Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
389
Views
0
Helpful
2
Replies

possible PIX routing table conflict

jvhaysx
Level 1
Level 1

‎10-21-2005 06:49 AM - edited ‎02-21-2020 12:28 AM

Problem: possible PIX routing table conflict

Replaced existing routes but new routes are not taking effect. I want traffic bound for 10.67.77.222 to be routed to the PIX outside but it consistently builds a connection to the inside and gives a 'no route' error. See below.

HOST SESSION

---

[rootjh@testmachine] /home/rootjh-> sftp testuser@10.67.77.222

Connecting to 10.67.77.222...

ssh: connect to host 10.67.77.222 port 22: A remote host did not respond within the timeout period.

Connection closed

[rootjh@testmachine] /home/rootjh->

SYSLOG SESSION (PIX LOG)

---

syslog01:/var/log # tail -f /var/log/PIX | grep 10.67.77.222

Oct 21 09:28:28 10.67.11.11 Oct 21 2005 09:28:25: %PIX-6-302013: Built inbound TCP connection 17056297 for dmz:192.168.33.44/40956 (192.168.33.44/40956) to inside:10.67.77.222/22 (10.67.77.222/22)

Oct 21 09:28:28 10.67.11.11 Oct 21 2005 09:28:25: %PIX-6-110001: No route to 10.67.77.222 from 192.168.33.44

Oct 21 09:28:48 10.67.11.11 Oct 21 2005 09:28:46: %PIX-6-110001: No route to 10.67.77.222 from 192.168.33.44

Oct 21 09:30:30 10.67.11.11 Oct 21 2005 09:30:27: %PIX-6-302014: Teardown TCP connection 17056297 for dmz:192.168.33.44/40956 to inside:10.67.77.222/22 duration 0:02:01 bytes 0 SYN Timeout

PIX CONFIG

---

**Previous route was removed and the range split in two:

no route inside 10.67.0.0 255.255.0.0 10.67.1.1 1

route inside 10.67.0.0 255.255.192.0 10.67.1.1 1

route inside 10.67.100.0 255.255.252.0 10.67.1.1 1

**This route was added (routes to outside, not inside):

route outside 10.67.77.222 255.255.255.255 10.68.68.68 1

access-list dmz permit tcp host 192.168.33.44 host 10.67.77.222 eq ssh

static (dmz,outside) 10.67.77.222 10.67.77.222 netmask 255.255.255.255 0 0

route outside 10.67.77.222 255.255.255.255 10.68.68.68 1

I have done a 'clear xlate' for 10.67.77.222 and it pops into the xlate table as soon as I try the connection. Again, the connection is made in the wrong direction.

I have searched the config for all references to the new IP address (10.67.77.222)

I suspect the PIX is remembering the old route, where all 10.67.0.0/16 pointed to the inside and is refusing to allow the new /32 host route to go to the outside.

I am planning a reboot of the PIX for next week, unless someone has any ideas.

Thanks,

0 Helpful
2 Replies 2

arunsing
Level 1
Level 1

‎10-21-2005 09:34 AM

Hi

I suspect that you have a static statement like

which has the entire 10.67.77.0 pointing to inside. This could be happening due to that. Pix for routing the traffic would look at the translation rule as well and if there is any translation rule that make this ip visible on the inside you would get this error.

It would be helpful if you paste the entire static statements and routes that you have.

0 Helpful

itchampnz
Level 1
Level 1
In response to arunsing

‎10-21-2005 12:21 PM

yes this will be a static enrty more than likely, please post some more config

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card