Routing doesn't work on PIX for a certain interface

Ilya Semenov
Level 1

Hello, everybody!

I've added a VLAN interface (it is required for a Wi-Fi guest network) to my PIX and can't configure routing for it. It has IP 10.10.10.1.

All the clients in the 10.10.10.x network can ping this address and vice versa, but nothing outside it (I mean, the Internet).

 

Could you please tell me, what should I add to my current conf to fix the issue?

Many thanks in advance!


pixfirewall# sh runn
: Saved
:
PIX Version 6.3(5)
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet1 vlan10 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan10 dmz1 security99
hostname pixfirewall
fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_in permit ip any any
access-list acl_out permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.252
ip address inside 192.168.13.3 255.255.255.0
ip address dmz1 10.10.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.13.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.13.1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8080 192.168.13.1 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.13.2 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 50000 192.168.13.2 50000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 10000 192.168.13.2 10000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3333 192.168.13.165 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3334 192.168.13.181 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.13.21 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x pptp 192.168.13.20 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 55554 192.168.13.247 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.13.1 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 55555 192.168.13.97 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5060 192.168.13.121 5060 netmask 255.255.255.255 0 0
access-group acl_in in interface outside
access-group acl_out in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:03:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server radius protocol radius
aaa-server radius max-failed-attempts 3
aaa-server radius deadtime 10
aaa-server userauth protocol radius
aaa-server userauth max-failed-attempts 3
aaa-server userauth deadtime 10
aaa-server userauth (inside) host 192.168.13.1 ctrehbnb timeout 10
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no floodguard enable
telnet 192.168.13.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.13.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
pixfirewall#

 

3 Replies

Jon Marshall
Hall of Fame

Add this -

nat (dmz1) 1 10.10.10.0 255.255.255.0

Also, you really shouldn't have "permit ip any any" as your outside ACL, as in effect this turns your firewall into a router, i.e. everything is allowed in.

Jon
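The fragment below is an added example for this thread, not part of the reply above or of the posted configuration. It takes the PIX 6.3(5) config as posted and shows the nat line from the reply together with the two hardening steps a reviewer would ask for: the outside ACL rebuilt as one permit per published static instead of "permit ip any any", and the SSH management rule, which the running config opens to any Internet host, limited to a known address. It also adds an ACL on the guest VLAN so that guests can only reach the Internet. Assumptions: `x.x.x.x` stands for the outside address the poster redacted and stays redacted here; `a.b.c.d` is a placeholder for an administrator's address; the `interface outside` keyword in access-list entries is taken to be accepted by this release (if it is not, write `host <outside address>` instead).

```cisco
!--- Guest VLAN: tie 10.10.10.0/24 to global pool 1, which PATs to the outside
!--- interface address. This is the line from the reply above.
nat (dmz1) 1 10.10.10.0 255.255.255.0

!--- Rebuild acl_in as one permit per published static. The new ACEs are
!--- appended first and "permit ip any any" removed last, so the outside ACL
!--- is never empty (implicit deny) while the change is being pasted.
access-list acl_in permit tcp any interface outside eq smtp
access-list acl_in permit tcp any interface outside eq www
access-list acl_in permit tcp any interface outside eq 8080
access-list acl_in permit tcp any interface outside eq 3389
access-list acl_in permit tcp any interface outside eq 50000
access-list acl_in permit tcp any interface outside eq 10000
access-list acl_in permit tcp any interface outside eq 3333
access-list acl_in permit tcp any interface outside eq 3334
access-list acl_in permit tcp any interface outside eq ftp
access-list acl_in permit tcp any interface outside eq 55554
access-list acl_in permit tcp any interface outside eq pop3
access-list acl_in permit tcp any interface outside eq 55555
access-list acl_in permit tcp any interface outside eq 5060
!--- The pptp static maps to an explicit outside address (redacted as x.x.x.x
!--- in the post); GRE carries the PPTP data channel.
access-list acl_in permit tcp any host x.x.x.x eq pptp
access-list acl_in permit gre any host x.x.x.x
!--- PIX 6.3 does not track ICMP statefully, so replies to outbound pings and
!--- traceroutes (including the guest VLAN's ping to 8.8.8.8) must be
!--- permitted on the outside ACL explicitly.
access-list acl_in permit icmp any any echo-reply
access-list acl_in permit icmp any any time-exceeded
access-list acl_in permit icmp any any unreachable
no access-list acl_in permit ip any any
access-group acl_in in interface outside

!--- Guest VLAN may reach the Internet but never the inside LAN. Security
!--- level 99 < 100 already blocks dmz1-initiated traffic to inside; the
!--- explicit deny keeps that true if a static (inside,dmz1) is ever added.
access-list acl_dmz1 deny ip 10.10.10.0 255.255.255.0 192.168.13.0 255.255.255.0
access-list acl_dmz1 permit ip 10.10.10.0 255.255.255.0 any
access-group acl_dmz1 in interface dmz1

!--- Management: the posted config accepts SSH from any Internet host.
!--- Restrict it to a known administrator address (placeholder a.b.c.d) or
!--- remove the outside entry altogether.
no ssh 0.0.0.0 0.0.0.0 outside
ssh a.b.c.d 255.255.255.255 outside
```

After pasting, a guest host's ping to 8.8.8.8 should produce a PAT entry for its 10.10.10.x address in `show xlate`, and the hit counts in `show access-list acl_in` show which of the published services are actually being used, which is the usual way to find statics that can be retired.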

Thanks!

 

It's done - nat (dmz1) 1 10.10.10.0 255.255.255.0

 

Unfortunately, the same result - "no route to host" pinging 8.8.8.8...

From the controller, from the APs, from the clients...

 

Do you have other ideas?

If the clients are saying "no route to host" when you try to get to the Internet, then they have no default gateway set.

Have you set the default gateway on the clients to be the dmz1 IP address?

Jon