03-08-2004 08:09 AM - edited 03-02-2019 02:07 PM
Help,
Problem with inter-VLAN routing and default route to broadband internet via a PIX.
Setup: 2900 switch, 2621 router, PIX 515.
Switch has 5 VLANs (1-5) and a dot1q trunk to the 2621, where this router has sub-interfaces for the inter-VLAN routing. This router also has a default route of 0.0.0.0 to the PIX (as shown in the config). The switch also has a connection via VLAN 1 to the PIX, and the PIX is aware of all VLAN subnets and routes back to the 2621 router!
The problem I have is that all users on the switch, apart from VLAN 1, which is on the same subnet as the PIX, cannot use/route to the internet.
Please see the configs below; I can't work out why this doesn't work!!!
2950 config :
sh run
Building configuration...
Current configuration:
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
!
!
!
!
!
ip subnet-zero
!
!
!
interface FastEthernet0/1
description sales
switchport access vlan 253
!
interface FastEthernet0/2
description accounts
switchport access vlan 252
!
interface FastEthernet0/3
description H&R
switchport access vlan 251
!
i
!
interface FastEthernet0/23
description Connection To PIX
!
interface FastEthernet0/24
description Trunk To Router
switchport trunk encapsulation dot1q
switchport mode trunk
2621 Router :
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable secret 5 xxxxx
enable password xxxx
!
ip subnet-zero
!
!
no ip domain lookup
!
!
!
!
!
!
!
mta receive maximum-recipients 0
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed 100
!
interface FastEthernet0/0.1
description Management
encapsulation dot1Q 1 native
ip address 192.168.254.254 255.255.255.0
!
!
interface FastEthernet0/0.251
description H&R
encapsulation dot1Q 251
ip address 192.168.251.254 255.255.255.0
!
interface FastEthernet0/0.252
description accounts
encapsulation dot1Q 252
ip address 192.168.252.254 255.255.255.0
!
interface FastEthernet0/0.253
description sales
encapsulation dot1Q 253
ip address 192.168.253.254 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.254.253
no ip http server
!
!
!
!
Pix.
pix inside add 192.168.254.253 255.255.255.0
03-08-2004 08:45 AM
I think this is a routing issue related to the PIX.
As long as each VLAN can communicate with the others, inter-VLAN routing is working properly.
On the PIX, have you added static routes for all those subnets/VLANs?
The commands would look like this (PIX syntax is "route", not the IOS "ip route"):
route inside 192.168.251.0 255.255.255.0 192.168.254.254
route inside 192.168.252.0 255.255.255.0 192.168.254.254
route inside 192.168.253.0 255.255.255.0 192.168.254.254
This way the PIX knows where to route traffic coming from the internet to the appropriate subnet.
Hope this helps.
03-10-2004 10:53 AM
Yep,
I put these routes into the PIX! But the only subnet that could get out onto the internet was the same subnet the PIX interface is on, i.e. 192.168.254.0.
03-10-2004 11:36 AM
How about your NAT statement?
Does it look like "nat (inside) 1 0 0", or is it restricted to a particular subnet?
03-10-2004 07:33 PM
Add this to 2621 Router and try again:
router rip
network 192.168.251.0
network 192.168.252.0
network 192.168.253.0
network 192.168.254.0
ip route 0.0.0.0 0.0.0.0 192.168.254.253
03-11-2004 01:04 AM
Add this to 2621 Router and try again:
router rip
network 192.168.251.0
network 192.168.252.0
network 192.168.253.0
network 192.168.254.0
ip default-gateway 192.168.254.253
03-12-2004 07:11 AM
Hi,
I'm not entirely sure why Maiweiguan is telling you to run RIP, as this won't achieve anything. The fact that you have only posted one line of your PIX config makes it very difficult to troubleshoot this. As mentioned by the previous poster, this could be a NAT problem, a routing problem or even an ACL problem; the fact is we won't know until you post your full configs.
One thing to try in the meantime is a 'show log' on the PIX (make sure your logging level for the internal buffer is set to debug first). This will tell you if traffic is being dropped by an ACL or if there is no valid NAT statement for the particular host addresses. It will also tell you if there is 'No route to host'.
Good luck
Teggs
03-14-2004 02:47 PM
Here's my PIX config. The config for the 2900 switch and 2621 router is in the first post!!
PIX CONFIG :
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 inside security99
enable password encrypted
passwd encrypted
hostname xxx
domain-name xxxxx
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inside_outbound_nat0_acl permit ip any 192.168.5.0 255.255.255.224
access-list inside_access_in remark xxxx
access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.5.0 255.255.255.224
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxxxxxxxxx
ip address inside 192.168.1.253 255.255.255.0
ip address inside int2 192.168.254.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool xxxxx 192.168.5.1-192.168.5.20
pdm location 192.168.1.51 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.0 inside
pdm location 192.168.5.0 255.255.255.224 outside
pdm location 10.1.200.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 217.37.238.126 1
route inside 10.1.200.0 255.255.255.0 192.168.1.254 1
route inside 10.2.200.0 255.255.255.0 192.168.1.254 1
route inside 192.168.253.0 255.255.255.0 192.168.254.254 1
route inside 192.168.252.0 255.255.255.0 192.168.254.254 1
route inside 192.168.251.0 255.255.255.0 192.168.254.254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http xxxxxxx 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup drdvpn address-pool xxxxx
vpngroup drdvpn dns-server 192.168.1.4
vpngroup drdvpn wins-server 192.168.1.4 192.168.1.1
vpngroup drdvpn default-domain xxxxx
vpngroup drdvpn idle-time 1800
vpngroup drdvpn password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.40-192.168.1.49 inside
dhcpd dns xxxxxxxxx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain xxxxxxxx
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxx
: end
[OK]
03-14-2004 10:06 PM
Why is intf2 also named inside?
The following access-list
access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 any
has been applied to the inside interface using the following command:
access-group inside_access_in in interface inside
You need to permit all the remaining subnets in this access-list, so that these subnets have access to the internet.
Hope that helps.
03-15-2004 08:36 AM
Sorry guys, here's my actual PIX config. The one I posted earlier was an old version.
It doesn't look like there is any ACL stopping the subnets from accessing the internet.
Pix Config
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security99
enable password encrypted
passwd encrypted
hostname pix
domain-name xxxxxx
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.9 exch2003
access-list inside_outbound_nat0_acl permit ip any 192.168.5.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.5.0 255.255.255.224
access-list 101 permit tcp any host xxxxxxx eq smtp
access-list 101 permit tcp any host xxxxxxxx eq www
access-list 101 remark ActiveSync
access-list 101 permit tcp any host xxxxxxxx eq 990
access-list 101 remark ActiveSync
access-list 101 permit tcp any host xxxxxxxx eq 999
access-list 101 remark ActiveSync
access-list 101 permit tcp any host xxxxxxxx eq 5678
access-list 101 remark ActiveSync
access-list 101 permit tcp any host xxxxxxxxxx eq 5679
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside xxxxxxxxxxx
ip address inside 192.168.1.253 255.255.255.0
ip address intf2 192.168.254.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool xxxxxxxxx 192.168.5.1-192.168.5.20
pdm location 192.168.1.51 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.0 inside
pdm location 192.168.5.0 255.255.255.224 outside
pdm location 10.1.200.0 255.255.255.0 inside
pdm location 10.2.200.0 255.255.255.0 inside
pdm location exch2003 255.255.255.255 inside
pdm location 192.168.200.0 255.255.255.0 inside
pdm location 192.168.1.4 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.3.0 255.255.255.0 inside
pdm location 192.168.50.0 255.255.255.0 inside
pdm location 192.168.253.0 255.255.255.0 inside
pdm location 192.168.251.0 255.255.255.0 inside
pdm location 192.168.252.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (intf2) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xxxxxxxx exch2003 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 xxxxxxxxxxx 1
route inside 10.1.200.0 255.255.255.0 192.168.1.254 1
route inside 10.2.200.0 255.255.255.0 192.168.1.254 1
route inside 192.168.200.0 255.255.255.0 192.168.1.254 1
route inside 192.168.251.0 255.255.255.0 192.168.254.254 1
route inside 192.168.252.0 255.255.255.0 192.168.254.254 1
route inside 192.168.253.0 255.255.255.0 192.168.254.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
03-17-2004 01:36 AM
Hi,
You need to change:
route inside 192.168.251.0 255.255.255.0 192.168.254.254 1
route inside 192.168.252.0 255.255.255.0 192.168.254.254 1
route inside 192.168.253.0 255.255.255.0 192.168.254.254 1
to:
route intf2 192.168.251.0 255.255.255.0 192.168.254.254 1
route intf2 192.168.252.0 255.255.255.0 192.168.254.254 1
route intf2 192.168.253.0 255.255.255.0 192.168.254.254 1
This is purely because the host 192.168.254.254 hangs off the intf2 interface.
Good Luck
Teggs
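As an added example (not code from the thread or from Cisco), here is a small Python checker for the three PIX misconfigurations the replies above raise: a static route whose next hop lives on a different interface from the one the route names (Teggs' last reply), two interfaces sharing a nameif (the question about intf2 also being called inside), and an interface with no nat statement (the NAT question). The config it parses is a constructed, trimmed sample that mirrors the second posted PIX config; the outside addresses are placeholders from the documentation range, and the nat check only looks at whether a nat line names the interface at all.

```python
"""Sanity-check a PIX 6.x style config for the classic causes of
'one VLAN reaches the internet, the others do not'.  Added example;
the sample config is constructed, not taken from the thread."""
import ipaddress
import re

# Constructed sample: intf2 carries 192.168.254.0/24, but two of the
# VLAN routes name 'inside' and intf2 has no nat statement.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security99
ip address outside 203.0.113.2 255.255.255.252
ip address inside 192.168.1.253 255.255.255.0
ip address intf2 192.168.254.253 255.255.255.0
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 192.168.251.0 255.255.255.0 192.168.254.254 1
route inside 192.168.252.0 255.255.255.0 192.168.254.254 1
route intf2 192.168.253.0 255.255.255.0 192.168.254.254 1
"""

NAMEIF_RE = re.compile(r"^nameif\s+(\S+)\s+(\S+)\s+security\d+$")
ADDR_RE = re.compile(r"^ip address\s+(\S+)\s+(\S+)\s+(\S+)$")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+")
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+\d+)?$")


def parse_config(text):
    """Pull out nameif pairs, interface addresses, nat'd interfaces
    and static routes; everything else in the config is ignored."""
    cfg = {"nameifs": [], "addrs": {}, "nat_ifaces": set(), "routes": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAMEIF_RE.match(line):
            cfg["nameifs"].append((m[1], m[2]))           # (physical, name)
        elif m := ADDR_RE.match(line):
            cfg["addrs"][m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif m := NAT_RE.match(line):
            cfg["nat_ifaces"].add(m[1])
        elif m := ROUTE_RE.match(line):
            dest = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            cfg["routes"].append((m[1], dest, ipaddress.ip_address(m[4])))
    return cfg


def find_problems(cfg):
    """Return a list of human-readable findings (empty means clean)."""
    problems = []
    # 1. Two interfaces sharing a nameif (the first pasted config had two 'inside').
    seen = {}
    for phys, name in cfg["nameifs"]:
        if name in seen:
            problems.append(f"nameif {name!r} used by both {seen[name]} and {phys}")
        seen.setdefault(name, phys)
    # 2. Route next hop not on the subnet of the interface the route names.
    for iface, dest, nh in cfg["routes"]:
        if iface not in cfg["addrs"]:
            problems.append(f"route {dest} names unknown interface {iface!r}")
            continue
        net = cfg["addrs"][iface].network
        if nh not in net:
            owner = next((n for n, a in cfg["addrs"].items() if nh in a.network), None)
            hint = f" (it is on {owner})" if owner else ""
            problems.append(
                f"route {dest} via {nh} names {iface} but next hop is not in {net}{hint}")
    # 3. An addressed non-outside interface with no nat statement at all.
    for name in cfg["addrs"]:
        if name != "outside" and name not in cfg["nat_ifaces"]:
            problems.append(f"interface {name} has no nat statement")
    return problems


if __name__ == "__main__":
    for finding in find_problems(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample it reports the two routes that name inside while their next hop sits on intf2, and that intf2 has no nat line; pasting a real config in place of SAMPLE_CONFIG is enough to reuse it, since the parser skips lines it does not recognise.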