No Route Error

mcpjkeegan
Level 1

I have a PIX with four interfaces

Outside – Security 0

Extranet – Security 15 - 10.3.0.0/16

DMZ – Security 50 - 10.2.0.0/16

Inside – Security 100

I am having problems getting traffic between the Extranet and DMZ interfaces. Traffic between the other interfaces works fine.

When trying to ping or WWW between the Extranet and DMZ interfaces I see the following error message: “No route to 10.3.1.3 from 10.2.0.13”. Since these networks are directly connected and I can ping these addresses from the PIX, and since I can also access each of these interfaces from the Inside interface, I doubt it really is a routing error.

I think it’s a translation issue, but can’t figure out what. I’d like to have the address from extranet and DMZ to be translated to themselves (i.e. traffic from 10.2.0.1 on the DMZ should be from 10.2.0.1 on the extranet).

Please check out my config and let me know if you have any idea. Config has been pruned of non-related info.

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

nameif ethernet3 extranet security15

nameif ethernet4 eth4 security20

nameif ethernet5 failover security25

hostname bri52-zfw01

access-list from-dmz permit tcp any any object-group Webservices

access-list from-dmz permit tcp object-group PS-Webservers any object-group PS_JOLT_PROD

access-list from-dmz permit tcp host 10.2.0.24 host 10.1.2.74 object-group CumulusPorts

access-list from-dmz permit tcp any host 10.1.2.23 object-group VBulletin

access-list from-dmz permit udp any host 10.1.2.23 eq pcanywhere-status

access-list from-dmz permit tcp any object-group Mail-servers_ref_2 object-group Mail-services

access-list from-dmz permit udp any object-group Mail-servers_ref_2 eq 113

access-list from-dmz permit tcp any object-group Remote-access-internal_ref_1 object-group External-services

access-list from-dmz permit udp any object-group Remote-access-internal_ref_1 object-group External-services-udp

access-list from-dmz permit tcp object-group Webservers object-group MerlinAppServers_ref object-group Merlin-app-ports

access-list from-dmz permit udp object-group Webservers object-group MerlinAppServers_ref object-group Merlin-app-shared-folder

access-list from-dmz permit icmp any any

access-list from-dmz permit tcp any any object-group Domain-trust-TCP

access-list from-dmz permit udp any any object-group Domain-trust-UDP

access-list from-dmz permit udp any any

access-list from-dmz permit tcp any host 65.122.194.108 eq smtp

access-list VPN-IRL remark Prevent any VoIP traffic to be routed over the VPN to IRL

access-list VPN-IRL deny ip 10.10.0.0 255.255.0.0 172.18.0.0 255.255.0.0

access-list VPN-IRL remark Allow VPN connection to IRL

access-list VPN-IRL permit ip 10.0.0.0 255.192.0.0 172.18.0.0 255.255.0.0

access-list VPN-IRL remark Allow VPN connection to IRL from RA VPN Pool

access-list VPN-IRL permit ip 172.16.1.0 255.255.255.0 172.18.0.0 255.255.0.0

access-list VPN-HIL remark Allow VPN connection to HIL

access-list VPN-HIL permit ip 10.0.0.0 255.192.0.0 172.20.0.0 255.255.0.0

access-list VPN-HIL remark Allow VPN connection to HIL from RA VPN Pool

access-list VPN-HIL permit ip 172.16.1.0 255.255.255.0 172.20.0.0 255.255.0.0

access-list NO-NAT remark Don't NAT traffic sent to IRL

access-list NO-NAT permit ip 10.0.0.0 255.192.0.0 172.18.0.0 255.255.0.0

access-list NO-NAT remark Don't NAT traffic sent to HIL

access-list NO-NAT permit ip 10.0.0.0 255.192.0.0 172.20.0.0 255.255.0.0

access-list NO-NAT-DMZ remark Don't NAT traffic sent to IRL

access-list NO-NAT-DMZ permit ip 10.2.0.0 255.255.0.0 172.18.0.0 255.255.0.0

access-list NO-NAT-DMZ remark Don't NAT traffic sent to HIL

access-list NO-NAT-DMZ permit ip 10.2.0.0 255.255.0.0 172.20.0.0 255.255.0.0

access-list NO-NAT-DMZ permit ip 10.2.0.0 255.255.0.0 10.3.0.0 255.255.0.0

Remainder of config next post

1 Reply

mcpjkeegan
Level 1

access-list from-extranet remark Allow all traffic from SSL VPN devices

access-list from-extranet permit ip object-group hosts-priv-Remote-Access-Pool any

access-list NO-NAT-extranet remark Don't NAT traffic sent to IRL

access-list NO-NAT-extranet permit ip 10.3.0.0 255.255.0.0 172.18.0.0 255.255.0.0

access-list NO-NAT-extranet permit ip 172.16.1.0 255.255.255.0 172.18.0.0 255.255.0.0

access-list NO-NAT-extranet remark Don't NAT traffic sent to HIL

access-list NO-NAT-extranet permit ip 10.3.0.0 255.255.0.0 172.20.0.0 255.255.0.0

access-list NO-NAT-extranet permit ip 172.16.1.0 255.255.255.0 172.20.0.0 255.255.0.0

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu extranet 1500

mtu eth4 1500

mtu failover 1500

ip address outside 65.122.194.253 255.255.255.0

ip address inside 10.4.2.21 255.255.255.0

ip address dmz 10.2.0.1 255.255.0.0

ip address extranet 10.3.1.1 255.255.0.0

ip address eth4 10.4.0.5 255.255.255.252

ip address failover 10.4.0.9 255.255.255.252

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list NO-NAT

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz) 0 access-list NO-NAT-DMZ

nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

nat (extranet) 0 access-list NO-NAT-extranet

nat (extranet) 1 0.0.0.0 0.0.0.0 0 0

static (inside,extranet) 172.18.0.0 172.18.0.0 netmask 255.255.0.0 0 0

static (inside,extranet) 172.20.0.0 172.20.0.0 netmask 255.255.0.0 0 0

static (inside,extranet) 10.0.0.0 10.0.0.0 netmask 255.192.0.0 0 0

static (inside,extranet) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0

static (dmz,extranet) 10.2.0.0 10.2.0.0 netmask 255.255.0.0 0 0

access-group from-internet in interface outside

access-group inside_access_in in interface inside

access-group from-dmz in interface dmz

access-group from-extranet in interface extranet

routing interface inside

ospf priority 0

ospf message-digest-key xxxx

router ospf 1

network 10.0.0.0 255.192.0.0 area 10.0.0.0

area 10.0.0.0 authentication message-digest

log-adj-changes

redistribute static subnets

default-information originate

route outside 0.0.0.0 0.0.0.0 65.122.194.254 1

route extranet 172.16.1.0 255.255.255.0 10.3.1.5 1

route outside 198.147.174.72 255.255.255.255 65.122.194.251 1

route outside 198.151.185.90 255.255.255.255 65.122.194.251 1

route outside 198.151.185.91 255.255.255.255 65.122.194.251 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

floodguard enable

sysopt connection permit-ipsec

sysopt noproxyarp dmz
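To compare the two directions of the extranet/DMZ flow the poster is asking about, here is a small Python helper (added here, not part of the original post) that parses the NAT-relevant lines copied from the config above and reports which "nat 0 access-list" entry or identity static covers a given source address toward a given interface. It only reports what the pasted lines say; it does not decide whether a particular PIX version requires a translation in that direction.

```python
import ipaddress
import re

# NAT-relevant lines copied from the config posted above (not a complete config).
PIX_CONFIG = """
access-list NO-NAT-DMZ permit ip 10.2.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list NO-NAT-DMZ permit ip 10.2.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list NO-NAT-DMZ permit ip 10.2.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list NO-NAT-extranet permit ip 10.3.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list NO-NAT-extranet permit ip 10.3.0.0 255.255.0.0 172.20.0.0 255.255.0.0
nat (dmz) 0 access-list NO-NAT-DMZ
nat (extranet) 0 access-list NO-NAT-extranet
static (dmz,extranet) 10.2.0.0 10.2.0.0 netmask 255.255.0.0 0 0
"""


def net(addr, mask):
    # PIX writes "address netmask"; ipaddress accepts "address/netmask".
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    acls, nat0, statics = {}, {}, []
    for line in config.strip().splitlines():
        m = re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
            continue
        m = re.match(r"nat \((\S+)\) 0 access-list (\S+)", line)
        if m:
            nat0[m[1]] = m[2]
            continue
        # static (real_if,mapped_if) mapped_ip real_ip netmask mask
        m = re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)", line)
        if m:
            statics.append((m[1], m[2], m[3], m[4], net(m[4], m[5])))
    return acls, nat0, statics


def identity_rules(config, src_if, dst_if, src, dst):
    """Config lines that translate src to itself when it talks to dst via dst_if."""
    acls, nat0, statics = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = []
    acl = nat0.get(src_if)  # nat 0 ACL bound to the source interface, if any
    for s, d in acls.get(acl, []):
        if src in s and dst in d:
            hits.append(f"nat ({src_if}) 0 access-list {acl}")
    for real_if, mapped_if, mapped, real, real_net in statics:
        # Identity static: mapped address equals real address, same interface pair.
        if (real_if, mapped_if) == (src_if, dst_if) and mapped == real and src in real_net:
            hits.append(f"static ({real_if},{mapped_if}) {mapped} {real}")
    return hits
```

Running it for the two hosts named in the error message shows the DMZ side is covered twice (nat 0 and the static) while the extranet side has no matching entry at all.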