routing blunders

matthew.bauer
Level 1

Hey all,

I am at a loss. I got a 501 out of the box, 6.3.3. I assigned it a public IP address XXX.XX.XX.13 and its private IP 10.1.25.254.

The public interface is connected to a 2600; eth0's IP address is one of my public IP addresses, XXX.XX.XX.254, and se0 is 172.XX.XXX.157, which is provided by my ISP. On the inside I have a Cat4006, IP 10.1.254.254. Here is where I get confused. Before I got the 501 I could tracert IP addresses on se0 (ICMP was enabled). From the 501 I can ping eth0 of the 2600, but I can't get any traffic to go outside. I tried HTTP, DNS, FTP. I have left the ACLs as is, which to my understanding means all traffic outbound is allowed.

Before I started, I ran tracert to some IP address and could follow it to se0.

Now when I tracert, it stops at the Cat4006; it times out there.

I am getting confused on my routing statements.

On the Cat4006 I define an "ip route 0.0.0.0 0.0.0.0 10.1.25.254" so that all packets not for my network go to the private IP of the PIX. (Is that correct?)

I then tried to set a route in the PIX for the inside interface to route 0.0.0.0 0.0.0.0 to XXX.XX.XX.254 (is that right?). I don't think that it is. I can't figure out how the routing should be accomplished. Do I route the outside interface to XXX.XX.XX.254? Right now I am trying this on a 501, but in a couple of weeks I plan to use a 515e.

Any help would be appreciated.

S.O.S.

Thanks

Matt

Accepted Solution

Hi,

Your default route from the CAT switch is correct; it is pointing to the PIX's private IP. But on the PIX there is no default route. You need a statement like

route outside 0 0 xxx.xxx.xxxx.254 (the IP of your router)

Ping or traceroute may not work unless you allow them in from outside using an access-list, but other stateful protocols, e.g. HTTP/telnet, should work.

Thanks

Nadeem


bfl1
Level 1

Can you post your config?

: Saved
: Written by enable_15 at 12:13:06.330 EST Fri Nov 7 2003
PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XX encrypted
passwd XX encrypted
hostname XX
domain-name XX
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
logging on
logging trap alerts
logging host inside 10.1.254.15
mtu outside 1500
mtu inside 1500
ip address outside XXX.XX.XX.13 255.255.255.0
ip address inside 10.1.25.254 255.255.0.0
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm drop
pdm location 10.1.20.1 255.255.255.255 inside
pdm location 10.1.20.2 255.255.255.255 inside
pdm location 10.2.0.0 255.255.0.0 inside
pdm location 10.1.254.15 255.255.255.255 inside
pdm logging alerts 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.20.2 255.255.255.255 inside
http 10.1.20.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.1.20.2 pix
floodguard enable
telnet 10.1.20.2 255.255.255.255 inside
telnet 10.1.20.1 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:XX
: end
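An added example, not code from the thread or from Cisco, that lints the routing-relevant lines of the config posted above for the problem Nadeem's accepted answer identifies: it parses the nameif, route, nat and global statements, reports a missing default route or one that leaves the wrong interface (the "route on the inside interface" Matt first tried), and also flags the well-known SNMP community visible in the dump. The sample config is constructed from the posted lines, with the public address masked as the poster masked it.

```python
import re

# Constructed sample: the routing-relevant lines of the PIX 6.3(3) config
# posted in the thread, with the public address masked as the poster masked it.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside XXX.XX.XX.13 255.255.255.0
ip address inside 10.1.25.254 255.255.0.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
snmp-server community public
"""

def parse_pix(text):
    """Collect interface security levels, routes, NAT/global pairs and SNMP
    communities from a PIX 6.x configuration dump."""
    cfg = {"ifaces": {}, "routes": [], "nat": set(), "global": set(), "snmp": []}
    for line in text.splitlines():
        if m := re.match(r"nameif \S+ (\S+) security(\d+)", line):
            cfg["ifaces"][m[1]] = int(m[2])
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            cfg["routes"].append((m[1], m[2], m[3], m[4]))  # iface, net, mask, gw
        elif m := re.match(r"nat \((\S+)\) (\d+)", line):
            cfg["nat"].add((m[1], m[2]))
        elif m := re.match(r"global \((\S+)\) (\d+)", line):
            cfg["global"].add((m[1], m[2]))
        elif m := re.match(r"snmp-server community (\S+)", line):
            cfg["snmp"].append(m[1])
    return cfg

def check_pix(cfg):
    """Return the findings a reviewer would raise; an empty list means clean."""
    findings = []
    outside = {n for n, sec in cfg["ifaces"].items() if sec == 0}
    # PIX accepts "0 0" as shorthand for "0.0.0.0 0.0.0.0" in route statements.
    defaults = [r for r in cfg["routes"] if r[1] in ("0", "0.0.0.0")]
    if not defaults:
        findings.append("no default route: add 'route outside 0 0 <router-ip>'")
    for iface, _, _, gw in defaults:
        if iface not in outside:
            findings.append(f"default route via {gw} leaves {iface}, not the outside interface")
    for iface, nat_id in cfg["nat"]:
        if not any(g_id == nat_id for _, g_id in cfg["global"]):
            findings.append(f"nat ({iface}) {nat_id} has no matching global pool")
    for community in cfg["snmp"]:
        if community.lower() in ("public", "private"):
            findings.append(f"snmp-server community '{community}' is a well-known default")
    return findings

if __name__ == "__main__":
    for finding in check_pix(parse_pix(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Appending Nadeem's `route outside 0 0 XXX.XX.XX.254` to the sample clears the routing finding; only the SNMP community finding remains.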


Thanks,

that was it.

matt