Shakthi777
asked on
Routing Issue to another network via Cisco PIX
Please find my running config on Cisco PIX and the attached picture for the network overview.
I just need to allow traffic between 192.168.2.0 and 192.168.120.0.
Please help me, and thanks a lot!
FW1(config)# sh run
: Saved
:
PIX Version 8.0(4)
!
hostname FW1
domain-name company.local
enable password DRoOs2EWSVtHzPat encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address xx2.3x.4.2 255.255.255.224
ospf cost 10
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
ospf cost 10
!
interface Ethernet2
description LAN/STATE Failover Interface
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
domain-name company.local
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.192
access-list 110 extended permit tcp any host xx2.3x.4.28 eq 3389
access-list 110 extended permit tcp any host xx2.3x.4.8 eq ftp
access-list 110 extended permit tcp any host xx2.3x.4.8 eq www
access-list 110 extended permit tcp any host xx2.3x.4.8 eq 3389
access-list 110 extended permit tcp any host xx2.3x.4.10 eq 3389
access-list 110 extended permit tcp any host xx2.3x.4.14 eq www
access-list 110 extended permit tcp any host xx2.3x.4.15 eq www
access-list 110 extended permit tcp any host xx2.3x.4.16 eq www
access-list 110 extended permit tcp any host xx2.3x.4.18 eq www
access-list 110 extended permit tcp any host xx2.3x.4.9 eq https
access-list 110 extended permit tcp any host xx2.3x.4.9 eq smtp
access-list 110 extended permit tcp any host xx2.3x.4.9 eq pop3
access-list 110 extended permit tcp any host xx2.3x.4.20 eq 8080
access-list 110 extended permit tcp any host xx2.3x.4.20 eq 8081
access-list 110 extended permit tcp any host xx2.3x.4.21 eq www
access-list 110 extended permit tcp any host xx2.3x.4.19 eq 8080
access-list 110 extended permit tcp any host xx2.3x.4.23 eq www
access-list 110 extended permit tcp any host xx2.3x.4.13 eq www
access-list inside_nat0_outbound_1 extended permit ip any 192.168.3.0 255.255.255.192
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface LANFALL Ethernet2
failover lan enable
failover key *****
failover link LANFALL Ethernet2
failover interface ip LANFALL 172.17.100.1 255.255.255.0 standby 172.17.100.7
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 xx2.3x.4.25-xx2.3x.4.26 netmask 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp xx2.3x.4.19 8080 192.168.2.69 www netmask 255.255.255.255
static (inside,outside) tcp xx2.3x.4.22 www 192.168.2.82 8080 netmask 255.255.255.255
static (inside,outside) tcp xx2.3x.4.13 www 192.168.2.83 4000 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.8 192.168.2.47 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.10 192.168.2.90 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.14 192.168.2.81 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.15 192.168.2.11 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.16 192.168.2.68 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.18 192.168.2.111 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.9 192.168.2.14 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.20 192.168.2.13 netmask 255.255.255.255
static (inside,outside) xx2.3x.4.21 192.168.2.112 netmask 255.255.255.255
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 xx2.3x.4.1 1
route inside 192.168.120.0 255.255.255.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 65535 set security-association lifetime seconds 28800
crypto map outside_map 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map0 65535 set security-association lifetime seconds 28800
crypto map outside_map0 65535 set security-association lifetime kilobytes 4608000
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.2.0 255.255.255.255 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
Cryptochecksum:4b9b4e031fcf799faac72b844be3c7df
: end
FW1(config)#
picture1.jpg
Hi,
192.168.2.0 and 192.168.120.0 are on the inside leg, so please view it on 'another router'.
ASKER
Assuming that hosts on the 192.168.2.0/24 network use .254 as their default gateway (please confirm): YES
ikalmar: ASA still needs to do hair-pinning.
/Kvistofta
ASKER
ikalmar: here you go...
I'll be available after about 2 hours from now to take your other queries!
Thanks a lot for your great help!
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.10 (type 8, code 0)
ASKER
Please note it should be 192.168.120.2. I changed it below:
%PIX-3-305006: portmap translation creation failed for icmp src inside:192.168.2.25 dst inside:192.168.120.2 (type 8, code 0)
Hi Shakthi777,
The problem appears to be that the PIX is trying to NAT the traffic, because you have no route for it to take without NAT'ing. Both your global and specific NAT pools do not allow for un-natted traffic.
Try adding an additional access-group specifically for the 120.0 route.
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.120.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 access-list inside_nat0_outbound_1
nat (inside) 2 0.0.0.0 0.0.0.0
Paul
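Added illustration, not posted by anyone in the thread: a small Python script that parses the %PIX-3-305006 message shown above and applies a simplified model of the PIX 8.0 NAT lookup (nat 0 exemption ACL first, otherwise a global with the same NAT id on the egress interface) to show why the posted configuration fails for an inside-to-inside flow and how Paul's NONAT exemption changes the result. The NAT model, the function names and the ACL/global lists are assumptions of this example, not the firewall's actual implementation.

```python
import ipaddress
import re

# Constructed copy of the 305006 line posted in the thread (same values as the post).
LOG_LINE = ("%PIX-3-305006: portmap translation creation failed for icmp "
            "src inside:192.168.2.25 dst inside:192.168.120.2 (type 8, code 0)")

LOG_RE = re.compile(r"%PIX-3-305006: portmap translation creation failed for (?P<proto>\w+) "
                    r"src (?P<sif>\w+):(?P<src>[\d.]+) dst (?P<dif>\w+):(?P<dst>[\d.]+)")


def parse_305006(line):
    """Parse a 305006 line into (proto, src_if, src_ip, dst_if, dst_ip); None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return (m["proto"], m["sif"], ipaddress.ip_address(m["src"]),
            m["dif"], ipaddress.ip_address(m["dst"]))


def net(cidr):
    return ipaddress.ip_network(cidr)


def classify(flow, nat0_acl, globals_):
    """Assumed model of the PIX 8.0 NAT order: exemption ACL first, then a global on egress."""
    proto, sif, src, dif, dst = flow
    if any(src in s and dst in d for s, d in nat0_acl):
        return "exempt"            # identity translation, nothing to allocate
    if (dif, 1) in globals_:       # 'nat (inside) 1 0.0.0.0 0.0.0.0' matches everything else
        return "translated"
    return "failed"                # no global on the egress interface -> 305006


def hairpin(flow):
    """True when the flow enters and leaves on the same interface (intra-interface traffic)."""
    return flow[1] == flow[3]


# The posted configuration: only 192.168.3.0/26 is exempt and the only global is on outside.
ORIGINAL_NAT0 = [(net("0.0.0.0/0"), net("192.168.3.0/26"))]
GLOBALS = {("outside", 1)}
# Paul's NONAT entry appended to the exemption list.
WITH_NONAT = ORIGINAL_NAT0 + [(net("192.168.2.0/24"), net("192.168.120.0/24"))]


def diagnose(line, nat0_acl=ORIGINAL_NAT0):
    flow = parse_305006(line)
    if flow is None:
        return None
    return {"hairpin": hairpin(flow), "nat": classify(flow, nat0_acl, GLOBALS)}


if __name__ == "__main__":
    print(diagnose(LOG_LINE))              # {'hairpin': True, 'nat': 'failed'}
    print(diagnose(LOG_LINE, WITH_NONAT))  # {'hairpin': True, 'nat': 'exempt'}
```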
Hairpinning on the PIX is difficult, but can be done.
same-security permit intra-interface
route inside 192.168.120.0 255.255.255.0 192.168.2.1
static (inside,inside) 192.168.120.0 192.168.120.0 netmask 255.255.255.0
ASKER
Hi lrmoore, it's nice to see you in this thread.
BTW, your option didn't work. Please advise, and thanks!
ASKER CERTIFIED SOLUTION
ASKER
Thanks lrmoore... it worked!
same-security permit intra-interface
route inside 192.168.120.0 255.255.255.0 192.168.2.1
static (inside,inside) 192.168.120.0 192.168.120.0 netmask 255.255.255.0
static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
ASKER
Oh, it's lost the connectivity from 192.168.220.0 to 192.168.2.0... please advise, lrmoore!
add:
same-security permit intra-interface
fixup protocol icmp
If it doesn't work, add the following before trying again, collect the output and post it here.
logging on
logging cons 4
logging mon 4
term mon
debug icmp trace
/Kvistofta