PIX &; tagged RIPv2 routes
Hello!
I noticed that the PIX cannot use RIPv2 routing updates which have marked lines (zero tag). These routing updates, I got this error message:
107002: pkt RIP was due by 10.1.20.1: version = 2 on the interface outside
What is the function or the bug?
Hello
You are on the money. The PIX does not install RIP v2 with set of routes. This is by design, but is probably something we could change quite easily (the FWSM currently accepts these roads). My guess is that no one has ever asked before. If it's something you want to see added, contact the local Cisco account team and see about getting a high to this improved feature. Sorry for the news, but I hope that this helps to answer your question.
Scott
Tags: Cisco Security
Similar Questions
-
Hello
I found there is a field in the header of RIPv2 which is: routing domain.
It seems to be like a process id (as vlan id) so that routers have not the same routing domain will not process packets of RIPv2.
1. am I right?
2. how to change the value of this field?
Thank you
Hello
I think that I now know more about the "routing domain".
First of all, RIPv2 has been codified in 1388 RFC. Indeed, this RFC defined a field routing domain inside the RIP message header. The routing domain has been defined as follows (RFC 1388 Section 3.2):
The Routing Domain (RD) number is the number of the routing process to which this update belongs. This field is used to associate the routing update to a specific routing process on the receiving router. The RD is needed to allow multiple, independent RIP "clouds" to co- exist on the same physical wire. This gives administrators the ability to run multiple, possibly parallel, instances of RIP in order to implement simple policy. This means that a router operating within one routing domain, or a set of routing domains, should ignore RIP packets which belong to another routing domain. RD 0 is the default routing domain.
However, in the RFC 1721 "RIP Version 2 Protocol Analysis", article 2 stipulates:
The significant change from RFC 1388 is the removal of the domain field. There was no clear agreement as to how the field would be used, so it was determined to leave the field reserved for future expansion.
Accordingly, the RFC RIPv2 updates, namely the current 2453 RFC and RFC 1723 removed the routing domain label and instead treat the must-be-zero field, or else not obliterated. Your Wireshark obviously believes that the RFC 1388 RIPv2 is running and try to interpret a field not used in the header of RIPv2.
I discovered later that this behavior in Wireshark can be configured: choose Edit-> preferences, and then click protocols, find the RIP, and there you will see a box saying 'field display routing domain '. Uncheck the box.
Best regards
Peter
-
I have, in a site, a PIX 515 connected to a C827H (an ADSL router as PPPoE). This router provides access to the Net. In another site, I have another PIX (a 506) and another router C827H which gave access to the Net. Both sites have access to the net without problems. But when I have what it takes to establish a VPN (Ipsec) tunnel between the two sites, across the Net, I can t make the connection. The ADSL router has their public IP is negotiated with the provider. In my lab, I simulate this two connections put two PIX (a 520 and a 506) back to back with a crossover cable. I used the same configuration. The thing worked. But in my two sites that does not work. Why?
I see, in this case. I suggest that change you the name of the ACL defined in crypto card, try not to use the same ACL you used for nat0, it poses problems sometimes.
Try and see if it works for you.
-Jimmy
-
Tunnel VPN IPSEC Gre of the router in the branch office by Pix to the router HQ
Hi all
I tried to get this scenario to work before I put implement but am getting the error on router B.
01:05:38: % CRYPTO-6-IKMP_MODE_FAILURE: fast processing mode failed with the peer to 83.1.16.1
Here are the following details for networks
Router B
Address series 82.12.45.1/30
fast ethernet 192.168.20.1/24 address
PIX
outside the 83.1.16.1/30 interface eth0
inside 192.168.50.1/30 eth1 interface
Router
Fast ethernet (with Pix) 192.168.50.2/30 address
Loopback (A network) 192.168.100.1/24 address
Loopback (Network B) 192.168.200.1/24 address
Loopback (Network C) 192.168.300.1/24 address
Is could someone please tell me where im going wrong as I read the explanation of the error and it points to political unmaching. This has confused me like the two counterparts seem to have the same settings.
