Solved

Cannot remove old VPN static route from Pix

Posted on 2013-12-18
3
385 Views
Last Modified: 2013-12-25
Recently I removed a vpn that was routing traffic for a few subnets out my pix.
It looks like the pix will not remove the static routes that it created automatically.
Below are my static routes that are in the config and below that is the current routing table
The BOLD ones are the ones that should just go away.
On the peer firewall they went away as soon as I got rid of the access list pertaining to the vpn.  I have tried clear xlates, clear ip route ouside....but still cannot get it to go away.

Any help is appreciated.

route outside 0.0.0.0 0.0.0.0 99.123.123.1 1
route inside 10.0.0.0 255.255.255.0 192.168.13.1 1
route inside 10.0.10.0 255.255.255.0 192.168.13.1 1
route inside 10.0.11.0 255.255.255.0 192.168.13.1 1
route inside 10.0.13.0 255.255.255.0 192.168.13.1 1
route inside 10.0.14.0 255.255.255.0 192.168.13.1 1
route inside 10.0.16.0 255.255.255.0 192.168.13.1 1
route inside 192.168.0.0 255.255.0.0 192.168.13.1 1
route inside 192.168.1.164 255.255.255.255 192.168.13.1 1


Gateway of last resort is 99.123.123.1 to network 0.0.0.0

R    192.168.12.0 255.255.255.0 [120/1] via 192.168.13.1, 0:00:22, inside
C    192.168.13.0 255.255.255.0 is directly connected, inside
R    192.168.14.0 255.255.255.0 [120/1] via 192.168.13.1, 0:00:22, inside
R    192.168.15.0 255.255.255.0 [120/1] via 192.168.13.1, 0:00:22, inside
R    192.168.8.0 255.255.255.0 [120/1] via 192.168.13.1, 0:00:22, inside
R    192.168.9.0 255.255.255.0 [120/1] via 192.168.13.1, 0:00:22, inside
R    192.168.10.0 255.255.255.0 [120/1] via 192.168.13.1, 0:00:22, inside
C    99.123.123.0 255.255.255.192 is directly connected, outside
R    192.168.40.0 255.255.255.0 [120/1] via 192.168.13.1, 0:00:22, inside
R    192.168.11.0 255.255.255.0 [120/1] via 192.168.13.1, 0:00:22, inside
R    192.168.4.0 255.255.255.0 [120/1] via 192.168.13.1, 0:00:22, inside
R    192.168.5.0 255.255.255.0 [120/1] via 192.168.13.1, 0:00:22, inside
S    10.0.10.0 255.255.255.0 [1/0] via 192.168.13.1, inside
S    10.0.11.0 255.255.255.0 [1/0] via 192.168.13.1, inside
S    10.0.14.0 255.255.255.0 [1/0] via 192.168.13.1, inside
S    10.0.13.0 255.255.255.0 [1/0] via 192.168.13.1, inside
S    10.0.0.0 255.255.255.0 [1/0] via 192.168.13.1, inside
C    10.1.0.0 255.255.255.0 is directly connected, dmz
S    10.0.16.0 255.255.255.0 [1/0] via 192.168.13.1, inside
S    10.10.254.0 255.255.255.0 [1/0] via 99.123.123.1, outside
R    192.168.6.0 255.255.255.0 [120/1] via 192.168.13.1, 0:00:23, inside
R    192.168.7.0 255.255.255.0 [120/1] via 192.168.13.1, 0:00:23, inside
S    192.168.254.0 255.255.255.0 [1/0] via 99.123.123.1, outside
R    192.168.1.0 255.255.255.0 [120/1] via 192.168.13.1, 0:00:23, inside
S    192.168.1.164 255.255.255.255 [1/0] via 192.168.13.1, inside
R    192.168.2.0 255.255.255.0 [120/1] via 192.168.13.1, 0:00:23, inside
R    192.168.3.0 255.255.255.0 [120/1] via 192.168.13.1, 0:00:23, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 99.123.123.1, outside
S    192.168.0.0 255.255.0.0 [1/0] via 192.168.13.1, inside
0
Comment
Question by:brian_appliedcpu
  • 2
3 Comments
 
LVL 22

Expert Comment

by:Matt V
ID: 39732569
Have you tried:

no route outside 10.10.254.0 255.255.255.0  99.123.123.1
no route outside 192.168.254.0 255.255.255.0 99.123.123.1
0
 
LVL 2

Accepted Solution

by:
brian_appliedcpu earned 0 total points
ID: 39733148
Yes, it said they did not exist.
We eventually rebooted the firewall and it cleared the routes.
0
 
LVL 2

Author Closing Comment

by:brian_appliedcpu
ID: 39738972
Rebooting the router flushed the routes.   I think the firewall was just being stupid.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Overview Often, we set up VPN appliances where the connected clients are on a separate subnet and the company will have alternate internet connections and do not use this particular device as the gateway for certain servers or clients. In this case…
This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now