05-04-2007 06:18 AM - edited 02-21-2020 01:30 AM
Have the following problem after inserting a PIX: location1 can't reach location2, and location2 can't reach the internet. RIP is default and passive. The config worked when a Win2003 did the routing. A trace to location2 shows in the PIX log as missing route; however, the route table exists.
Any clues?
05-07-2007 01:50 PM
hmmm, no replies...
The PIX 501 has a routing table to the networks, via RIP - but when doing a traceroute from a client the log says "no route to host". It's as if there is no one home.
Have I locked the inside interface down too hard, or does this work just as the VPN tunnels - where you explicitly have to allow traffic to loop back to the next hop?
05-07-2007 11:21 PM
Hi
Is the PIX the default route for your client PCs then? So if a PC in location 1 wants to get to location 2, the traffic first goes to the PIX?
What version of PIX OS are you running, and what is the hardware version of your PIX?
Jon
05-08-2007 07:17 AM
Yes, it's the default route. And yes, the clients should receive local RIP from the PIX, so traffic is going in the right direction.
Version of PIX is the following:
CISCO SYSTEMS PIX-501
Embedded BIOS Version 4.3.200 07/31/01 15:58:22.08
Compiled by morlee
16 MB RAM
PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 00 00 1022 3000 Host Bridge
00 11 00 8086 1209 Ethernet 9
00 12 00 8086 1209 Ethernet 10
Cisco Secure PIX Firewall BIOS (4.2) #6: Mon Aug 27 15:09:54 PDT 2001
Platform PIX-501
Flash=E28F640J3 @ 0x3000000
05-08-2007 10:22 AM
Hi
Just one more question to clarify. You say that the clients should receive local RIP from the PIX. What do you mean by this? Do the clients have routes to location 2, or when they want to talk to location 2 does traffic go via the PIX (which is what your first post seems to suggest)?
If traffic has to go via the PIX then it looks like it won't work from your topology, as the traffic would have to go in and come out on the same interface. You can't do this with PIX v6.x. You can do this with v7.0, but unfortunately the PIX 501 will not run v7.0.
Can you clarify these questions?
Jon
05-08-2007 10:45 AM
Does the traffic actually do a loopback? As I said, we replaced a Windows 2003 server that had routing enabled. I don't know if the clients got the routes added or if the traffic went in and out on the same interface then.
I do, however, have an ASA 5505 in stock - are you saying this one would work better?
05-08-2007 12:49 PM
Hi
It depends on what routes are on your clients. Assuming your clients are running Windows, bring up a cmd prompt and type
"netstat -nr"
This shows you the routing table. Do your clients have a route to location 2, or do they just have a default route pointing to the PIX?
An ASA would allow traffic in and out of the same interface - it's called "hairpinning".
HTH
Jon
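The check Jon is asking for in the two replies above (does the client reach location 2 through a specific route or only through its default route to the PIX, and if through the PIX, would the PIX have to send the packet back out the inside interface) can be worked through offline. The following is an added example, not code from the thread or from Cisco: it parses a constructed "netstat -nr" table for a Windows client, models the PIX's own routing table with assumed addresses (192.168.1.0/24 inside, 10.2.0.0/16 as location 2 learned via RIP through an inside router, a default route on the outside interface), does the longest-prefix lookup both devices perform, and classifies where a packet ends up. Every address, interface name and the function names are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    iface: str                  # Windows lists the interface IP, the PIX an interface name
    net: ipaddress.IPv4Network
    gateway: Optional[str]      # None means directly connected ("On-link")
    metric: int = 0


# Constructed sample of the IPv4 section of "netstat -nr" on a Windows client in
# location 1. Addresses are assumptions for this example, not from the thread.
CLIENT_NETSTAT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.50     20
        127.0.0.0        255.0.0.0         On-link      127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link   192.168.1.50    276
"""

# Constructed model of the PIX's routing table: inside subnet connected,
# location 2 learned via RIP through a router on the inside segment, default
# route out the outside interface. Assumed addresses.
PIX_INSIDE_IP = "192.168.1.1"
PIX_ROUTES = [
    Route("inside",  ipaddress.ip_network("192.168.1.0/24"), None),
    Route("inside",  ipaddress.ip_network("10.2.0.0/16"),    "192.168.1.254"),
    Route("outside", ipaddress.ip_network("0.0.0.0/0"),      "203.0.113.1"),
]


def parse_netstat_nr(text: str) -> List[Route]:
    """Parse the IPv4 rows of Windows 'netstat -nr' output into Route objects."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0][0].isdigit():
            continue  # header line or anything that is not an IPv4 row
        dest, mask, gateway, iface, metric = parts
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gw = None if gateway.lower() == "on-link" else gateway
        routes.append(Route(iface, net, gw, int(metric)))
    return routes


def best_route(routes: List[Route], dest: str) -> Optional[Route]:
    """Longest-prefix match; lowest metric breaks ties (what hosts and the PIX do)."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r.net]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.net.prefixlen, -r.metric))


def connected_iface(pix_routes: List[Route], addr: str) -> Optional[str]:
    """PIX interface whose directly connected network contains addr."""
    ip = ipaddress.ip_address(addr)
    for r in pix_routes:
        if r.gateway is None and ip in r.net:
            return r.iface
    return None


def classify_path(client_routes: List[Route], pix_routes: List[Route],
                  pix_inside_ip: str, client_ip: str, dest: str) -> str:
    """Where does a client packet to dest end up?

    'not-via-pix'  : the client's best route does not point at the PIX
    'no-route'     : the PIX has no route for dest (the log's "no route to host")
    'hairpin'      : the PIX would have to send it back out the ingress interface,
                     which PIX 6.x refuses to do
    'forward:<if>' : the PIX forwards it out a different interface
    """
    hop = best_route(client_routes, dest)
    if hop is None or hop.gateway != pix_inside_ip:
        return "not-via-pix"
    ingress = connected_iface(pix_routes, client_ip)
    egress = best_route(pix_routes, dest)
    if egress is None:
        return "no-route"
    if egress.iface == ingress:
        return "hairpin"
    return f"forward:{egress.iface}"


if __name__ == "__main__":
    client = parse_netstat_nr(CLIENT_NETSTAT)
    for dest in ("10.2.0.10", "8.8.8.8", "192.168.1.77"):
        print(dest, "->", classify_path(client, PIX_ROUTES, PIX_INSIDE_IP, "192.168.1.50", dest))
```

With only a default route on the client, a packet for location 2 arrives on the PIX's inside interface and the PIX's RIP-learned route sends it back out inside: the "hairpin" case, which is exactly the configuration the thread says PIX 6.x cannot do. Giving the clients (or their DHCP scope) a specific route for location 2 via the inside router, or moving to an ASA running 7.x or later where `same-security-traffic permit intra-interface` enables same-interface forwarding, are the two ways out the model exposes.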