Config router B
======================
name of host B
!
Select the 5 secret goat.
!
username 7 privilege 15 password badger badger
iomem 15 memory size
IP subnet zero
!
!
no ip domain-lookup
IP - test.local domain name
!
property intellectual ssh delay 30
property intellectual ssh authentication-2 retries
!
crypto ISAKMP policy 5
md5 hash
preshared authentication
Group 2
ISAKMP crypto key VPN2VPN address 83.1.16.1
!
86400 seconds, duration of life crypto ipsec security association
!
Crypto ipsec transform-set esp - esp-md5-hmac VPN
!
crypto map 5 VPN ipsec-isakmp
defined by peer 83.1.16.1
PFS group2 Set
match address VPN
!
call the rsvp-sync
!
interface Loopback10
20.0.2.2 the IP 255.255.255.255
!
interface Tunnel0
bandwidth 1544000
20.0.0.1 IP address 255.255.255.0
source of Loopback10 tunnel
tunnel destination 20.0.2.1
!
interface FastEthernet0/0
Description * inside the LAN CONNECTION *.
address 192.168.20.1 255.255.255.0
IP nat inside
automatic duplex
automatic speed
!
interface Serial0/0
Description * INTERNET ACCESS *.
IP 88.12.45.1 255.255.255.252
NAT outside IP
VPN crypto card
!
interface FastEthernet0/1
no ip address
Shutdown
automatic duplex
automatic speed
!
Router eigrp 1
network 20.0.0.0
No Auto-resume
!
overload of IP nat inside source list NAT interface Serial0/0
IP classless
IP route 0.0.0.0 0.0.0.0 Serial0/0
no ip address of the http server
!
!
NAT extended IP access list
deny ip 192.168.20.0 0.0.0.255 192.168.200.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 192.168.300.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 192.168.100.0 0.0.0.255
ip licensing 192.168.20.0 0.0.0.255 any
list of IP - VPN access scope
permit ip host 20.0.2.2 20.0.2.1
!Config PIX
====================
PIX Version 7.2 (4)
!
pixfirewall hostname
names of
name 20.0.2.2 B_LOOP
name 88.12.45.1 B_WANIP
!
interface Ethernet0
Description * LINK to ISP *.
nameif outside
security-level 0
IP 83.1.16.1 255.255.255.252
!
interface Ethernet1
Description * LINK TO LAN *.
nameif inside
security-level 100
IP 192.168.50.1 255.255.255.252
!
passive FTP mode
the ROUTER_LOOPS object-group network
network-object 20.0.2.0 255.255.255.252
access allowed extended VPN ip host 20.0.2.1 B_LOOP list
access-list extended SHEEP permit ip host 20.0.2.1 ROUTER_LOOPS object-group
Access ip allowed any one extended list ACL_OUT
pager lines 24
Outside 1500 MTU
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Global (1 interface external)
NAT (inside) 0 access-list SHEEP
NAT (inside) 1 192.168.50.0 255.255.255.252
NAT (inside) 1 192.168.50.0 255.255.255.0
Access to the interface inside group ACL_OUT
Route outside 0.0.0.0 0.0.0.0 83.1.16.2 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp - esp-md5-hmac VPN
86400 seconds, duration of life crypto ipsec security association
VPN 5 crypto card matches the VPN address
card crypto VPN 5 set pfs
card crypto VPN 5 set peer B_WANIP
VPN 5 value transform-set VPN crypto card
card crypto VPN 5 defined security-association life seconds 28800
card crypto VPN outside interface
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 5
preshared authentication
the Encryption
md5 hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
tunnel-group 88.12.45.1 type ipsec-l2l
IPSec-attributes tunnel-group 88.12.45.1
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!When you create a GRE tunnel between two routers, there should be a routing decision to reach the Remote LAN through local (rather than exit directly the physical interface) tunnel interface.
This could be accomplished by EIGRP, but you can check if the adjacency is built.
