a ping from a client on 192.168.10.x will get a reply from the pix inside interface, but if the ping is initiated from the pix it doesn't work.

Do you have any type of firewall on your 192.168.10.x clients that could be stopping this? Unlikely, as the pix can ping the 192.168.5.x addresses.

Only other thing i can think of at the moment is are there any settings in the RRAS configuration that would be stopping this.

What happens when you try and ping from a client in the 192.168.5.x network to a client in the 192.168.10.x network ?

Jon

New Member

Re: Cisco PIX Routing

It's very strange, I know.

ping from a client in the 192.168.5.x network to a client in the 192.168.10.x network NOT WORKING!!!

ping from a client in the 192.168.10.x network to a client in the 192.168.5.x network WORKING (also can access resources ie:shared folders on 5.x client)

somehow routing or pinging works one-way

I'll stop all firewall, antivirus activities.

Hall of Fame Super Blue

Re: Cisco PIX Routing

Hi

Yes, very strange. If the clients on both subnets have the same builds/settings I would concentrate on the setup of the RRAS server.

Jon

Green

Re: Cisco PIX Routing

Just curious, what is default gateway for 5 network clients, inside pix or rras server?

New Member

Re: Cisco PIX Routing

Clients have 192.168.5.254 (router inside)

RRAS Server has no Default Gateway for 192.168.10.0 network.

Also for 192.168.5.0 network RRAS Server Default Gateway is 192.168.5.254

Green

Re: Cisco PIX Routing

Why is the default gateway for the router, the router? Why not inside pix?

New Member

Re: Cisco PIX Routing

Sorry acomiskey I didn't understand your question.

for the RRAS Server

Interface1:

===========

IP Address: 192.168.5.200/24

Default Gateway: 192.168.5.254 (IP Address of inside PIX)

Interface2:

===========

IP Address: 192.168.10.200/24

Default Gateway: (No Default Gateway)

Green

Re: Cisco PIX Routing

ok sorry, you referenced 5.254 being router ip address above, not pix.

New Member

Re: Cisco PIX Routing

Any chance you are using Pix/ASA 7.2x OS? There seems to be an issue with having multiple inside subnets with routes. The same-interface-traffic command is supposed to resolve the issue but for me it is not working correctly.

I am having this same issue right now.

New Member

Re: Cisco PIX Routing

Hi, I think I should upgrade the PIX firmware. I have 6.4 and that ICMP routing works only on a higher OS like 7.x.

I'll inform you if it works.
