New Member

route inside statement

What does the 2nd statement mean?

ip route 0.0.0.0 0.0.0.0 192.168.229.1

route inside 10.242.26.0 255.255.255.0 192.168.116.1 1

I know the first one tells the router to send all traffic destined to the internet via 192.168.229.1, but about the 2nd I have no clue.


29 REPLIES
Hall of Fame Super Blue

Re: route inside statement

Hi

Is the second statement from a Pix/ASA firewall?

When you specify a route on the pix you tell it which interface to go out of as well as the destination network and next hop. So the above says: to get to network 10.242.26.0, go to 192.168.116.1. 192.168.116.1 is presumably a router?

Jon

New Member

Re: route inside statement

Jon, you assume well. I had forgotten to mention that this was indeed from a PIX, 7.2.

So where does this apply to? I mean, does it apply to traffic coming from the inside? If an inside host sends traffic to a host on the 10.242.26.0 network, is the PIX going to send the traffic back to the inside interface and to the network?

I'm a bit confused on that.

Re: route inside statement

It's not just the inside interface, rather any interface. The PIX would route traffic destined to 10.242.26.0/24, no matter which interface the traffic arrived on, via the inside interface to the next hop address of 192.168.116.1. The word inside in the route statement only tells the PIX the next hop is reachable via the inside interface.

HTH

Sundar

Silver

Re: route inside statement

But why must we tell the PIX about the physical interface? Normally it can detect the physical interface by itself using the ip routes from connected networks?

Does this mean the next hop can be in a network that is not directly connected?

Hall of Fame Super Blue

Re: route inside statement

Sundar

Long time no see. Glad to have you back.

Jon

Re: route inside statement

Jon,

Thanks buddy :-)

It got somewhat busy at work and I have also been putting in any spare time towards security lab preparation. Believe me, it was quite hard to stay away from Netpro all this time.

I see you have been very active and providing great responses to fellow Netpros' queries. How's your lab preparation coming along?

Regards,

Sundar

Hall of Fame Super Blue

Re: route inside statement

Sundar

Well, to be honest, not brilliantly. I'm having to do a crash course in all things MPLS at the moment as we are potentially looking to deploy our own MPLS network so I need to get up to speed.

Trouble is I find MPLS very interesting so now I'm wondering if I should be looking at CCIE SP rather than R&S. And that just about sums me up really - I'll be retired before I finally decide which CCIE to take :-)

Hope you find the time to stick around now that you're back.

Jon

New Member

Re: route inside statement

I see. So in the statement "route inside 10.242.26.0 255.255.255.0 192.168.116.1 1", the word INSIDE is only there to tell the PIX that the next-hop IP address of 192.168.116.1 is located or perhaps can be reached via the Inside network... got it... great input Sundar.

Can this apply to remote client connections as well? Obviously, they come in via the outside interface and they form the tunnel and can reach the inside network. So what if they want to reach the 10.242.26.0/24, will the PIX tell them to get there via 192.168.116.1? The Cisco VPN client remote access setup in this PIX is currently set for split-tunnel.

thanks in advance

Re: route inside statement

If the PIX isn't configured with a split tunneling policy, all traffic from the remote client would be sent through the tunnel to the PIX; that would include traffic to the 10.242.26.0/24 network. Instead, if split tunneling is configured, the split tunneling policy needs to be modified on the PIX to tell the VPN client to send traffic to network 10.242.26.0/24 via the IPSEC tunnel.

HTH

Sundar

New Member

Re: route inside statement

Great... Now I'm getting it. Sundar, thank you for all the lecture, and please excuse my simple and silly questions. I always want to be 300% sure before working and applying it to the real production environments.

I will now apply these statements to the Cisco VPN client remote access.

apie

Hall of Fame Super Blue

Re: route inside statement

Hi

Sundar has explained this perfectly. Only thing I would add is that before v7.x traffic could not be routed back out the interface it was received on. So let's say you have an outside, dmz, and inside with the route in your example.

Traffic arrives from the outside destined for 10.242.26.x and is routed to 192.168.116.1 through the inside interface.

Same for dmz traffic destined for 10.242.26.x.

But if traffic arrives on the inside interface destined for 10.242.26.x then the pix needs to send that back out the inside interface to 192.168.116.1.

Prior to version 7.x a pix could not do this. Now it can and with 7.2 it can do it with unencrypted traffic. It is a feature called hairpinning.

Jon
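As an added illustration of the point Jon makes above (this is not code from the thread), a small Python lookup over PIX-style route statements: the interface named in the route is the egress interface regardless of where the packet arrived, and when ingress equals egress the PIX has to hairpin. The default route is the OP's IOS line rewritten in PIX syntax, and the `dmz` interface and host addresses are assumed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed PIX routes: the OP's "route inside" line plus a default route
# written in PIX syntax (the OP showed it as an IOS "ip route" line).
CONFIG = """\
route outside 0.0.0.0 0.0.0.0 192.168.229.1 1
route inside 10.242.26.0 255.255.255.0 192.168.116.1 1
"""

@dataclass
class PixRoute:
    interface: str          # egress interface named in the route statement
    network: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    metric: int

def parse_pix_routes(config):
    """Parse 'route <iface> <net> <mask> <next-hop> [metric]' lines; metric defaults to 1."""
    routes = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "route":
            continue
        iface, net, mask, nh = parts[1:5]
        metric = int(parts[5]) if len(parts) > 5 else 1
        routes.append(PixRoute(iface, ipaddress.IPv4Network(f"{net}/{mask}"),
                               ipaddress.IPv4Address(nh), metric))
    return routes

def lookup(routes, dst, ingress):
    """Longest-prefix match, lowest metric on a tie. The egress interface comes
    from the matching route, whatever interface the packet arrived on; when it
    equals the ingress interface the PIX must hairpin (7.x needs
    'same-security-traffic permit intra-interface' for that)."""
    dst_ip = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if dst_ip in r.network]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))
    return {"interface": best.interface, "next_hop": str(best.next_hop),
            "hairpin": best.interface == ingress}

ROUTES = parse_pix_routes(CONFIG)

if __name__ == "__main__":
    for ingress in ("outside", "dmz", "inside"):        # 'dmz' is assumed
        print(ingress, "->", lookup(ROUTES, "10.242.26.5", ingress))
```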

New Member

Re: route inside statement

Hi Jon,

I'm having a problem with a Tunnel between a PIX-515E 6.3.4 and a PIX-525 7.2 and I think it might have to do with what you explained here.

Traffic comes from the PIX-525 (10.121.10.0) trying to reach the PIX-515E (192.168.30.0) but it can't be reached.

There is a L3 switch behind the PIX-515E where the 192.168.30.0 network resides.

There are 3 route statements in this 515E:

route inside 192.168.10.0 255.255.255.0 192.168.106.250 1

route inside 192.168.20.0 255.255.255.0 192.168.106.250 1

route inside 192.168.30.0 255.255.255.0 192.168.106.250 1

Based on this, will the traffic coming from the 525 network (10.121.10.0) be considered as trying to come out via the same interface where it came in from?

I can't get this tunnel up and I might be thinking that the 6.3 software version might have something to do with this.

thanks in advance

Hall of Fame Super Blue

Re: route inside statement

From what you have described, no, I don't think that is the issue. The traffic from the 525 should come down the tunnel through the outside interface of the 515E and then get routed out the inside to next hop 192.168.106.250. Return traffic will go back via the inside interface and down the tunnel.

This is fine and normal traffic flow. So I think it is something else.

Does the L3 switch know to route the 10.121.10.0 network back to the pix inside interface?

Jon

New Member

Re: route inside statement

Then I have no clue why the tunnel will not come up :(

The IP address of the inside interface of the 515E is 192.168.106.100.

This inside interface connects to the L3 switch. In this switch, there are the following route statements:

ip route 0.0.0.0 0.0.0.0 192.168.106.100

ip route 10.121.10.0 255.255.255.0 192.168.106.100

ip route 10.10.161.0 255.255.255.0 192.168.106.246

...

...

So I assume these lines are telling the L3 switch where to send traffic destined for the 10.121.10.0 network.

I have the same setup at the other end of the tunnel (the 525 PIX side).

Hall of Fame Super Blue

Re: route inside statement

Is it the tunnel that is not coming up, or is the tunnel coming up and you cannot get any packets to pass?

Have you tried debugging on the Pix 515E, i.e.

debug crypto isakmp

debug crypto ipsec

and then try connecting from the remote end.

Jon

New Member

Re: route inside statement

Can I issue these debug statements safely in this 515E? The reason I ask is because this pix is the door to more than 700 users currently connecting to services behind the L3 switch.

Will this degrade the performance of the PIX and perhaps cause it to freeze up?

Re: route inside statement

Angel,

Here's a PIX-to-PIX VPN tunnel example. Change the variables according to your setup.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml

Let us know if you continue to experience problems. If you can post a sanitized copy of both PIX configurations it would help us identify the issue quickly.

HTH

Sundar

New Member

Re: route inside statement

Downloading and printing the document right now.

Both configs are very long and to sanitize them will take even longer.

I will try however.

Hall of Fame Super Blue

Re: route inside statement

I wouldn't run the debugging in production hours if you can help it. All debugging puts an extra load on the CPU.

If you do a "sh crypto isa sa" on the pix 515E do you see the remote peer address and what is the state?

If you see the remote peer address and state is QM_IDLE can you run "sh run crypto ipsec sa" and see if you can find the entry for the VPN.

Jon

New Member

Re: route inside statement

"sh crypto isa sa" displays this:

64.21.75.165 63.123.69.140 QM_IDLE 0 1

64. is the IP address of the 515E

"sh run crypto ipsec sa" only displays the entire running config, as if I did a "sh run"

Hall of Fame Super Blue

Re: route inside statement

sh crypto ipsec sa NOT

sh run crypto ipsec sa

New Member

Re: route inside statement

I just did them again and same results. The "sh run crypto ipsec sa" only lists the running config.

So, what does the QM_IDLE mean?

Is this tunnel up and only not passing traffic? Or is the tunnel completely down?

Hall of Fame Super Blue

Re: route inside statement

QM_IDLE means IKE Phase 1 has been set up. So basically the peer IP addresses and the secret key agree.

If this is the pix 515E you are entering the commands on, the command is not

sh run crypto ipsec sa

it is

sh crypto ipsec sa NOTE - there is no "run" in the command

Jon

New Member

Re: route inside statement

I just issued a "sh crypto isa sa" in the 525 and these are the results:

Active SA: 2

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 2

1 IKE Peer: 68.195.218.131

Type : L2L Role : responder

Rekey : no State : MM_ACTIVE

2 IKE Peer: 63.123.69.140

Type : L2L Role : responder

Rekey : no State : MM_ACTIVE

I think it is looking good, right?

New Member

Re: route inside statement

I see. I knew everything else was right, so it is just something else... but I can't figure out what.

I just did a "sh crypto ipsec sa" and here are the results:

MDS-PIX-01# sh crypto ipsec sa

interface: outside

Crypto map tag: VPNTunnel, local addr. 63.123.69.140

local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (10.131.10.0/255.255.255.0/0/0)

current_peer: 64.21.75.165:500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 162, #pkts encrypt: 162, #pkts digest 162

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 1, #recv errors 0

local crypto endpt.: 63.123.69.140, remote crypto endpt.: 64.21.75.165

path mtu 1500, ipsec overhead 56, media mtu 1500

current outbound spi: 74d8f047

inbound esp sas:

spi: 0x3c2e6154(1009672532)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 41, crypto map: VPNTunnel

sa timing: remaining key lifetime (k/sec): (4608000/28546)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x74d8f047(1960374343)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 42, crypto map: VPNTunnel

sa timing: remaining key lifetime (k/sec): (4607990/28537)

IV size: 8 bytes

replay detection support: Y

outbound ah sas:

outbound pcp sas:

local ident (addr/mask/prot/port): (192.168.106.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)

Hall of Fame Super Blue

Re: route inside statement

Which pix is this taken from?

It looks like you have established a VPN tunnel and packets are being sent out but no packets are returning.

Jon
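Jon's reading of the output above (encaps climbing, decaps stuck at zero) can be turned into a repeatable check. The Python below is an added example, not code from the thread: it parses the "sh crypto ipsec sa" text posted above into one record per proxy-identity pair, flags one-way traffic, and compares the remote ident against the network the poster expects on the 525 side. Note that the remote ident in the output is 10.131.10.0/24 while the 525 network named earlier in the thread is 10.121.10.0/24; the check surfaces that difference so it can be compared with the crypto ACLs on both ends.

```python
import re
from ipaddress import IPv4Network

# Trimmed copy of the "sh crypto ipsec sa" output posted above (PIX 515E).
SAMPLE = """\
interface: outside
Crypto map tag: VPNTunnel, local addr. 63.123.69.140
local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.131.10.0/255.255.255.0/0/0)
current_peer: 64.21.75.165:500
#pkts encaps: 162, #pkts encrypt: 162, #pkts digest 162
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 1, #recv errors 0
local ident (addr/mask/prot/port): (192.168.106.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
"""

IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/")
COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERRORS = re.compile(r"#send errors (\d+), #recv errors (\d+)")

def parse_ipsec_sa(text):
    """One dict per proxy-identity pair; each pair starts at a 'local ident' line.
    Pairs listed without counters (like the truncated second one above) keep only idents."""
    sas = []
    for line in text.splitlines():
        m = IDENT.search(line)
        if m:
            side, addr, mask = m.groups()
            if side == "local":
                sas.append({})
            sas[-1][side] = str(IPv4Network(f"{addr}/{mask}"))   # normalise to CIDR
            continue
        if not sas:
            continue
        for name, value in COUNTER.findall(line):
            sas[-1][name] = int(value)
        m = ERRORS.search(line)
        if m:
            sas[-1]["send_errors"], sas[-1]["recv_errors"] = map(int, m.groups())
    return sas

def diagnose(sa, expected_remote=None):
    """Findings for one pair: one-way traffic, and remote ident vs the network we expect."""
    findings = []
    if "encaps" not in sa:
        return ["no counters shown for this identity pair"]
    if sa["encaps"] > 0 and sa.get("decaps", 0) == 0:
        findings.append("one-way: packets encrypted toward peer, none received back")
    if expected_remote and sa["remote"] != str(IPv4Network(expected_remote)):
        findings.append(f"remote ident {sa['remote']} != expected {IPv4Network(expected_remote)}")
    return findings
```

Running `diagnose(parse_ipsec_sa(SAMPLE)[0], "10.121.10.0/24")` reports both the one-way counters and the identity mismatch for the first pair.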

New Member

Re: route inside statement

from the 515E

How do I know which side is the one not returning the traffic?

Hall of Fame Super Blue

Re: route inside statement

Which side is initiating the connection? If this is the Pix 515E it looks like it is sending traffic out but not receiving any back.

New Member

Re: route inside statement

The 525 is the initiator according to the results of the "sh crypto isa sa" command I entered in the 525.