As a test, what happens if you add a static route saying (reach remote LAN, sending traffic to the tunnel interface).
Check if the GRE tunnel comes up with sh interface tunnel
Federico.
-
VPN clients cannot access remote sites - PIX, routing problem?
I have a problem with routing to remote from our company websites when users connect via their VPN client remotely (i.e. for home workers)
Our headquarters contains a PIX 515E firewall. A number of remote sites to connect (via ADSL) to head office using IPSEC tunnels, ending the PIX.
Behind the PIX is a router 7206 with connections to the seat of LANs and connections to a number of ISDN connected remote sites. The default route on 7206 points to the PIX from traffic firewall which sits to ADSL connected remote sites through the PIX. Internal traffic for LAN and ISDN connected sites is done via the 7206.
Very good and works very well.
When a user connects remotely using their VPN client (connection is interrupted on the PIX) so that they get an IP address from the pool configured on the PIX and they can access resources located on local networks to the office with no problems.
However, the problem arises when a remote user wants access to a server located in one of the remote sites ADSL connected - it is impossible to access all these sites.
On the remote site routers, I configured the access lists to allow access from the pool of IP addresses used by the PIX. But it made no difference. I think that the problem may be the routes configured on the PIX itself, but I don't know what is necessary to solve this problem.
Does anyone have suggestions on what needs to be done to allow access to remote sites for users connected remotely via VPN?
(Note: I suggested a workaround, users can use a server on LAN headquarters as a "jump point" to connect to remote servers from there)
with pix v6, no traffic is allowed to redirect to the same interface.
for example, a remote user initiates an rdp session for one of the barns adsl. PIX decrypts the packet coming from the external interface and looks at the destination. because the destination is one of adsl sites, pix will have to return traffic to the external interface. Unfortunately, pix v6.x has a limitation that would force the pix to drop the packet.
with the v7, this restriction has been removed with the "same-security-traffic control intra-interface permits".
-
PIX: Dialin routing through a different VPN VPN
Here's the scenario: I have 2 PIX firewall on various sites connected to the internet with public (PIX A and B PIX) IP addresses.
There is a permanent VPN site to site between the two and there is a clear separation between subnets between the two sites (internal network behind PIX is 10.10.4.0/24 and the internal network behind PIX B 192.168.0.0/16).
I created dialin VPDN access to PIX for laptops to dialin via VPN - it currently allows access to the subnet 10.10.4.0/24 without problem.
Now - I need these users of portable computers, when connects via the VPN to PIX has to be able to access the other remote site and access the subnet 192.168.0.0/16 of routing through the VPN site to site of PIX B.
Is this possible? I would be grateful to anyone who helps with that. Thank you...
This is currently not possible on the PIX as the PIX will not route traffic back on the same interface, it is entered in the.
This feature will be available in the upcoming v7.0 version, which is currently in beta, so look out for it and you're ready to go.
-
PIX 501 for Cisco 3640 VPN router
-Start ciscomoderator note - the following message has been changed to remove potentially sensitive information. Please refrain from publishing confidential information about the site to reduce the risk to the security of your network. -end of the note ciscomoderator-
Have a 501 PIX and Cisco 3640 router. The 3640 is configured for dynamic map for VPN. The PIX 501 is set to pointing to the 3640 router static map. I can establish a tunnel linking the PIX to the router and telnet to a machine AIX on the inside network to the router. When I try to print on the network of the PIX 501 inside it fails.
What Miss me? I added the configuration for the PIX and the router.
Here are the PIX config:
PIX Version 6.1 (1)
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
enable encrypted password xxxxxxxxxxxxxxxx
xxxxxxxxxxxxx encrypted passwd
pixfirewall hostname
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol 2000 skinny
names of
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
Outside 1500 MTU
Within 1500 MTU
IP address outside dhcp setroute
IP address inside 192.168.1.1 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
PDM logging 100 information
history of PDM activate
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
Timeout xlate 0:05:00
Timeout conn 01:00 half-closed 0: 10:00 udp 0:02:00 CPP 0: h323 from 10:00 0:05:00 sip 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
RADIUS Protocol RADIUS AAA server
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
No sysopt route dnat
Telnet timeout 5
SSH timeout 5
dhcpd address 192.168.1.2 - 192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd outside auto_config
dhcpd allow inside
Terminal width 80
Cryptochecksum:XXXXXXXXXXXXXXXXXXX
: end
Here is the router config
Router #sh runn
Building configuration...
