PIX static routes

Openallnight
Hi,
Q. I am unable to ping or connect to hosts on a subnet.
The new subnet is connected to a Cat2950 switch, and that is connected to a PIX-501.
I am able to ping hosts on the subnet (ping inside 192.168.30.14) from the PIX (PIX IP 192.168.1.1).
I have added the route on the PIX:
PDP501(config)# sh route
        outside 0.0.0.0 0.0.0.0 66.11.70.14 1 OTHER static
        outside x.x.x.x 255.255.255.248 x.x.x.x CONNECT static
        inside 192.168.0.0 255.255.128.0 192.168.1.1 1 CONNECT static
        inside 192.168.0.0 255.255.0.0 192.168.1.1 1 OTHER static
        inside 192.168.30.0 255.255.255.0 192.168.1.1 1 OTHER static
I have tried nonat ACLs to no avail. What am I missing?
As long as you have the following line, your PIX will recognize the inside network:
-->sh run | inc route

route inside 192.168.30.0 255.255.255.0 192.168.1.1 1

Hopefully the host has its default gateway correctly configured and has the firewall and other software like VPN clients etc. disabled (which block ping).

The question is confusing; are you facing an issue with 192.168.30.x or some new subnet?

Author

Commented:
Hi, I apologize for any confusion; the inside network set up on eth1 is 192.168.1.x.
I have this in the sh route:
 inside 192.168.30.0 255.255.255.0 192.168.1.1 1 OTHER static
I can ping from the PIX command line, e.g. 'ping inside 192.168.30.13', and receive a response.
I cannot, however, ping from a PC on the inside 192.168.1.x subnet.

Commented:
Hey

Is the PC on the inside subnet using the PIX as its default gateway?  The PIX is not a router and cannot send traffic back out the same interface it originated from.
If 192.168.1.1 is a router, then realistically you should have it as your default gateway for the PCs and then route 0.0.0.0 (internet traffic) to the PIX.

If you could post the config of your PIX and the router you have on your LAN, this will make more sense.

cheers

Author

Commented:
: Saved
: Written by enable_15 at 13:56:06.989 CDT Wed Jul 8 2009
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password HGTqhzkbgujgrLZBb5WRJc encrypted
passwd oFJ1zzOigfbfhqe4ZUsHYn encrypted
hostname PDP501
domain-name yadyyadayada
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list acl_out permit gre any any
access-list acl_out permit icmp any any
access-list acl_out permit tcp any any eq 44444
access-list acl_out deny ip any any
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging on
logging trap emergencies
logging host inside 192.168.1.162
icmp deny any echo outside
icmp permit any echo-reply outside
icmp permit any information-reply outside
icmp permit any mask-reply outside
icmp permit any parameter-problem outside
icmp permit any source-quench outside
icmp permit any time-exceeded outside
icmp permit any timestamp-reply outside
icmp permit any unreachable outside
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 111.111.111.99 255.255.255.248
ip address inside 192.168.1.1 255.255.128.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 192.168.3.200-192.168.3.250
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 44444 192.168.1.162 3389 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 111.111.111.111 1
inside 192.168.30.0 255.255.255.0 192.168.1.1 1 OTHER static
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt noproxyarp inside
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address 110
crypto map outside_map 20 set peer Freebee
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key *********** netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.1.39 255.255.255.255 inside
telnet timeout 5
ssh 192.168.1.39 255.255.255.255 inside
ssh timeout 10
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 192.168.1.2
vpdn group 1 client configuration wins 192.168.1.2
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username williethejacka$$ password *************
terminal width 80
Cryptochecksum:eb84017a51ec5f9253bc7ac4a28fb50f
: end
Commented:
Ok - your route for 192.168.30.0 is doing nothing, as your PIX interface is already using 192.168.1.1 255.255.128.0 - the 192.168.30.0 subnet range exists within 255.255.128.0, so there is no need for a route.

What are the IP address, subnet mask and default gateway of the PC having an issue?

Commented:
Also - what are the subnet mask and default gateway of the machine 192.168.30.13?
I am guessing you have a subnet mask issue on your inside.

Agreed. The 17-bit subnet mask is very large and would be a very large broadcast domain. The router config would have been helpful here too. But my guess is that this mask is the issue. The PIX thinks 192.168.30.13 is on the same subnet and therefore ARPs for it. Your route statement says the same thing - that 192.168.30.0/24 is reachable via 192.168.1.1, the inside interface of the PIX, so the PIX will ARP for it. If 192.168.30.0/24 is on the other side of an internal router, your next hop IP would be the router interface IP, not the PIX's. But getting back to the mask issue, what do the IP mask and gateway look like on your internal machines?
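A worked check of the two points made in this thread (the route pointing at the PIX's own /17 interface, and the same-interface "hairpin" raised earlier). This is an added example, not code from any poster; the interface and route values are copied from the question's sh route output and the 192.168.1.50 host address is constructed.

```python
"""Check PIX static routes against the connected inside subnet.

Added example for this thread, not a Cisco tool. Values come from the
question's 'sh route' output; the PC address 192.168.1.50 is constructed.
"""
import ipaddress

# PIX inside interface as configured: 192.168.1.1 with a 17-bit mask.
INSIDE_IF = "192.168.1.1/255.255.128.0"

# (destination, mask, next hop) for the two 'OTHER static' inside routes.
ROUTES = [
    ("192.168.0.0", "255.255.0.0", "192.168.1.1"),
    ("192.168.30.0", "255.255.255.0", "192.168.1.1"),
]


def check_route(iface_cidr, dest, mask, next_hop):
    """Return findings explaining why a static route is ineffective.

    A destination inside the connected subnet is already served by the
    connected route, and a next hop equal to the PIX's own address means
    the PIX will ARP for every host itself instead of forwarding to an
    internal router.
    """
    iface = ipaddress.ip_interface(iface_cidr)
    target = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
    hop = ipaddress.ip_address(next_hop)
    findings = []
    if target.subnet_of(iface.network):
        findings.append("destination is inside the connected subnet; route is redundant")
    elif target.overlaps(iface.network):
        findings.append("destination partially overlaps the connected subnet")
    if hop == iface.ip:
        findings.append("next hop is the PIX's own interface; PIX will ARP for hosts directly")
    elif hop not in iface.network:
        findings.append("next hop is not on the connected subnet; route can never be used")
    return findings


def same_interface_hairpin(iface_cidr, src, dst):
    """True when src and dst both sit on the same PIX interface, so the
    packet would have to leave the interface it arrived on (PIX 6.3 drops it)."""
    net = ipaddress.ip_interface(iface_cidr).network
    return ipaddress.ip_address(src) in net and ipaddress.ip_address(dst) in net


if __name__ == "__main__":
    for dest, mask, hop in ROUTES:
        print(f"route {dest} {mask} {hop}:", check_route(INSIDE_IF, dest, mask, hop))
    print("hairpin 192.168.1.50 -> 192.168.30.13:",
          same_interface_hairpin(INSIDE_IF, "192.168.1.50", "192.168.30.13"))
```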

Author

Commented:
Will dig deeper and find answers...

Commented:
Hi Openallnight

You accepted Boilermaker85's comment as the sole answer when he/she was agreeing with me and reiterating what I had just said.  Was this intentional?

If not, please contact community support to amend, or I can if you like.


thx

Author

Commented:
No nothing intentional! Is there an option to split points or add on?

Commented:
No probs - I've put in a support request on it.

Yes you can split points.  See the help section:
http://www.experts-exchange.com/help.jsp

And choose points and split.  If you want to split points you can choose an accept for the most relevant and assists for other posts that also helped.  

cheers

Author

Commented:
Thanks for the tip that suggested 'looking at the router config'; the problem was return routing on the other switch. I had no access to that switch; when I was able to get in, I completed the route. There is still a hairpin issue, but I can work around it with permanent static routes on the PC I use to manage apps on the .13 subnet...
