Routes not working between Pix and Router

lostrouter
Level 1

I've had this problem for a few days now and just can't seem to figure out what I am doing wrong. I have a PIX 501 set up as my gateway to the internet. Then a 2611 connects to the PIX, and finally a 2950 connects to the 2611.

PIX:
Outside > Dynamic IP
Inside > 192.168.1.1

2600:
e0/0 > 192.168.1.2
e0/1 > 172.17.1.1
e0/1.2 > 172.17.2.1
e0/1.3 > 172.17.3.1
e0/1.4 > 172.17.4.1
e0/1.5 > 172.17.5.1

So computers connected to the 2950 switch running on any of the VLANs can ping each other and work with each other. If I put a computer directly on my PIX network (192.168.1.xxx) that computer cannot talk with any of the computers on the VLANs.

What makes it really odd to me at least is the PIX 501 can ping any of the VLAN gateways like 172.17.3.1, but not ping 172.17.3.100, which I know is a computer that is active.

I keep thinking maybe I need some sort of access-list to allow 172.17.x.x traffic to pass through the pix but I am not sure on that.

PIX relevant config stuff (I think):

nat (inside) 0 access-list 104
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 172.17.0.0 255.255.0.0 0 0
route inside 172.17.1.0 255.255.255.0 192.168.1.2 1
route inside 172.17.2.0 255.255.255.0 192.168.1.2 1
route inside 172.17.3.0 255.255.255.0 192.168.1.2 1
route inside 172.17.4.0 255.255.255.0 192.168.1.2 1
route inside 172.17.5.0 255.255.255.0 192.168.1.2 1

2611 route config:

ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 192.168.1.0 255.255.255.0 192.168.1.1

If anyone has any ideas it would be greatly appreciated. I'm pretty confused on this one.

Thanks all,

LR

Accepted Solution

johansens
Level 4

Hi there,

Check this config to see if you are deviating much from it:

object-group network internal-lans
network-object 192.168.1.0 255.255.255.0
network-object 172.17.1.0 255.255.255.0
network-object 172.17.2.0 255.255.255.0
network-object 172.17.3.0 255.255.255.0
network-object 172.17.4.0 255.255.255.0
network-object 172.17.5.0 255.255.255.0

object-group icmp-type icmp-allowed
icmp-object echo
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
icmp-object redirect

access-list from-inside permit icmp object-group internal-lans any object-group icmp-allowed
access-list from-inside permit
access-list from-inside deny ip any any
access-group from-inside in interface inside

icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any unreachable inside
icmp permit any time-exceeded inside

If you put a computer on the 192.168.1.x network, you'll have to use the router as the default gateway (192.168.1.2) because of the security limitation in the PIX which prohibits a packet from leaving the same interface it entered!!

And... do this on the 2600:

no ip route 192.168.1.0 255.255.255.0 192.168.1.1

Did it help?
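To make the "same interface" limitation concrete, here is an added illustration (not Cisco code and not either poster's configuration): a small longest-prefix-match forwarding model of the PIX and the 2611 using the thread's addresses. The PIX in the model refuses to send a packet back out the interface it arrived on; the 2611 does not. The PIX outside address, its upstream next hop, the two 192.168.1.x test hosts (one with the PIX as gateway, one with the 2611) and the 172.17.3.100 host are constructed for the example. NAT, the access-list and ARP are not modelled.

```python
"""
Forwarding model for the PIX 501 / 2611 topology discussed in this thread.
Added illustration only; the outside/upstream addresses and the hosts are
constructed, the 192.168.1.0/24 and 172.17.x.0/24 addressing is the thread's.
"""
import ipaddress


class Device:
    """A router/firewall with connected routes plus static routes."""

    def __init__(self, name, interfaces, static_routes=(), hairpin_allowed=True):
        self.name = name
        self.interfaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
        self.hairpin_allowed = hairpin_allowed
        # Connected routes go first so they win ties against statics, mirroring
        # the lower administrative distance of a connected route.
        self.routes = [(i.network, None, n) for n, i in self.interfaces.items()]
        for prefix, next_hop, iface in static_routes:
            self.routes.append((ipaddress.ip_network(prefix),
                                ipaddress.ip_address(next_hop), iface))

    def owns(self, ip):
        return any(ip == i.ip for i in self.interfaces.values())

    def iface_for(self, neighbour_ip):
        """Interface whose subnet contains a neighbouring address (None if none)."""
        for name, i in self.interfaces.items():
            if neighbour_ip in i.network:
                return name
        return None

    def lookup(self, dst):
        """Longest-prefix match; returns (network, next_hop or None, out_iface)."""
        best = None
        for net, next_hop, iface in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, iface)
        return best


def trace(hosts, devices, src, dst, max_hops=8):
    """Walk a packet hop by hop. Returns (hop descriptions, status string)."""
    dst_ip = ipaddress.ip_address(dst)
    src_if = ipaddress.ip_interface(hosts[src]["addr"])
    prev_ip = src_if.ip
    # A host sends directly on its own subnet, otherwise to its default gateway.
    next_ip = dst_ip if dst_ip in src_if.network else ipaddress.ip_address(hosts[src]["gateway"])
    hops = []
    for _ in range(max_hops):
        if next_ip == dst_ip and dst in hosts:
            return hops, "delivered"
        dev = next((d for d in devices if d.owns(next_ip)), None)
        if dev is None:
            return hops, "left the modelled network"
        in_if = dev.iface_for(prev_ip)
        route = dev.lookup(dst_ip)
        if route is None:
            hops.append(f"{dev.name}: no route to {dst}")
            return hops, "no route"
        net, next_hop, out_if = route
        if in_if == out_if and not dev.hairpin_allowed:
            hops.append(f"{dev.name}: {dst} matches {net} via {out_if}, "
                        f"but the packet arrived on {in_if}: dropped")
            return hops, "dropped"
        hop_target = next_hop if next_hop is not None else dst_ip
        hops.append(f"{dev.name}: {net} via {out_if} -> {hop_target}")
        prev_ip = dev.interfaces[out_if].ip
        next_ip = hop_target
    return hops, "hop limit"


PIX = Device(
    "pix501",
    {"inside": "192.168.1.1/24", "outside": "198.51.100.2/24"},   # outside: constructed
    [(f"172.17.{n}.0/24", "192.168.1.2", "inside") for n in range(1, 6)]
    + [("0.0.0.0/0", "198.51.100.1", "outside")],                  # upstream: constructed
    hairpin_allowed=False,  # the PIX limitation described in the accepted answer
)
R2611 = Device(
    "2611",
    {"e0/0": "192.168.1.2/24", "e0/1": "172.17.1.1/24",
     **{f"e0/1.{n}": f"172.17.{n}.1/24" for n in range(2, 6)}},
    [("0.0.0.0/0", "192.168.1.1", "e0/0")],
)
DEVICES = [PIX, R2611]

HOSTS = {  # constructed hosts; the two gateways are the choices discussed in the thread
    "192.168.1.50": {"addr": "192.168.1.50/24", "gateway": "192.168.1.1"},  # PIX as gateway
    "192.168.1.51": {"addr": "192.168.1.51/24", "gateway": "192.168.1.2"},  # 2611 as gateway
    "172.17.3.100": {"addr": "172.17.3.100/24", "gateway": "172.17.3.1"},
}


def pix_gateway_case():
    return trace(HOSTS, DEVICES, "192.168.1.50", "172.17.3.100")


def router_gateway_case():
    return trace(HOSTS, DEVICES, "192.168.1.51", "172.17.3.100")


def vlan_to_pix_net():
    return trace(HOSTS, DEVICES, "172.17.3.100", "192.168.1.51")


def vlan_to_internet():
    return trace(HOSTS, DEVICES, "172.17.3.100", "203.0.113.9")  # constructed external address


if __name__ == "__main__":
    for case in (pix_gateway_case, router_gateway_case, vlan_to_pix_net, vlan_to_internet):
        hops, status = case()
        print(f"{case.__name__}: {status}")
        for hop in hops:
            print("   ", hop)
```

Running it shows the host that uses 192.168.1.1 as its gateway being dropped at the PIX (inside in, inside out), while the same destination is reached in one hop when 192.168.1.2 is the gateway; traffic from the VLAN side towards the internet still passes the PIX because it enters on inside and leaves on outside.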


3 Replies


Thanks so much, solved the problem. This creates one more question though. I have VPN set up on my PIX and when a client comes in and connects to it he gets a 192.168.1.x address. Is there any way I can give that client a 172.17.x.x address, because obviously they won't be able to do much on the 192.168.1.x network.

Thanks though for the help on the problem, helped a lot!

LR

I'm not sure I understand the reason for you wanting to have the VPN clients coming in at a 172.17.x.x address...

First of all... it would be very impractical to 'extend' one of your existing 172.17.x.x networks over to the 192.168.1.x side...

Second... what more can you do using a new 172.17.x.x network (e.g. 172.17.6.0/24) than you can do by using the already established 192.168.1.x network?

Based on your input so far, I can't really see the reason, unless you have routing to other locations which don't route the 192.168.1.x network...

Did it help?