Beginner

Adding a static Route

Hi All,

At one of my sites I cannot reach the router.

I want to add the following route on the router and the PIX firewall:

ip route 10.8.39.180 255.255.255.224 10.8.37.153

 

Router Config

Building configuration...

Current configuration : 5921 bytes
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname IIBF_Chennai_1841
!
boot-start-marker
boot system flash flash:c1841-advsecurityk9-mz.124-25a.bin
boot-end-marker
!
security passwords min-length 8
logging buffered 4096 informational
no logging console
no logging monitor
enable secret 5 $1$6iT7$6CgDsCex4Kbyvf/GBUiZ6/
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
!
resource policy
!
clock timezone IST 5 30
no ip source-route
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
!
isdn switch-type basic-net3
!
!
username cisco password 7 121A0C0411042C557878
username cneta secret 5 $1$m0P9$b6JBcgua3ccFe9rJ676t.0
archive
log config
hidekeys
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.16
encapsulation dot1Q 1618
ip address 10.8.37.154 255.255.255.252
no cdp enable
!
interface FastEthernet0/1.1618
shutdown
no cdp enable
!
interface BRI0/0/0
description ****04424805100***
no ip address
encapsulation ppp
shutdown
dialer pool-member 10
isdn switch-type basic-net3
isdn point-to-point-setup
!
interface Serial0/1/0
bandwidth 256
no ip address
encapsulation ppp
clock rate 2000000
!
interface Serial0/1/1
bandwidth 256
ip address 172.16.1.2 255.255.255.252
encapsulation ppp
!
interface Dialer10
description ** ISDN TO MUMBAI**
ip address 192.168.203.2 255.255.255.252
encapsulation ppp
dialer pool 10
dialer remote-name IIBF3745
dialer idle-timeout 300
dialer-group 1
ppp authentication chap
ppp multilink
!
router eigrp 1
redistribute connected
redistribute static
network 0.0.0.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 192.168.203.1 200
ip route 10.8.37.228 255.255.255.252 10.8.37.153
ip route 10.8.39.180 255.255.255.224 10.8.37.153
ip route 10.10.233.64 255.255.255.254 10.8.37.153
ip route 192.168.2.0 255.255.255.0 10.8.37.153
ip route 192.168.2.0 255.255.255.0 192.168.203.1 200
ip route 192.168.3.0 255.255.255.0 10.0.0.2
ip route 192.168.4.0 255.255.255.0 10.8.37.153
ip route 192.168.4.0 255.255.255.0 192.168.203.1 200
ip route 192.168.5.0 255.255.255.0 10.8.37.153
ip route 192.168.5.0 255.255.255.0 192.168.203.1 200
ip route 192.168.6.0 255.255.255.0 10.0.0.2
ip route 192.168.8.0 255.255.255.0 10.8.37.153
ip route 192.168.8.0 255.255.255.0 192.168.203.1 200
ip route 192.168.10.0 255.255.255.0 10.8.37.153
ip route 192.168.10.0 255.255.255.0 192.168.203.1 200
ip route 192.168.11.0 255.255.255.0 10.8.37.153
ip route 192.168.11.0 255.255.255.0 192.168.203.1 200
ip route 192.168.19.0 255.255.255.0 10.8.37.153
ip route 192.168.19.0 255.255.255.0 192.168.203.1 200
ip route 192.168.21.0 255.255.255.0 10.8.37.153
ip route 192.168.21.0 255.255.255.0 192.168.203.1 200
ip route 192.168.30.0 255.255.255.0 10.8.37.153
ip route 192.168.30.0 255.255.255.0 192.168.203.1 200
ip route 192.168.201.0 255.255.255.0 10.8.37.153
ip route 192.168.201.0 255.255.255.0 192.168.203.1 200
!
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 120 requests 100
ip tacacs source-interface FastEthernet0/0
!
logging source-interface FastEthernet0/0
logging 192.168.201.16
access-list 98 permit 192.168.201.13
access-list 98 permit 192.168.201.16
access-list 100 deny eigrp any any
access-list 100 permit ip any any
dialer-list 1 protocol ip list 100
snmp-server community !!bf RW 98
snmp-server host 192.168.201.13 version 2c !!bf
no cdp run
!
!
!
!
!
tacacs-server host 192.168.201.11
tacacs-server directed-request
tacacs-server key 7 015247065D2B0B1B
!
control-plane
!
!
banner login ^CC

*********************************************************
* *
* *
* IIIII IIIII BBBB FFFFF *
* I I B B F *
* I I BBBB FFF *
* I I B B F *
* IIIII IIIII BBBB F *
* *
* *
* You are being watched. If you are an unauthorized *
* user logoff immediately *
* *
*********************************************************
^C
privilege interface level 15 shutdown
privilege interface level 15 ip address
privilege interface level 15 ip
privilege interface level 15 description
privilege interface level 15 no shutdown
privilege interface level 15 no ip address
privilege interface level 15 no ip
privilege interface level 15 no description
privilege interface level 0 no
privilege configure level 15 interface
privilege exec level 15 write
privilege exec level 15 configure terminal
privilege exec level 15 configure
privilege exec level 15 terminal monitor
privilege exec level 1 terminal
privilege exec level 15 show running-config
privilege exec level 1 show
!
line con 0
exec-timeout 3 0
password 7 070C285F4D0639544541
line aux 0
exec-timeout 0 1
no exec
transport output none
line vty 0 4
exec-timeout 3 0
password 7 111D580212005A5E57
transport input ssh
line vty 5 15
password 7 111D580212005A5E57
!
scheduler allocate 20000 1000
ntp clock-period 17178542
ntp server 192.168.19.200
end

 

PIX Firewall Config

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 serv security50
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name wr
clock timezone IST 5 30
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network IIBFNW
network-object 192.168.21.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
network-object 192.168.5.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
object-group network IIBFhttp
network-object 192.168.21.11 255.255.255.255
network-object 192.168.21.12 255.255.255.255
network-object 192.168.21.13 255.255.255.255
network-object 192.168.21.14 255.255.255.255
object-group network IIBFChennai
network-object 192.168.6.11 255.255.255.255
network-object 192.168.6.21 255.255.255.255
network-object 192.168.6.13 255.255.255.255
network-object 192.168.6.20 255.255.255.255
network-object 192.168.6.18 255.255.255.255
object-group service XManager tcp
port-object range 6000 6010
access-list NO-NAT permit ip 192.168.3.0 255.255.255.0 any
access-list 100 permit ip any any
access-list 100 permit icmp any any
access-list acl-outside permit tcp object-group IIBFhttp 192.168.6.0 255.255.255.0 eq 3389
access-list acl-outside permit tcp object-group IIBFhttp host 192.168.3.27 eq telnet
access-list acl-outside permit tcp object-group IIBFhttp host 192.168.3.32 eq telnet
access-list acl-outside permit udp object-group IIBFhttp host 192.168.3.26 eq xdmcp
access-list acl-outside permit tcp object-group IIBFhttp host 192.168.3.31 eq cmd
access-list acl-outside permit tcp object-group IIBFhttp host 192.168.3.31 eq login
access-list acl-outside permit tcp object-group IIBFhttp host 192.168.3.31 eq exec
access-list acl-outside permit tcp object-group IIBFhttp host 192.168.3.26 eq ssh
access-list acl-outside permit tcp object-group IIBFhttp host 192.168.3.26 eq cmd
access-list acl-outside permit tcp object-group IIBFhttp host 192.168.3.26 eq login
access-list acl-outside permit tcp object-group IIBFhttp host 192.168.3.26 eq exec
access-list acl-outside permit udp object-group IIBFhttp host 192.168.3.31 eq xdmcp
access-list acl-outside permit tcp object-group IIBFhttp host 192.168.3.31 eq telnet
access-list acl-outside permit tcp object-group IIBFhttp host 192.168.3.26 eq telnet
access-list acl-outside permit tcp 192.168.10.0 255.255.255.0 host 192.168.3.31 eq ftp
access-list acl-outside permit tcp object-group IIBFhttp host 192.168.3.31 eq 3389
access-list acl-outside permit tcp object-group IIBFhttp host 192.168.3.31 eq ftp
access-list acl-outside permit tcp object-group IIBFhttp host 192.168.3.31 eq 1522
access-list acl-outside permit tcp object-group IIBFhttp host 192.168.3.31 eq sqlnet
access-list acl-outside permit tcp object-group IIBFhttp host 192.168.3.31 eq 1158
access-list acl-outside permit tcp object-group IIBFhttp host 192.168.3.31 eq 1157
access-list acl-outside permit tcp object-group IIBFhttp host 192.168.3.31 eq 1156
access-list acl-outside permit tcp object-group IIBFhttp host 192.168.3.31 eq 1810
access-list acl-outside permit tcp object-group IIBFNW host 192.168.3.31 eq 7779
access-list acl-outside permit tcp object-group IIBFNW host 192.168.3.31 eq 7778
access-list acl-outside permit tcp object-group IIBFNW host 192.168.3.31 eq 7777
access-list acl-outside permit tcp host 192.168.11.15 host 192.168.3.26 eq ftp
access-list acl-outside permit tcp host 192.168.11.72 host 192.168.3.26 eq ftp
access-list acl-outside permit tcp host 192.168.11.7 host 192.168.3.26 eq ftp
access-list acl-outside permit tcp 192.168.10.0 255.255.255.0 host 192.168.3.26 eq ftp
access-list acl-outside permit tcp object-group IIBFhttp host 192.168.3.26 eq 5560
access-list acl-outside permit tcp object-group IIBFhttp host 192.168.3.26 eq 3389
access-list acl-outside permit tcp object-group IIBFhttp host 192.168.3.26 eq ftp
access-list acl-outside permit tcp 192.168.10.0 255.255.255.0 host 192.168.3.26 eq 1522
access-list acl-outside permit tcp object-group IIBFhttp host 192.168.3.26 eq 1522
access-list acl-outside permit tcp object-group IIBFhttp host 192.168.3.26 eq sqlnet
access-list acl-outside permit tcp object-group IIBFhttp host 192.168.3.26 eq 1158
access-list acl-outside permit tcp object-group IIBFhttp host 192.168.3.26 eq 1157
access-list acl-outside permit tcp object-group IIBFhttp host 192.168.3.26 eq 1156
access-list acl-outside permit icmp any any
access-list acl-outside permit tcp object-group IIBFNW 192.168.6.0 255.255.255.0 eq 2425
access-list acl-outside permit udp object-group IIBFNW 192.168.6.0 255.255.255.0 eq 2425
access-list acl-outside permit udp host 192.168.201.16 any eq snmp
access-list acl-outside permit tcp any host 192.168.3.254 eq telnet
access-list acl-outside permit tcp host 192.168.21.11 host 192.168.3.26 eq ssh
access-list acl-outside permit tcp host 192.168.21.11 host 192.168.3.31 eq ssh
access-list acl-outside permit tcp 192.168.10.0 255.255.255.0 host 192.168.3.26 eq sqlnet
access-list acl-outside permit tcp 192.168.10.0 255.255.255.0 host 192.168.3.31 eq cmd
access-list acl-outside permit tcp 192.168.10.0 255.255.255.0 host 192.168.3.26 eq cmd
access-list acl-outside permit tcp host 192.168.8.70 host 192.168.6.13 eq 2967
access-list acl-outside permit tcp host 192.168.8.70 host 192.168.6.11 eq 2967
access-list acl-outside permit tcp host 192.168.201.24 host 192.168.3.254 eq www
access-list acl-outside permit udp host 192.168.201.13 host 192.168.3.254 eq snmp
access-list acl-outside permit tcp object-group IIBFhttp host 192.168.3.31 eq ssh
access-list acl-outside permit udp host 192.168.201.13 host 10.0.0.2 eq snmp
access-list acl-outside permit ip host 192.168.201.20 host 10.0.0.2
access-list acl-outside permit tcp host 192.168.10.31 host 192.168.3.31 eq ssh
access-list acl-inside permit tcp 192.168.6.0 255.255.255.0 any eq www
access-list acl-inside permit tcp 192.168.6.0 255.255.255.0 any eq ftp-data
access-list acl-inside permit tcp 192.168.6.0 255.255.255.0 any eq https
access-list acl-inside permit tcp 192.168.6.0 255.255.255.0 any eq ftp
access-list acl-inside permit tcp 192.168.6.0 255.255.255.0 any eq domain
access-list acl-inside permit tcp 192.168.6.0 255.255.255.0 any eq imap4
access-list acl-inside permit tcp 192.168.6.0 255.255.255.0 any eq smtp
access-list acl-inside permit tcp 192.168.6.0 255.255.255.0 any eq pop3
access-list acl-inside permit ip 192.168.6.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list acl-inside permit ip 192.168.6.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list acl-inside permit ip 192.168.6.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list acl-inside permit ip 192.168.6.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list acl-inside permit ip 192.168.6.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list acl-inside permit ip 192.168.6.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list acl-inside permit ip 192.168.6.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list acl-inside permit ip 192.168.6.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list acl-inside permit ip 192.168.6.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list acl-inside permit tcp object-group IIBFChennai host 192.168.3.31 eq 1810
access-list acl-inside permit tcp object-group IIBFChennai host 192.168.3.31 eq 7779
access-list acl-inside permit tcp object-group IIBFChennai host 192.168.3.31 eq 7778
access-list acl-inside permit tcp object-group IIBFChennai host 192.168.3.31 eq 7777
access-list acl-inside permit tcp object-group IIBFChennai host 192.168.3.26 eq telnet
access-list acl-inside permit tcp object-group IIBFChennai host 192.168.3.31 eq telnet
access-list acl-inside permit udp 192.168.6.0 255.255.255.0 any eq domain
access-list acl-inside permit icmp 192.168.6.0 255.255.255.0 any
access-list acl-inside permit tcp 192.168.6.0 255.255.255.0 any eq 587
access-list acl-inside permit tcp host 192.168.6.11 host 192.168.8.70 eq 2967
access-list acl-inside permit tcp 192.168.6.0 255.255.255.0 any eq 995
access-list acl-serv permit tcp host 192.168.3.31 object-group IIBFhttp object-group XManager
access-list acl-serv permit tcp host 192.168.3.26 object-group IIBFhttp object-group XManager
access-list acl-serv permit icmp 192.168.3.0 255.255.255.0 any
access-list acl-serv permit tcp host 192.168.3.31 any eq smtp
access-list acl-serv permit tcp host 192.168.3.26 any eq smtp
access-list acl-serv permit tcp host 192.168.3.31 192.168.10.0 255.255.255.0 eq sqlnet
access-list acl-serv permit tcp host 192.168.3.26 192.168.10.0 255.255.255.0 eq sqlnet
access-list acl-serv permit udp host 192.168.3.254 host 192.168.19.200 eq ntp
access-list acl-serv permit tcp host 192.168.3.254 host 192.168.201.11 eq tacacs
access-list acl-serv permit tcp host 192.168.3.31 any eq domain
access-list acl-serv permit tcp host 192.168.3.26 any eq domain
access-list acl-serv permit udp host 192.168.3.26 any eq domain
access-list acl-serv permit udp host 192.168.3.31 any eq domain
access-list acl-serv permit ip host 192.168.3.254 host 192.168.201.13
access-list NONAT permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list NONAT_SERVER permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.0.0
pager lines 24
logging on
logging trap informational
logging device-id ipaddress outside
logging host outside 192.168.201.16
logging host outside 192.168.201.20
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu serv 1500
ip address outside 10.0.0.2 255.255.255.0
ip address inside 192.168.6.100 255.255.255.0
ip address serv 192.168.3.100 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address serv
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.6.0 255.255.255.0 0 0
nat (serv) 0 access-list NONAT_SERVER
nat (serv) 1 192.168.3.0 255.255.255.0 0 0
static (serv,outside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0 0 0
access-group acl-outside in interface outside
access-group acl-inside in interface inside
access-group acl-serv in interface serv
established tcp 0 6000 permitto tcp 6000 permitfrom tcp 1024-65535
established udp 0 177 permitto udp 0 permitfrom udp 177
established tcp 0 6000 permitto tcp 6000 permitfrom tcp 0
route outside 0.0.0.0 0.0.0.0 10.0.0.204 1
route outside 10.0.0.0 255.0.0.0 10.0.0.1 1
route outside 10.10.233.0 255.255.255.0 10.8.37.153 1
route outside 59.185.0.0 255.255.0.0 10.0.0.1 1
route outside 172.16.0.0 255.255.0.0 10.0.0.1 1
route outside 192.168.0.0 255.255.0.0 10.0.0.1 1
route outside 192.168.10.0 255.255.255.0 10.0.0.1 1
route outside 192.168.10.44 255.255.255.255 10.0.0.1 1
route outside 192.168.201.0 255.255.255.0 10.0.0.1 1
route outside 202.159.0.0 255.255.0.0 10.0.0.1 1
route outside 203.94.0.0 255.255.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 192.168.19.200 source outside
http server enable
http 192.168.201.24 255.255.255.255 outside
http 192.168.201.20 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
http 192.168.6.0 255.255.255.0 inside
snmp-server host outside 192.168.201.13 poll
no snmp-server location
no snmp-server contact
snmp-server community !!bf
snmp-server enable traps
floodguard enable
telnet 192.168.201.24 255.255.255.255 outside
telnet 192.168.6.11 255.255.255.255 inside
telnet 192.168.3.254 255.255.255.255 serv
telnet timeout 5
ssh 192.168.21.120 255.255.255.255 outside
ssh 192.168.201.16 255.255.255.255 outside
ssh 192.168.21.11 255.255.255.255 outside
ssh 192.168.21.12 255.255.255.255 outside
ssh 192.168.201.13 255.255.255.255 outside
ssh 192.168.201.24 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 2
terminal width 511
Cryptochecksum:28aabfe73c687a51ed971ec71a28b765
: end

 

Kindly help to solve the issue.
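One thing worth checking before adding the route as typed: 10.8.39.180 with mask 255.255.255.224 is not on a /27 boundary (the host bits are set; the network is 10.8.39.160/27). The script below is an added example, not code from the original post. It copies a subset of the static routes from the two configs above, flags any prefix typed with host bits set, and reproduces the longest-prefix lookup each box makes for 10.8.39.180, so you can see which next hop the PIX and the router would pick before touching either device.

```python
"""Longest-prefix-match check over the static routes posted in this thread.

Added example, not code from the original post: the route lines below are a
subset copied from the router and PIX configs above, and the lookup mirrors
what each box does with a packet for 10.8.39.180 (static entries only).
"""
import ipaddress
from dataclasses import dataclass

# Subset of the router's `ip route` lines (net mask next-hop [distance]).
ROUTER_ROUTES = """
ip route 0.0.0.0 0.0.0.0 192.168.203.1 200
ip route 10.8.37.228 255.255.255.252 10.8.37.153
ip route 10.8.39.180 255.255.255.224 10.8.37.153
ip route 10.10.233.64 255.255.255.254 10.8.37.153
ip route 192.168.2.0 255.255.255.0 10.8.37.153
ip route 192.168.2.0 255.255.255.0 192.168.203.1 200
"""

# Subset of the PIX `route` lines (route ifname net mask gateway metric).
PIX_ROUTES = """
route outside 0.0.0.0 0.0.0.0 10.0.0.204 1
route outside 10.0.0.0 255.0.0.0 10.0.0.1 1
route outside 10.10.233.0 255.255.255.0 10.8.37.153 1
route outside 192.168.0.0 255.255.0.0 10.0.0.1 1
"""


@dataclass
class Route:
    typed: str                      # "net mask" exactly as written in the config
    prefix: ipaddress.IPv4Network   # normalized to the network boundary
    next_hop: ipaddress.IPv4Address
    distance: int                   # IOS administrative distance / PIX metric


def parse_routes(text):
    """Both syntaxes carry net, mask and next hop at tokens 2..4 and an
    optional distance/metric at token 5, so one parser serves both boxes."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        net, mask, nh = tok[2], tok[3], tok[4]
        dist = int(tok[5]) if len(tok) > 5 else 1
        iface = ipaddress.IPv4Interface(f"{net}/{mask}")  # keeps host bits
        routes.append(Route(f"{net} {mask}", iface.network,
                            ipaddress.IPv4Address(nh), dist))
    return routes


ROUTER = parse_routes(ROUTER_ROUTES)
PIX = parse_routes(PIX_ROUTES)


def misaligned(routes):
    """Routes typed with host bits set under their mask, shown next to the
    prefix that a device would actually install (or reject, platform dependent)."""
    return [f"{r.typed} -> {r.prefix}" for r in routes
            if ipaddress.IPv4Address(r.typed.split()[0]) != r.prefix.network_address]


def lookup(routes, dst):
    """Longest prefix match; among equal-length prefixes the lowest distance wins."""
    dst = ipaddress.IPv4Address(dst)
    cands = [r for r in routes if dst in r.prefix]
    if not cands:
        return None
    return max(cands, key=lambda r: (r.prefix.prefixlen, -r.distance))


def path(dst):
    """Next hop chosen on the PIX, then on the router, for a destination."""
    pix, rtr = lookup(PIX, dst), lookup(ROUTER, dst)
    return (str(pix.next_hop) if pix else None,
            str(rtr.next_hop) if rtr else None)


if __name__ == "__main__":
    print("misaligned router routes:", misaligned(ROUTER))
    print("10.8.39.180 path (PIX, router):", path("10.8.39.180"))
```

The script only compares static entries and does not model connected interfaces, so use it to reason about the two hops, not as a full RIB. On the devices themselves the equivalent checks are `show ip route 10.8.39.180` on the router and `show route` on the PIX; if the router shows the /27 as 10.8.39.160, it normalized the route for you, and if it is absent, the command was rejected.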

 

 

 

 

VIP Collaborator

Re: Adding a static Route

Hello, 

It looks like 10.8.37.153 is the next hop from the router's FastEthernet0/1.16 interface.  So your config "ip route 10.8.39.180 255.255.255.224 10.8.37.153" will work in the router.

Then, it seems that the PIX's outside interface is on the same network as the router's FastEthernet0/0 interface. So you would need to point the route in the PIX to the router:

route outside 10.8.39.180 255.255.255.224 10.0.0.1 1

However, it doesn't appear as if it would be necessary since the PIX already has the route for all of the 10.x.x.x network already in place:

route outside 10.0.0.0 255.0.0.0 10.0.0.1 1

Hope this helps

 

Beginner

Re: Adding a static Route

Hi Chrihussey,

 

We tried that, but we are not able to reach 10.8.39.180. So we plan to bypass the firewall by removing it from the network.

 

Kindly help with the routing.

VIP Collaborator

Re: Adding a static Route

I think the routing may be correct; it's the security policy in the PIX that's probably denying the traffic. I don't see where it is allowed.

Regards
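The point in the reply above can be checked line by line. On PIX 6.3 each interface ACL is applied inbound (`access-group ... in interface`) and evaluated top down with an implicit deny at the end. The posted acl-inside permits TCP from 192.168.6.0/24 to any destination only on a handful of ports (www, https, ftp, smtp and a few others), plus ICMP and DNS, and otherwise only full IP access to specific 192.168.x.0/24 networks; acl-serv permits even less. So whether a flow to 10.8.39.180 is allowed depends entirely on its protocol and port. The script below is an added example, not code from the original post: it copies a subset of the ACL lines from the posted PIX config and re-implements the first-match evaluation so candidate flows can be tested before any routes are changed.

```python
"""First-match evaluation of the PIX 6.3 interface ACLs posted in this thread.

Added example, not code from the original post. The ACL lines are a subset
copied verbatim from the posted PIX config; the object-group and port names
are the ones those lines use.
"""
import ipaddress

# Network object-group copied from the PIX config (host members only).
OBJECT_GROUPS = {
    "IIBFChennai": ["192.168.6.11/32", "192.168.6.21/32", "192.168.6.13/32",
                    "192.168.6.20/32", "192.168.6.18/32"],
}

# Port names as PIX prints them, for the lines below.
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "ftp-data": 20, "telnet": 23,
              "ssh": 22, "smtp": 25, "domain": 53, "pop3": 110, "sqlnet": 1521}

# Subset of the access-list lines from the posted PIX config, in config order.
PIX_ACLS = """
access-list acl-inside permit tcp 192.168.6.0 255.255.255.0 any eq www
access-list acl-inside permit tcp 192.168.6.0 255.255.255.0 any eq https
access-list acl-inside permit tcp 192.168.6.0 255.255.255.0 any eq ftp
access-list acl-inside permit tcp 192.168.6.0 255.255.255.0 any eq smtp
access-list acl-inside permit ip 192.168.6.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list acl-inside permit tcp object-group IIBFChennai host 192.168.3.31 eq telnet
access-list acl-inside permit udp 192.168.6.0 255.255.255.0 any eq domain
access-list acl-inside permit icmp 192.168.6.0 255.255.255.0 any
access-list acl-serv permit tcp host 192.168.3.31 any eq smtp
access-list acl-serv permit icmp 192.168.3.0 255.255.255.0 any
access-list acl-serv permit tcp host 192.168.3.31 192.168.10.0 255.255.255.0 eq sqlnet
"""


def _take_addr(tokens):
    """Consume one PIX address spec from the front of tokens; return networks."""
    t = tokens.pop(0)
    if t == "any":
        return [ipaddress.IPv4Network("0.0.0.0/0")]
    if t == "host":
        return [ipaddress.IPv4Network(tokens.pop(0) + "/32")]
    if t == "object-group":
        return [ipaddress.IPv4Network(m) for m in OBJECT_GROUPS[tokens.pop(0)]]
    mask = tokens.pop(0)                      # plain "net mask" pair
    return [ipaddress.IPv4Network(f"{t}/{mask}")]


def parse_acls(text):
    """Return {acl_name: [(action, proto, src_nets, dst_nets, dport, line), ...]}."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        name, action, proto, rest = tok[1], tok[2], tok[3], tok[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:                # destination port, named or numeric
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        acls.setdefault(name, []).append((action, proto, src, dst, dport, line))
    return acls


ACLS = parse_acls(PIX_ACLS)


def evaluate(acl_name, proto, src_ip, dst_ip, dport=None):
    """First matching entry decides; no match is the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, p, srcs, dsts, port, line in ACLS[acl_name]:
        if p != "ip" and p != proto:
            continue
        if not any(s in n for n in srcs) or not any(d in n for n in dsts):
            continue
        if port is not None and port != dport:
            continue
        return action, line
    return "deny", f"implicit deny at end of {acl_name}"


if __name__ == "__main__":
    for flow in [("acl-inside", "tcp", "192.168.6.11", "10.8.39.180", 80),
                 ("acl-inside", "tcp", "192.168.6.11", "10.8.39.180", 22),
                 ("acl-serv", "tcp", "192.168.3.31", "10.8.39.180", 80)]:
        print(flow, "->", evaluate(*flow))
```

Two things the ACL check cannot tell you, and the page does not show: the `nat (inside) 0 access-list NONAT` exemption only matches destinations in 192.168.0.0/16, so traffic from the inside to 10.8.39.180 leaves the PIX translated to the outside interface address 10.0.0.2 by `global (outside) 1 interface`, and the far end therefore needs a return route to 10.0.0.2. On the PIX, `show access-list acl-inside` hit counts and `show conn` / `show xlate` while a test connection is attempted will show whether the policy matched and whether a connection was ever built.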