Current configuration: 6500 bytes
!
version 12.2
no service button
tcp KeepAlive-component snap-in service
a tcp-KeepAlive-quick service
horodateurs service debug datetime localtime
Log service timestamps datetime localtime
no password encryption service
!
router host name
!
start the flash slot1:c3640 - ik9o3s - mz.122 - 16.bin system
queue logging limit 100
activate the password xxxxxxxxxxxxxxxxx
!
clock TimeZone Central - 6
clock summer-time recurring CENTRAL
IP subnet zero
no ip source route
!
!
no ip domain-lookup
!
no ip bootp Server
inspect the name smtp Internet IP
inspect the name Internet ftp IP
inspect the name Internet tftp IP
inspect the IP udp Internet name
inspect the tcp IP Internet name
inspect the name DMZ smtp IP
inspect the name ftp DMZ IP
inspect the name DMZ tftp IP
inspect the name DMZ udp IP
inspect the name DMZ tcp IP
audit of IP notify Journal
Max-events of po verification IP 100
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 20
BA 3des
preshared authentication
Group 2
ISAKMP crypto key address x.x.180.133 xxxxxxxxxxx
ISAKMP crypto keys xxxxxxxxxxx address 0.0.0.0 0.0.0.0
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac vpn test
Crypto ipsec transform-set esp-3des esp-sha-hmac PIXRMT
!
dynamic-map crypto dny - Sai 25
game of transformation-PIXRMT
match static address PIX1
!
!
static-card 10 map ipsec-isakmp crypto
the value of x.x.180.133 peer
the transform-set vpn-test value
match static address of Hunt
!
map ISCMAP 15-isakmp ipsec crypto dynamic dny - isc
!
call the rsvp-sync
!
!
!
controller T1 0/0
framing ESF
linecode b8zs
Slots 1-12 channels-group 0 64 speed
Description controller to the remote frame relay
!
controller T1 0/1
framing ESF
linecode b8zs
Timeslots 1-24 of channel-group 0 64 speed
Description controller for internet link SBIS
!
interface Serial0/0:0
Description CKT ID 14.HXGK.785129 Frame Relay to Remote Sites
bandwidth 768
no ip address
no ip redirection
no ip unreachable
no ip proxy-arp
encapsulation frame-relay
frame-relay lmi-type ansi
!
interface Serial0 / point to point 0:0.17
Description Frame Relay to xxxxxxxxxxx location
IP unnumbered Ethernet1/0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
No arp frame relay
dlci 17 frame relay interface
!
interface Serial0 / point to point 0:0.18
Description Frame Relay to xxxxxxxxxxx location
IP unnumbered Ethernet1/0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
No arp frame relay
dlci 18 frame relay interface
!
interface Serial0 / point to point 0:0.19
Description Frame Relay to xxxxxxxxxxx location
IP unnumbered Ethernet1/0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
No arp frame relay
dlci 19 frame relay interface
!
interface Serial0 / point to point 0:0.20
Description Frame Relay to xxxxxxxxxxxxx location
IP unnumbered Ethernet1/0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
No arp frame relay
dlci 20 frame relay interface
!
interface Serial0 / point to point 0:0.21
Description Frame Relay to xxxxxxxxxxxx
IP unnumbered Ethernet1/0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
No arp frame relay
dlci 21 frame relay interface
!
interface Serial0 / point to point 0:0.101
Description Frame Relay to xxxxxxxxxxx
IP unnumbered Ethernet1/0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
No arp frame relay
dlci 101 frame relay interface
!
