Re: Routing table supernet is incorrect - Page 2

Darren Sasso · ‎11-09-2010

Has anyone seen this before. The supernet shows up as a /24 and the new vlan 2 doesn't have a subnet assigned to it.

4506#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.128.66.0 is directly connected, Vlan2
C    192.168.1.0/24 is directly connected, Vlan1
C    192.168.3.0/24 is directly connected, Vlan10

We are running this on an old supervisor. It may be an IOS bug issue but i'm not sure.

Thanks in advance.

Federico Coto Fajardo · ‎11-09-2010

You can PING because the PIX has the route:

inside 10.128.66.0 255.255.255.0 192.168.1.6 1 OTHER static

Where 192.168.1.6 is the 4500 correct?

Which is the source IP that you're coming from? And to which interface on the PIX is connected (inside/outside)?

Federico.

Darren Sasso · ‎11-09-2010

Yes i can ping...the source address is 10.128.66.50 inside interface of the pix.

Federico Coto Fajardo · ‎11-09-2010

Now I'm confused as well with the topology :-)

Could you please include a simple drawing or explanation to check the path of the packets that we're interested in?

Federico.

Darren Sasso · ‎11-09-2010

the 4506 is on the 10.128.66.50 side....and the no route has come from the left firewall

110001: No route to 10.128.66.50 from 172.19.1.208

Thanks.

Jon Marshall · ‎11-09-2010

Can you humour me and add this to the config on the left firewall -

static (inside,outside) 10.128.66.50 10.128.66.50 netmask 255.255.255.255

and then try again.

Jon

Darren Sasso · ‎11-09-2010

I tried that but it didn't work. The weird thing is i'm able to access the same site on port 443. All of my rules are ip based meaning i'm not limiting by port i just keep getting this 'no route' error.

No route to 10.128.66.50 from 172.19.1.208

10.128.66.50 is local

172.19.1.208 is a remote server

Thanks.

Richard Burts · ‎11-09-2010

Darren

Several times you have referred to 10.128.66.50 is local. But the switch config that you posted shows it as a subnet connected to the switch. And the route information from the PIX showed it as a routed subnet and not as a local subnet. Perhaps you can clarify where that address and the machine that has the address are located in the network?

HTH

Rick

HTH

Rick

Darren Sasso · ‎11-09-2010

Rick,

Sorry for being vague, but when i say local i mean a system that sits off of the inside interface of the firewall and is the initiator of the traffic. The pix connects to the local 4560 switch and the 10.128.66.50 is directly connected to vlan 2 on that switch.

I'm able to ping 10.128.66.50 from the firewall too..just an FYI.

Thanks.