Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
661
Views
0
Helpful
6
Replies

PIX routing between VLANS

jmarr
Level 1
Level 1

‎01-01-2005 09:18 PM - edited ‎02-20-2020 11:50 PM

I’m trying to configure the following

I have a Pix525 with 3 physical interfaces. The DMZ interface is configured for VLANS. Only 2 vlans are used, native (matching up to VLAN1 on my switch) is used for my DMZ servers and VLAN 55 is used to connect to a VPN 3005. A /30 is used to number VLAN 55 on the PIX to the private interface on the VPN 3005. A /24 is statically routed from the PIX, pointing to the IP address on private interface for use by various VPN clients.

My problem is that when I try to access anything from the VPN client /24 going to the DMZ interface, I get this error in the firewall log:

%PIX-6-110001: No route to 10.101.0.5 from 10.1.2.2

I can access everything from the VPN on the internal interface, I can’t figure out what’s misconfigured.

The security setting for the interfaces are configured as follows:

dmz = 50

vpn = 25

Any help will be greatly appreciated.

0 Helpful
6 Replies 6

arousch.sprint
Level 1
Level 1

‎01-03-2005 12:27 PM

Call me nutty - but I'm guessing the PIX has no route between those 2 subnets :) How are you routing between the 2 VLANS?

0 Helpful

svuorilehto
Level 1
Level 1

‎01-04-2005 11:53 PM

Hi,

I have exactly same problem. We have dmz-interface, 2 vlans used. Physical vlan is 100 (DMZ) and logical 200 (DMZ2).

Security levels are:

DMZ = 50

DMZ2 = 60

When connecting from DMZ2 to DMZ I get that 110001 log message saying there's no route from DMZ2 to DMZ...

When connecting from DMZ to DMZ2, I get "Built outbound TCP connection" -message saying that connection is built, but right after comes "Deny TCP (no connection)" -message...

sh route -command gives following output regarding to those interfaces:

C 10.100.100.0 is directly connected, DMZ

C 10.200.200.0 is directly connected, DMZ2

So I'd say that those should see each other...

Following traffic goes alright:

DMZ --> Inside

DMZ2 --> Inside

DMZ --> Outside

DMZ2 --> Outside

Access-lists and nat/globals are configured so that everything should work, but...

Is this some sort of bug? Can't PIX route traffic on vlans? I'm puzzled, please if someone has any suggestions I'd be very delighted...

*******

Saska

0 Helpful

klwilson
Level 1
Level 1
In response to svuorilehto

‎01-05-2005 04:48 PM

Our PIXs route fine vlan-vlan. Our configuration is

interface ethernet3 vlan90 physical

interface ethernet3 vlan96 logical

interface ethernet3 vlan97 logical

interface ethernet3 vlan98 logical

!

nameif ethernet0 inside security100

nameif ethernet1 Failover security80

nameif ethernet2 StateFull security85

nameif ethernet3 v security0

nameif vlan96 x security25

nameif vlan97 y security50

nameif vlan98 z security0

whereas vlan90 isn't a traffic carying vlan. So difference would be you're routing between physical to logical; I'm routing between logical to logical. You might try to convert vlan 100 to a logical vlan, see if it makes a difference.

0 Helpful

svuorilehto
Level 1
Level 1
In response to klwilson

‎01-06-2005 11:48 PM

Hi there, and thanks for the answer!

I tried that change from physical to logical, but still no effect...

What PIX version are you using? We have 6.3(1).

*******

Saska

0 Helpful

klwilson
Level 1
Level 1
In response to svuorilehto

‎01-10-2005 09:31 AM

6.3(3). Can you post a config to look at?

0 Helpful

svuorilehto
Level 1
Level 1
In response to klwilson

‎01-10-2005 11:29 PM

Hi and thanks,

Here's our config, at least strongly edited one... I have included lines I think are relevant, if there are any others you would like to examine, please let me know.

There are no route lines, because both interfaces are directly connected.

*******

Saska

----------------clip--------------------

PIX Version 6.3(1)

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full

interface ethernet2 vlan200 logical

interface ethernet2 vlan100 logical

interface ethernet3 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf7 security14

nameif ethernet3 intf3 security15

nameif vlan200 DMZ2 security60

nameif vlan100 DMZ security50

no ip address intf3

no ip address intf7

ip address DMZ2 10.200.200.1 255.255.255.224

ip address DMZ 10.100.100.1 255.255.255.0

arp timeout 14400

nat (inside) 0 access-list NO_NAT_INSIDE

nat (DMZ2) 0 10.200.200.0 255.255.255.224 0 0

nat (DMZ) 0 access-list NO_NAT_DMZ

static (inside,DMZ2) 10.18.0.0 10.18.0.0 netmask 255.255.0.0 0 0

static (DMZ2,DMZ) 10.200.200.0 10.200.200.0 netmask 255.255.255.224 0 0

----------------clip--------------------

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card