interface Serial0/1:0
CKT ID 14.HCGS.785383 T1 to ITT description
bandwidth 1536
IP address x.x.76.14 255.255.255.252
no ip redirection
no ip unreachable
no ip proxy-arp
NAT outside IP
inspect the Internet IP on
no ip route cache
card crypto ISCMAP
!
interface Ethernet1/0
IP 10.1.1.1 255.255.0.0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
no ip route cache
no ip mroute-cache
Half duplex
!
interface Ethernet2/0
IP 10.100.1.1 255.255.0.0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
no ip route cache
no ip mroute-cache
Half duplex
!
router RIP
10.0.0.0 network
network 192.168.1.0
!
IP nat inside source list 112 interface Serial0/1: 0 overload
IP nat inside source static tcp 10.1.3.4 443 209.184.71.138 443 extensible
IP nat inside source static tcp 10.1.3.4 9869 209.184.71.138 9869 extensible
IP nat inside source 10.1.3.2 static 209.184.71.140
IP nat inside source static 10.1.3.6 209.184.71.139
IP nat inside source static 10.1.3.8 209.184.71.136
IP nat inside source static tcp 10.1.3.10 80 209.184.71.137 80 extensible
IP classless
IP route 0.0.0.0 0.0.0.0 x.x.76.13
IP route 10.2.0.0 255.255.0.0 Serial0 / 0:0.19
IP route 10.3.0.0 255.255.0.0 Serial0 / 0:0.18
IP route 10.4.0.0 255.255.0.0 Serial0 / 0:0.17
IP route 10.5.0.0 255.255.0.0 Serial0 / 0:0.20
IP route 10.6.0.0 255.255.0.0 Serial0 / 0:0.21
IP route 10.7.0.0 255.255.0.0 Serial0 / 0:0.101
no ip address of the http server
!
!
PIX1 static extended IP access list
IP 10.1.0.0 allow 0.0.255.255 192.168.1.0 0.0.0.255
IP access-list extended hunting-static
IP 10.1.0.0 allow 0.0.255.255 192.168.1.0 0.0.0.255
extended IP access vpn-static list
ip permit 192.168.1.0 0.0.0.255 10.1.0.0 0.0.255.255
IP 192.0.0.0 allow 0.255.255.255 10.1.0.0 0.0.255.255
access-list 1 refuse 10.0.0.0 0.255.255.255
access-list 1 permit one
access-list 12 refuse 10.1.3.2
access-list 12 allow 10.1.0.0 0.0.255.255
access-list 12 allow 10.2.0.0 0.0.255.255
access-list 12 allow 10.3.0.0 0.0.255.255
access-list 12 allow 10.4.0.0 0.0.255.255
access-list 12 allow 10.5.0.0 0.0.255.255
access-list 12 allow 10.6.0.0 0.0.255.255
access-list 12 allow 10.7.0.0 0.0.255.255
access-list 112 deny ip host 10.1.3.2 everything
access-list 112 refuse ip 10.1.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 112 allow ip 10.1.0.0 0.0.255.255 everything
access-list 112 allow ip 10.2.0.0 0.0.255.255 everything
access-list 112 allow ip 10.3.0.0 0.0.255.255 everything
access-list 112 allow ip 10.4.0.0 0.0.255.255 everything
access-list 112 allow ip 10.5.0.0 0.0.255.255 everything
access-list 112 allow ip 10.6.0.0 0.0.255.255 everything
access-list 112 allow ip 10.7.0.0 0.0.255.255 everything
access-list 120 allow ip host 10.100.1.10 10.1.3.7
not run cdp
!
Dial-peer cor custom
!
!
!
!
connection of the banner ^ CCC
******************************************************************
WARNING - Unauthorized USE strictly PROHIBITED!
******************************************************************
^ C
!
Line con 0
line to 0
password xxxxxxxxxxxx
local connection
Modem InOut
StopBits 1
FlowControl hardware
line vty 0 4
exec-timeout 15 0
password xxxxxxxxxxxxxx
opening of session
!
end
Router #.
