Solved

Routing Issue - Cisco

Posted on 2009-04-08
Last Modified: 2012-05-06
I have a situation where in one of my offices I have a Cisco 1751 and a Cisco Pix. The Pix has internet access and the 1751 is a T1.  There is a strange situation where I need to send traffic destined for one host through the pix.

The 1751 (10.75.2.1) is the gateway in the subnet.  Under normal instances all traffic goes through this 1751 box. There is a tracker that sends traffic through an IPSEC tunnel on the Pix if the T1 is down. This part all works fine I am just telling you this so you have some context.

The pix is 10.75.2.2 - I can log into that pix and ping the address I am trying to create a route for, no problem (let's say 1.1.1.1). I have defined in the 1751 a route which looks like this.

IP ROUTE 1.1.1.1 255.255.255.255 10.75.2.2

And there are two additional routes in this 1751 router...
IP ROUTE 0.0.0.0 0.0.0.0 2.2.2.2 track 10 (this is the tracker we are using and means default is to go over the T1)
IP ROUTE 0.0.0.0 0.0.0.0 10.75.2.2 200 (this is the secondary route to send traffic to the PIX if the T1 is down)

My question is this... I cannot seem to get the pix to show up when I do a traceroute in the 1751 to this 1.1.1.1 address - and I cannot ping 1.1.1.1 either. If I take the route off that sends the traffic to 10.75.2.2 then the ping works, but this sends the traffic through my default gateway. I cannot understand why, if the pix can ping 1.1.1.1 and my 1751 gateway has a route saying that to get to 1.1.1.1 it needs to go to the pix, my 1751 cannot ping the 1.1.1.1 address...

HELP!
0
Comment
Question by:NTGuru705
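As an added illustration (not part of the thread or the poster's configuration): a small Python model of the three static routes in the 1751, showing how longest-prefix match, administrative distance and the tracked object interact. It reproduces the routes from the question (addresses as posted); 8.8.8.8 is a constructed stand-in for "some Internet host", and the track/AD handling is a simplified model of IOS static-route installation, not IOS code. The point it makes: the /32 host route sends 216.10.240.54 to the PIX whether the T1 is up or down, so the routing side of the setup was never the problem.

```python
"""Simplified model of IOS static-route installation and lookup (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class StaticRoute:
    prefix: ipaddress.IPv4Network
    next_hop: str
    distance: int = 1            # IOS default administrative distance for a static route
    track: Optional[int] = None  # tracked object id, or None for an untracked route


# The 1751's "ip route" lines as posted in the thread
ROUTES: List[StaticRoute] = [
    # default over the T1, withdrawn from the table when track 10 is down
    StaticRoute(ipaddress.ip_network("0.0.0.0/0"), "63.252.28.153", 1, track=10),
    # floating default via the PIX, AD 200, only used when no better default exists
    StaticRoute(ipaddress.ip_network("0.0.0.0/0"), "10.75.2.2", 200),
    # host route for the target, always via the PIX
    StaticRoute(ipaddress.ip_network("216.10.240.54/32"), "10.75.2.2"),
]


def rib(routes: List[StaticRoute], track_state: Dict[int, bool]) -> List[StaticRoute]:
    """Routes actually installed: tracked routes only while their track is up,
    and for the same prefix only the lowest administrative distance."""
    installed: Dict[ipaddress.IPv4Network, StaticRoute] = {}
    for r in routes:
        if r.track is not None and not track_state.get(r.track, False):
            continue  # tracked object down: route is withdrawn
        current = installed.get(r.prefix)
        if current is None or r.distance < current.distance:
            installed[r.prefix] = r
    return list(installed.values())


def lookup(routes: List[StaticRoute], track_state: Dict[int, bool], dst: str) -> Optional[str]:
    """Longest-prefix match over the installed routes; returns the next hop, or None."""
    addr = ipaddress.ip_address(dst)
    best: Optional[StaticRoute] = None
    for r in rib(routes, track_state):
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.next_hop if best else None


if __name__ == "__main__":
    for state in ({10: True}, {10: False}):   # T1 probe up, then down
        print("track 10 up" if state[10] else "track 10 down",
              "target ->", lookup(ROUTES, state, "216.10.240.54"),
              "| internet (8.8.8.8, constructed) ->", lookup(ROUTES, state, "8.8.8.8"))
```

Running it prints the PIX (10.75.2.2) as next hop for the target in both states, while generic Internet traffic flips from the T1 peer to the PIX only when the tracked probe fails.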
19 Comments
 
LVL 16

Expert Comment

by:btassure
ID: 24098755
Can you post configs of the PIX and the router please? Remove any passwords or live IPs!
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24098759
It may simply be that the PIX is not allowing ICMP replies.

If you have an access-list applied to the outside interface make sure to include this:

For example:

access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-group outside_access_in in interface outside
0
 
LVL 1

Author Comment

by:NTGuru705
ID: 24098837
PIX CONFIG
=====================================
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 123 encrypted
passwd 123 encrypted
hostname CedarRapids-Pix
domain-name mycompany.com
clock timezone CST -6
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
fixup protocol dns maximum-length 1500
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit icmp any any
access-list ipsec permit ip 10.75.2.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat permit ip 10.75.2.0 255.255.255.0 10.0.0.0 255.0.0.0
pager lines 24
logging on
logging timestamp
logging monitor warnings
logging buffered warnings
logging trap warnings
logging history warnings
logging queue 100
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.75.2.2 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 10.1.1.200 source inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
service resetinbound
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map dynmap 10 ipsec-isakmp
crypto map dynmap 10 match address ipsec
crypto map dynmap 10 set peer me.me.me.me
crypto map dynmap 10 set transform-set myset
crypto map dynmap interface outside
isakmp enable outside
isakmp key ******** address me.me.me.me netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:515657131f024f65043d72ca460f48c1
: end
CedarRapids-Pix#
====================================

ROUTER
====================================
Building configuration...

Current configuration : 1587 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CedarRapids
!
boot-start-marker
boot-end-marker
!
no logging console
enable password 123
!
no aaa new-model
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
ip cef
ip sla monitor 1
 type echo protocol ipIcmpEcho 63.252.28.153 source-ipaddr 63.252.28.154
 tos 160
 timeout 2000
 tag MPLS-MONITOR
 frequency 10
ip sla monitor schedule 1 life forever start-time now
!
!
!
!
track 10 rtr 1
 delay down 5 up 5
!
class-map match-all CLASS-EF-QOS
 match access-group 101
class-map match-all CLASS-SET-DSCP-EF
 match access-group 100
!
!
policy-map T1-QOS
 class CLASS-EF-QOS
  priority 128
policy-map POLICY-SET-DSCP-EF
 class CLASS-SET-DSCP-EF
  set dscp ef
!
!
!
interface Loopback0
 ip address 10.75.1.99 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.75.2.1 255.255.255.0
 ip helper-address 10.1.1.206
 speed auto
 full-duplex
 service-policy input POLICY-SET-DSCP-EF
!
interface Serial0/0
 ip address 63.252.28.154 255.255.255.252
 encapsulation ppp
 service-module t1 timeslots 1-24
 service-policy output T1-QOS
!
ip route 0.0.0.0 0.0.0.0 63.252.28.153 track 10
ip route 0.0.0.0 0.0.0.0 10.75.2.2 200
ip route 216.10.240.54 255.255.255.255 10.75.2.2
no ip http server
!
!
!
access-list 100 permit ip host 10.75.2.6 any
access-list 101 permit ip any any dscp ef
!
!
!
control-plane
!
!
line con 0
line aux 0
 modem InOut
 transport input all
 speed 57600
line vty 0 4
 password 123
 login
!
end

CedarRapids#
0
 
LVL 43

Accepted Solution

by:JFrederick29 (earned 500 total points)
ID: 24098863
Okay, add this to the PIX:

access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-group outside_access_in in interface outside

You should be able to ping 1.1.1.1 afterwards.
0
 
LVL 16

Expert Comment

by:btassure
ID: 24098919
Bah. Beat me to it!
0
 
LVL 1

Author Comment

by:NTGuru705
ID: 24098926
I should say in the instance above 216.10.240.54 is the IP I am trying to get to...
0
 
LVL 1

Author Comment

by:NTGuru705
ID: 24098941
That did it.. now help me understand why?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24098946
Yeah, I figured <8-]

Anyway, the ICMP rules allow any IP on the Internet to reply.
0
 
LVL 1

Author Comment

by:NTGuru705
ID: 24098948
I had this..

access-list acl_out permit icmp any any
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24098959
The PIX by default blocks ICMP replies from the outside/Internet even though it allows the TCP/UDP return traffic (yeah, it's silly). So, connectivity was there all along, the PIX was simply blocking ICMP.
0
 
LVL 1

Author Comment

by:NTGuru705
ID: 24098963
Also why doesn't the pix show up on my traceroute from my 1751?
Thanks
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24098966
>I had this..

access-list acl_out permit icmp any any

Yeah, but it wasn't applied to the interface with the "access-group" command.
0
 
LVL 1

Author Comment

by:NTGuru705
ID: 24098968
JF - I had this
0
 
LVL 1

Author Comment

by:NTGuru705
ID: 24098971
access-list acl_out permit icmp any any
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24098983
>Also why doesn't the pix show up on my traceroute from my 1751?

A PIX by default doesn't appear as a hop in the traceroute.  It "stealths" itself for a little added security (not really).  In later versions of code you can make it decrement the TTL (make it appear in a traceroute).
0
 
LVL 1

Author Comment

by:NTGuru705
ID: 24098996
Ahh... I see so if I just added it then it would work the way I had it before?
Also strange that I have ALWAYS been able to ping the outside interface from another host? So why was that?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24099002
In summary:

>That did it.. now help me understand why?
The PIX by default blocks ICMP replies from the outside/Internet even though it allows the TCP/UDP return traffic (yeah, it's silly). So, connectivity was there all along, the PIX was simply blocking ICMP.

>I had this..
access-list acl_out permit icmp any any
Yeah, but it wasn't applied to the interface with the "access-group" command.

>Also why doesn't the pix show up on my traceroute from my 1751?
A PIX by default doesn't appear as a hop in the traceroute.  It "stealths" itself for a little added security (not really).  In later versions of code you can make it decrement the TTL (make it appear in a traceroute).
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24099020
>Also strange that I have ALWAYS been able to ping the outside interface from another host? So why was that?

The PIX interfaces are treated differently.  Pinging the PIX itself doesn't use the interface access-lists.  Use the "icmp permit or icmp deny" commands to block/permit ICMP to itself.  By default, all interfaces reply to ICMP.
0
 
LVL 1

Author Comment

by:NTGuru705
ID: 24099054
awesome.. I just applied the acl_out to the interface and that fixed it.
Thanks for your help..!
0
