Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
499
Views
0
Helpful
2
Replies

PIX routing to the wrong interface, even though destination is directly connected.

colin.nguyen
Level 1
Level 1

‎05-03-2011 05:36 PM

PIX 525 6.3(4)120

Hello, I am trying to allow clients coming in from my "DMZ6"  interface with source IPs from the subnet 192.168.2.0 /24 to ping and  access hosts on my "DMZ1" interface with destination IPs in the subnet  10.5.11.0 /24. I think I have the associated static NATs and the ACLs  set up to allow this to happen. What I have noticed from syslog messages  is that the PIX is trying to build the TCP connection to the "Inside"  interface, rather than to DMZ1. Even though the destination host  (10.5.11.12) is directly connected on DMZ1, the PIX is still trying to  send the traffic to the "Inside" instead. I tried adding a host route to  force 10.5.11.12 /32 pointing to DMZ1 and the PIX still tries to send  the packets Inside. This only seems to happen when I try to go from DMZ6  to DMZ1. If I try to access hosts located in DMZ3 for example, which is  also a directly connected interface on the PIX, it appropriately builds  the connection to DMZ3. Here are the pertinent rules. Am I missing  something? Why would the PIX want to build the connection to the Inside,  even though it knows that the destination host IP is directly connected  to DMZ1?

ip address DMZ1 10.5.11.1 255.255.255.0

ip address DMZ6 10.5.16.1 255.255.255.0

ip address inside 10.5.18.17 255.255.255.240

nameif ethernet1 inside security100

nameif ethernet2 DMZ1 security90

nameif ethernet7 DMZ6 security40

access-list DMZ1_policy permit icmp any any

access-list DMZ6_policy permit icmp any any

access-list DMZ6_policy permit tcp any any eq 3389

access-group DMZ1_policy in interface DMZ1

access-group DMZ6_policy in interface DMZ6

static (DMZ1,DMZ6) 10.5.11.0 10.5.11.0 netmask 255.255.255.0

static (DMZ6,DMZ1) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

SYSLOG MESSAGE:

May 03 2011 04:42:56 ARA-01 : %PIX-6-302013:

Built inbound TCP connection -1212474367 for DMZ6:  192.168.2.30/1098 (192.168.2.30/1098) to inside:10.5.11.12/3389  (10.5.11.12/3389)

05/02/11 21:43:04 10.5.18.17_pix 10.5.18.17 21 6 May 03 2011 04:43:04 ARA-01 : %PIX-6-110001:

No route to 10.5.11.12 from 192.168.2.30

05/02/11 21:44:58 10.5.18.17_pix 10.5.18.17 21 6 May 03 2011 04:44:58 ARA-01 : %PIX-6-302014:

Teardown TCP connection -1212474367 for DMZ6:192. 168.2.30/1098 to inside:10.5.11.12/3389 duration 0 :02:02 bytes 0 SYN Timeout

Labels:
0 Helpful
2 Replies 2

Jennifer Halim
Cisco Employee
Cisco Employee

‎05-03-2011 07:15 PM

The following is not needed in the configuration:

static (DMZ6,DMZ1) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

Please also "clear xlate" after you make any changes to NAT/Static NAT statement.

Can you also please advise that you have the following route in place:


route DMZ6 192.168.2.0 255.255.255.0 10.5.16.x


Are you able to ping to and from 192.168.2.30 and 10.5.11.12?

0 Helpful

colin.nguyen
Level 1
Level 1
In response to Jennifer Halim

‎05-04-2011 10:39 AM

Yes, I have:

route DMZ6 192.168.2.0 255.255.255.0 10.5.16.4

And I am unable to ping to and from 192.168.2.30 and 10.5.11.12.

Thanks

0 Helpful
Customers Also Viewed These Support Documents