Add the following to the PIX:
> permitted connection ipsec sysopt
This indicates the PIX around all ACLs for IPsec traffic. Now that your IPSec traffic is still subject to the standard rules of PIX, so launched inside the traffic is allowed to go in, but off-initiated traffic is not.
-
Is the iI require a router with my PIX?
I have a cable connection to internet, the ISP gives me a DHCP IP. Do I need to buy a router to put in fromt of my recently purchased PIX or PIX can handle routing as well?
In addition, how the PIX runs the dynamic IPs on its external interface? I'm a little confused, thanks in advance.
-Marc
Yes.
Your external ip address on the pix can be static or dynamic
Your internal ip address on the pix must be static. The pix can act as a dhcp server on your network interla, but it looks like you already have that all together towards the top. Just exclude an ip address of the internal pool and use it for your pix. Make sure that you configure your dhcp server to pass this as the new default gateway ip address.
-
Difference b/w PIX &; router (router with the firewall option)
Hi all
I want to know that how we can differ with router (router with the firewall option) PIX bcz can also make Staefull packet filtering. What PIX device that reviewed by the customer to use PIX of the router.
Thank you best regards &,.
Guelma
Hello
There is a discussion in this forum on this topic; Check "Firewalling: PIX vs IOS Firewall" last conversation was released January 10, 2006. Let me know if it helps.
Rgrds,
Haitham
-
Routing problem of inside inside via PIX
Hello
I use a Cisco PIX 506th Version 6.3 (4).
My inner interface is 192.168.5.1/24. The interface connects to a Cisco Catalyst 4503, the interface in question lies in the VLAN 20.
On the 4053, I recently created a new VLAN (30). This VLAN holds 192.168.6.0/24. On the 4503, I created an interface VLAN, which acts as a default gateway for the network 192.168.6.0/24, IP: 192.168.6.2. The IP address of the interface VLAN on 4503 belonging to VLAN 20 is 192.168.5.2.
My hosts in VLAN 30 have 192.168.6.2 default gateway - the Cisco 4503.
My hosts in VLAN 20 have default gateway 192.168.5.1 - the Cisco PIX.
I am trying to establish connectivity between the 2 networks. When I try to install between 192.168.5.10 (a random host) and 192.168.6.10 (another random host), I see that the PIX complains of not having a route to 192.168.5.10 192.168.6.10.
(Road No. 6-PIX-110001 to 192.168.6.10 of 192.168.5.10)
I have however to add a lane on the PIX that presents itself as such:
inside 192.168.6.0 255.255.255.0 192.168.5.2 1 ANOTHER static
So I will try to explain the PIX she can find 192.168.6.0/24 through 192.168.5.2.
With regard to the NAT'ing:
Global 1 interface (outside)
NAT (inside) 0 access list acl-sheep
NAT (inside) 1 access list acl-inside 0 0
I thought for a moment it could have something to do with NAT'ing, so I added this to the ACL acl-sheep:
allowed to access list acl sheep line 4 192.168.5.0 ip 255.255.255.0 192.168.5.0 255.255.255.0 (hitcnt = 0)
allowed to access list acl sheep line 4 192.168.5.0 ip 255.255.255.0 192.168.6.0 255.255.255.0 (hitcnt = 0)
allowed to access list acl sheep line 4 192.168.6.0 ip 255.255.255.0 192.168.5.0 255.255.255.0 (hitcnt = 0)
allowed to access list acl sheep line 4 192.168.6.0 ip 255.255.255.0 192.168.6.0 255.255.255.0 (hitcnt = 0)
Because I don't want PIX of NAT traffic.
After that, he always complains about not having a route.
Does anyone have an idea what I could always try to solve this problem?
With sincere friendships.
Kevin
Unfortunately, PIX does not route or redirect traffic on the interface, he received the package. Unlike a router, the PIX cannot route packets back through the same interface where the packet was originally received.
