
New Member

Hosts on internal subnets can't access internet without proxy

I have the following net config...

               DMZ 192.168.50.0
                     |
                     |
Internet<-PIX515<--192.168.0.0---2600#1<--WAN 192.168.254.254--2600#2<--192.168.3.0

Hosts on 192.168.3.0 configured with a gateway of 192.168.3.1 (2600#2 local int) can't connect directly to the internet without the aid of a proxy on the 192.168.0.0 network. Likewise, they (192.168.3.0 hosts) cannot connect to the DMZ; packets are dropped.

I'm assuming that this is because of the PIX principle of a packet not exiting the same interface it entered, however, I wanted to verify there wasn't a workaround, such as setting the default gateway of 2600#2 to the inside interface of 2600#1 (192.168.0.254). Currently it's set to 192.168.254.1, WAN side of 2600#1.

I have included the 192.168.3.0 and 192.168.254.0 as part of the NAT statements so I'm not quite sure what else it could be. 2600#1's default gw is 192.168.0.1 (PIX inside), and the default gw of 2600#2 is 192.168.254.1 (WAN side of 2600#1). Hosts on 192.168.3.0 default gw is 192.168.3.1.

5 REPLIES
New Member

Re: Hosts on internal subnets can't access internet without proxy

Hi

What does the routing table look like on the pix?

Rgds

Kev

New Member

Re: Hosts on internal subnets can't access internet without proxy

Here's the PIX routing table...

outside 0.0.0.0 0.0.0.0 [Access router IP] 1 OTHER static
outside [External subnet from ISP] 1 CONNECT static
inside 192.168.0.0 255.255.255.0 192.168.0.1 1 CONNECT static
service 192.168.50.0 255.255.255.0 192.168.50.1 1 CONNECT static

New Member

Re: Hosts on internal subnets can't access internet without proxy

Try adding a route to the 192.168.3.0 network via 2600#1's 192.168.0.0 interface IP address, i.e.

route inside 192.168.3.0 255.255.255.0 192.168.0.whatever

Rgds

Kev
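To see why the missing route matters, here is an added example (not from the thread or from Cisco) that models the PIX routing table posted above and checks the symmetry rule the original poster mentions: the reply to a flow must leave on the interface the request came in on. It assumes 2600#1's inside address is 192.168.0.254, as the original post states, and uses a placeholder for the ISP next hop.

```python
import ipaddress

# Constructed model of the PIX routing table posted in the thread.
# Each entry: (interface, network, next hop). The ISP next hop is a placeholder.
PIX_ROUTES = [
    ("outside", "0.0.0.0/0", "ACCESS-ROUTER-IP"),    # default route
    ("inside", "192.168.0.0/24", "192.168.0.1"),
    ("service", "192.168.50.0/24", "192.168.50.1"),  # DMZ
]
# The same table after Kev's suggested route (plus one for the WAN link between the 2600s),
# assuming 2600#1's inside interface is 192.168.0.254.
PIX_ROUTES_FIXED = PIX_ROUTES + [
    ("inside", "192.168.3.0/24", "192.168.0.254"),
    ("inside", "192.168.254.0/24", "192.168.0.254"),
]

def lookup(table, dst):
    """Longest-prefix match: return (egress interface, next hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for iface, net, nh in table:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[1].prefixlen):
            best = (iface, n, nh)
    return None if best is None else (best[0], best[2])

def check_flow(table, ingress, src, dst):
    """Firewall's view of one flow: the request from src enters on `ingress`;
    the reply back to src must leave on that same interface, or it is dropped."""
    fwd = lookup(table, dst)
    back = lookup(table, src)
    if fwd is None or back is None:
        return "no route"
    if fwd[0] == ingress:
        return "dropped: would exit %s, the interface it entered" % ingress
    if back[0] != ingress:
        return "dropped: reply to %s would leave via %s, not %s" % (src, back[0], ingress)
    return "ok: %s -> %s, reply via %s" % (ingress, fwd[0], back[0])

if __name__ == "__main__":
    for table in (PIX_ROUTES, PIX_ROUTES_FIXED):
        print(check_flow(table, "inside", "192.168.3.10", "192.168.50.5"))  # to the DMZ web server
        print(check_flow(table, "inside", "192.168.3.10", "198.51.100.7"))  # to the internet
```

Without the route, replies to 192.168.3.x fall through to the default route and are pushed toward the outside interface; with it, they are sent back through 2600#1.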

New Member

Re: Hosts on internal subnets can't access internet without proxy

Yep, that did it. Thanks for clearing the cobwebs. As soon as I saw your response I kicked myself.

I added the static routes for the other subnets; however, the hosts on the 192.168.3.0 network still cannot connect to our web server on the DMZ without help from the proxy. I even added entries to the hosts' routing tables for their respective remote networks and it still doesn't work. Odd?

Re: Hosts on internal subnets can't access internet without proxy

Check to see if the 2600 has 'ip classless' configured. This is the default after 12.0 code, but maybe 'no ip classless' is in there. With the addressing you're using, this would affect people getting to the internet (or other networks than the 192.168.x.x networks you use).

Also, when you say the 2600's default gw, are you using the 'ip default-gateway' command, or is the next hop on the end of an all-0s static route (ip route 0.0.0.0 0.0.0.0 x.x.x.x)? It has to be a static route. The default-gateway option is used when IP routing is disabled on the router and during router bootup before IOS is loaded.
