Routing problem from inside to inside via PIX

khuysmans
Level 1

Hello,

I am using a Cisco PIX 506E Version 6.3(4).

My inside interface is 192.168.5.1/24. The interface connects to a Cisco Catalyst 4503, the interface in question is in VLAN 20.

On the 4503, I have recently created a new VLAN (30). This VLAN holds 192.168.6.0/24. On the 4503 I have created a VLAN interface, which acts as default gateway for the 192.168.6.0/24 network, IP: 192.168.6.2. The IP of the VLAN interface on the 4503 belonging to VLAN 20 is 192.168.5.2.

My hosts in VLAN 30 have default gateway 192.168.6.2 - the Cisco 4503.

My hosts in VLAN 20 have default gateway 192.168.5.1 - the Cisco PIX.

I am trying to establish connectivity between the 2 networks. When I try to connect from 192.168.5.10 (a random host) to 192.168.6.10 (another random host), I see that the PIX complains about not having a route to 192.168.6.10 from 192.168.5.10.

(PIX-6-110001 No route to 192.168.6.10 from 192.168.5.10)

I did however add a route on the PIX which shows up as such:

inside 192.168.6.0 255.255.255.0 192.168.5.2 1 OTHER static

So I am trying to explain to the PIX that it can find 192.168.6.0/24 via 192.168.5.2.

With regards to NAT'ing:

global (outside) 1 interface

nat (inside) 0 access-list acl-nonat

nat (inside) 1 access-list acl-inside 0 0

I thought for a moment that it might have had something to do with NAT'ing, so I added this to the ACL acl-nonat:

access-list acl-nonat line 4 permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0 (hitcnt=0)

access-list acl-nonat line 4 permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0 (hitcnt=0)

access-list acl-nonat line 4 permit ip 192.168.6.0 255.255.255.0 192.168.5.0 255.255.255.0 (hitcnt=0)

access-list acl-nonat line 4 permit ip 192.168.6.0 255.255.255.0 192.168.6.0 255.255.255.0 (hitcnt=0)

Because I don't want the PIX to NAT this traffic.

After all this, it is still complaining about not having a route.

Does anybody have an idea what I might still try to fix this?

With kind regards,

Kevin

1 Accepted Solution


Unfortunately, PIX does not route or redirect traffic off the interface it received the packet. Unlike a router, the PIX cannot route packets back through the same interface where the packet was initially received.

Reference CCO URL:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a0080094874.shtml

Another suggestion to you is, if there's only a handful of hosts on the 192.168.5.0/24 NET that need to get to the 192.168.6.0/24 NET then you can add a static route on them to use 4503 as the next hop to get to 192.168.6.0/24.

Let me know if it helped.

--Sundar


sstudsdahl
Level 4

The issue that you are running into is that the PIX won't issue an ICMP redirect to tell your client on the 192.168.5.0/24 network that it needs to send traffic to the 192.168.5.2 address in order to reach the 192.168.6.0/24 network.

You have a couple of options that you can use to fix this issue. The first would be to point the default gateway of the systems on the 192.168.5.0/24 network (excluding the PIX) to the 192.168.5.2 address on the 4503. This will allow all the systems on the 192.168.5.0/24 network to communicate to the 192.168.6.0/24 network. As long as the 4503 has a default route that points at the PIX (192.168.5.1), the 4503 will then issue the ICMP redirect to tell the devices on the 192.168.5.0/24 subnet to send traffic to 192.168.5.1 for all networks that the 4503 does not have a route for.

The second option, and probably the cleaner option, would be to set up a new network between the PIX and the 4503. You could change the port on the 4503 that the PIX connects to into a routed port for the new subnet. You could also create a new VLAN and the required "interface vlan" and then move the port that the PIX connects to into the new VLAN. With this option, you would still need to change the clients on the 192.168.5.0/24 subnet to point at the IP address assigned to the 4503 interface. An easy way to do this would be to move the 192.168.5.1/24 IP to the 4503 so you don't have to touch any of the clients. If your clients are using DHCP it may be just as easy to update the default gateway for these systems there too. The "cleaner" portion of this option is just getting rid of all the ICMP redirects that would be sent in the first option.

HTH,

Steve
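To make the same-interface rule in Sundar's accepted answer and the ICMP-redirect behaviour Steve describes concrete, here is an added Python model (not code from this thread or from Cisco) that runs the PIX's forwarding decision against Kevin's routing table beside a router's, and shows why a per-host static route sidesteps the PIX entirely. The outside default route and its next hop are assumptions; all addresses are taken from the thread or are constructed placeholders.

```python
import ipaddress

# Constructed model of the thread's topology: the PIX's only inside interface
# sits on 192.168.5.0/24 and carries Kevin's static route for 192.168.6.0/24
# via the 4503 (192.168.5.2). The outside default route is an assumed placeholder.
PIX_ROUTES = [
    ("192.168.5.0/24", None, "inside"),          # connected
    ("192.168.6.0/24", "192.168.5.2", "inside"),  # Kevin's static route
    ("0.0.0.0/0", "198.51.100.1", "outside"),     # assumed default route
]
# A host on VLAN 20 before and after Sundar's per-host static route.
HOST_DEFAULT_ONLY = [("0.0.0.0/0", "192.168.5.1")]                  # gateway = PIX
HOST_WITH_STATIC = [("192.168.6.0/24", "192.168.5.2")] + HOST_DEFAULT_ONLY

def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop[, iface]) tuples; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        net = ipaddress.ip_network(route[0])
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net,) + tuple(route[1:])
    return best

def pix_forward(src, dst, ingress="inside"):
    """PIX 6.3 rule: a packet is never sent back out the interface it arrived on,
    so a route whose egress equals the ingress interface is as good as no route."""
    hit = lookup(PIX_ROUTES, dst)
    if hit is None or hit[2] == ingress:
        return ("drop", f"PIX-6-110001 No route to {dst} from {src}")
    return ("forward", hit[1] or dst, hit[2])

def router_forward(src, dst, ingress="inside"):
    """What a router such as the 4503 does with the same table: forward anyway and,
    when the next hop is on the ingress interface, send the host an ICMP redirect."""
    hit = lookup(PIX_ROUTES, dst)
    if hit is None:
        return ("drop", f"no route to {dst} from {src}")
    if hit[2] == ingress:
        return ("forward+redirect", hit[1])
    return ("forward", hit[1] or dst, hit[2])

def host_next_hop(host_routes, dst):
    """Where a 192.168.5.0/24 host sends the packet; with the static route the
    PIX never sees the flow, so it has nothing to refuse."""
    return lookup(host_routes, dst)[1]
```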

Hello Steve,

I had already considered the first option, but there are a few servers in the 192.168.5.0/24 subnet that are configured with a fixed IP and I want to avoid touching them. Furthermore, the 192.168.5.0/24 is the "main subnet" on this site (holds the most users). The 192.168.6.0/24 holds a couple of users and is only temporary.

So what I really want to achieve is make this work with my PIX within the current configuration. If I could somehow get the PIX to route traffic to 192.168.6.0/24 correctly to 192.168.6.2 when it is sourced in 192.168.5.0/24, I would be happy.

Note that this doesn't merely concern ICMP traffic, it is the same for TCP traffic. The PIX complains it doesn't have a route to 192.168.6.0/24. When I manually try to reach the 192.168.6.0/24 network from the PIX it works though, it seems to only fail when my traffic is sourced in 192.168.5.0/24.

With kind regards,

Kevin

Thanks Sundar,

That is what I feared. The PIX does not route traffic to the interface it received the traffic on.

I have changed the default gateway for all hosts on all VLAN's to the 4503, since that one should be able to do all the routing I want it to do. It is working correctly now.

Thanks for all the suggestions everyone!

With kind regards,

Kevin

victory_cm
Level 1

I hope you cannot re-route the packets through the PIX to the 192.168.6.0 network through the same interface where the packet entered the PIX from the other network. Instead, the PIX can have 2 interfaces (inside & outside).
