The thing is, it's working with 0.0.0.1 but i can't explain? Most logical is to add the next hope here, but why is it working with 0.0.0.1?

Regards,

Jeroen Vermeulen

Hi,

Just a left-field question; do you have OSPF running on that firewall?

Thanks,

Glen

Hello Jeroen,

this looks like a dummy IP address, I have seen 0.0.0.1 before on BSD firewalls, where it is being used as a placeholder. I can only imagine that the PIX considers this an IP address configured on an interface, and then applies the following rule:

If the route command uses the IP address from one of the interfaces on the security appliance as the gateway IP address, the security appliance will ARP for the destination IP address in the packet instead of ARPing for the gateway IP address.

Just a thought, and admittedly somewhat of a speculation...

Regards,

GNT

Hereby the runnign config:

PIX Version 7.2(1)

!

hostname pixfirewall

domain-name bla.nl

enable password xxx

names

dns-guard

!

interface Ethernet0

nameif outside

security-level 0

ip address x.x.133.197 255.255.255.248

!

interface Ethernet1

nameif inside

security-level 100

ip address 10.2.3.1 255.255.255.0

!

interface Ethernet2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet3

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet4

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet5

shutdown

no nameif

no security-level

no ip address

!

passwd 2xx.xxxxxxxYOU encrypted

ftp mode passive

dns server-group DefaultDNS

domain-name bla.nl

access-list 100 extended permit icmp any any

access-list 100 extended permit icmp any any time-exceeded inactive

access-list 100 extended permit icmp any any unreachable inactive

access-list 100 extended permit tcp any any inactive

pager lines 24

logging enable

logging buffered errors

logging trap debugging

logging asdm informational

logging facility 23

logging queue 0

logging host inside 10.2.3.54

logging debug-trace

mtu outside 1500

mtu inside 1500

failover

monitor-interface outside

monitor-interface inside

asdm image flash:/asdm-521.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group 100 in interface outside

route outside 0.0.0.0 0.0.0.0 0.0.0.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

username root password 0xxxxxxxxxxxU encrypted privilege 15

http server enable

http 10.2.3.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto isakmp identity hostname

crypto isakmp enable outside

crypto isakmp nat-traversal 20

telnet timeout 5

ssh 10.2.3.0 255.255.255.0 inside

ssh timeout 5

ssh version 2

console timeout 0

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end