349 Views, 0 Helpful, 5 Replies

Routing Problem

Anand Narayana
Level 6

Hi,

I have got a Cisco PIX; one of the interface IP addresses on the PIX is 172.16.0.254. This PIX is connected to the core switch, which is a 3COM Layer 3 switch; it has got 2 IP addresses, 172.16.0.100 & 192.168.200.1. The default gateway IP address of this 3COM switch is 172.16.0.254.

I had given a route to reach 192.168.200.0/24 via 172.16.0.100; with this the PIX could ping 192.168.200.1, which is nothing but the IP address of the 3COM switch.

route inside 192.168.200.0 255.255.255.0 172.16.0.100

------------------------------------------

My PC IP address is 172.16.0.82, gateway is 172.16.0.254; with this I can't ping 192.168.200.1, whereas if I set my gateway IP address as 172.16.0.100, I can ping. No access-list, nothing, is configured on the 3COM as well as on the Cisco PIX for the 172.16.0.0 & 192.168.200.0 networks.

My question is, if the PIX can reach 192.168.200.1, then why can't my PC, which has the PIX IP address as gateway, reach it?

This is the log I get in the PIX:

Jun 21 11:13:25 172.16.0.254 %PIX-3-106011: Deny inbound (No xlate) icmp src inside:172.16.0.82 dst inside:192.168.200.1 (type 8, code 0)
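As an added illustration (not part of the thread), a small Python check that parses %PIX-3-106011 lines of the shape quoted above and flags the denies whose source and destination are the same PIX interface, which is exactly what the log line shows (inside to inside). The regex is built from that one line's layout and the sample lines other than the first are constructed.

```python
import re

# Regex modelled on the 106011 line quoted in the thread; field order follows
# that line (proto, src iface:ip[/port], dst iface:ip[/port]), not an official grammar.
PIX_106011 = re.compile(
    r"%PIX-3-106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
)


def parse_106011(line):
    """Return the fields of one 106011 message as a dict, or None if the line is not one."""
    m = PIX_106011.search(line)
    if not m:
        return None
    fields = m.groupdict()
    # Same interface on both sides means the packet arrived on an interface and
    # the PIX would have had to send it back out that same interface.
    fields["same_interface"] = fields["src_if"] == fields["dst_if"]
    return fields


def hairpin_denies(lines):
    """Keep only the 'No xlate' denies where src and dst interface are identical,
    i.e. a host is using the firewall as gateway for a subnet on its own side."""
    return [f for f in (parse_106011(l) for l in lines) if f and f["same_interface"]]


# Constructed sample log: first line is the one from the thread, the rest are made up.
SAMPLE_LOG = [
    "Jun 21 11:13:25 172.16.0.254 %PIX-3-106011: Deny inbound (No xlate) icmp "
    "src inside:172.16.0.82 dst inside:192.168.200.1 (type 8, code 0)",
    "Jun 21 11:13:26 172.16.0.254 %PIX-3-106011: Deny inbound (No xlate) tcp "
    "src outside:203.0.113.9/4433 dst inside:172.16.0.82/80",
    "Jun 21 11:13:27 172.16.0.254 %PIX-6-302013: Built outbound TCP connection 12 "
    "for outside:203.0.113.9/443 (203.0.113.9/443) to inside:172.16.0.82/51000 (172.16.0.254/1024)",
]

if __name__ == "__main__":
    for f in hairpin_denies(SAMPLE_LOG):
        print(f"{f['proto']} {f['src_ip']} -> {f['dst_ip']}: denied, entered and "
              f"would leave on the same interface ({f['src_if']})")
```

Only the first sample line is reported; the outside-to-inside deny is a different case and the 302013 line is not a 106011 message at all.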

5 Replies

smothuku
Level 7

Hi Anand,

The meaning of the error is:

%PIX-3-106011: Deny inbound (No xlate) string

The message will appear under normal traffic conditions if there are internal users that are accessing the Internet via a web browser. Anytime a connection is reset, when the host at the end of the connection sends a packet after the firewall receives the reset, this message will appear. It can typically be ignored.

Recommended Action: Disable this syslog message from getting logged to the syslog server by entering the no logging message 106011 command.

Related documents- No specific documents apply to this error message.

Thanks,

Satish

Hi Satish,

You have just copied & pasted the log message, whatever was on the Cisco Output Interpreter; well, even I know that & I have checked the same, but I am looking for a solution. You have just posted the last lines; I am looking for the solution which was listed above the last lines.

Your default gateway should be the IP address on the VLAN of the switch.

Why did you make it the default gateway of the firewall??

Did you have a default route of 0.0.0.0 0.0.0.0 172.16.0.254 on the Layer 3 switch?

Well, my default gateway on the switch is the PIX IP address only (172.16.0.254). Anyhow, I got the answer posted by a gentleman, "leighharrison", & hats off to him.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddedf0d

deveshkumar
Level 1

Hi Anand,

First of all, any traffic in the PIX will be allowed only if translation rules are specified, irrespective of ACLs. That means if you intend to make communication happen between two networks through the PIX without performing NAT, you still need to specify translation rules, which will be identity NAT (no NAT).

Second, by default ICMP is allowed only on the inside interface (exception: the PIX will be able to ping all connected networks).

Try this solution and then let me know your complete topology with VLANs etc.

access-list nonat permit ip

nat (inside) 0 access-list nonat

Then check again and capture the log message.

If you give me complete knowledge as said above, I'll be able to solve the issue. You can send me the diag on deveshkumar.sharma@gmail.com