CEC reference URL:
http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_qanda_item09186a0080094874.shtml
Another suggestion for you, is if there are only a handful of hosts on the NET 192.168.5.0/24 needed to arrive at the NET 192.168.6.0/24 you can add a static route on them for use as the next hop 4503 to access the 192.168.6.0/24.
Let me know if this helped.
Sundar-
-
My scenario is My PIX to 5 five interface. Interface E0 connect "Main router" Interface E1 connect "Partner router" Interface E3 connect 'Server Zone' Interface E4 connect 'Client area '.
My problem is 'Partner of router' care network 172.16.1.0/24 and they have used 10.0.1.0/24 service behind "Main router" and I configure default route of 'Router Partner' for PIX as same as "main router.
I have config road for PIX
"" main route 10.0.1.0 255.255.255.0 main router ""
"partner of route 172.16.1.0 255.255.255.0 router partner."
I can do? PIX can route?
What you have listed above should be fine. The PIX you can route packets. However, the usual rules still apply to allow packets pass between 2 interfaces on the PIX. You should always create the xlates and access control so that the packets to pass. I hope this helps.
Scott
-
Router vpn site to site PIX and vpn client
I have two on one interface on the pix vpn connections that terminate VPN. client vpn and VPN site-to-site have passed phase one and two and decrypt and encrypt the packets. However as in another post I can not ping through the l2l vpn. I checked this isn't a nat problem a nd two NAT 0 on the pix and the NAT on the router access lists work correctly.
ISAKMP crypto RTR #show its
IPv4 Crypto ISAKMP Security Association
status of DST CBC State conn-id slot
66.x.x.x 89.x.x.x QM_IDLE 2001 0 ACTIVEIPv6 Crypto ISAKMP Security Association
local ident (addr, mask, prot, port): (192.168.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.10.0/255.255.255.0/0/0)
current_peer 66.x.x.x port 500
LICENCE, flags is {origin_is_acl},
#pkts program: 23583, #pkts encrypt: 23583 #pkts digest: 23583
#pkts decaps: 18236, #pkts decrypt: 18236, #pkts check: 18236
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
#send 40, #recv errors 0local crypto endpt. : 89.x.x.x, remote Start crypto. : 66.x.x.x
Path mtu 1380, ip mtu 1380, ip mtu BID Dialer0
current outbound SPI: 0xC4BAC5E (206285918)SAS of the esp on arrival:
SPI: 0xD7848FB (225986811)
transform: aes - esp esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 3, flow_id: Motorola SEC 1.0:3, card crypto: PIX_MAP
calendar of his: service life remaining (k/s) key: (4573083/78319)
Size IV: 16 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0xC4BAC5E (206285918)
transform: aes - esp esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 4, flow_id: Motorola SEC 1.0:4, card crypto: PIX_MAP
calendar of his: service life remaining (k/s) key: (4572001/78319)
Size IV: 16 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
Expand the IP NAT access list
10 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 (21396 matches)
20 permit ip 192.168.2.0 0.0.0.255 everything (362 matches)
Expand the IP VPN_ACCESS access list
10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 (39724 matches)I looked on the internet and that it points to a routing error when packets are being encrypted and decrypted, but you can't do a ping on the binding. However when I test the connection I did not enter any of the static routes that networks are connected directly on each side of the pix and the router. any help would be a preciated as I think there's maybe something is blocking the ping to reach the internal network at the end of pix with a configured access list.
is ping failure of the only thing between the site to site VPN? and assuming that all other traffic works fine since it decrypts and encrypts the packets.
If it's just ping, then activate pls what follows on the PIX:
If it is version 6.3 and below: fixup protocol icmp
If it is version 7.0 and higher: select "inspect icmp" under your political map of the world.
Config complete hand and on the other could help determine if it's a configuration problem or another problem.
-
PowerConnect 6248 routing problem
Hi all
I have a very frustrating problem with routing using a PowerConnect 6248 switch.
Network configuration is the following:
VLAN3
172.16.0.254/24
VLAN4
192.168.0.254/24
PC on each VLAN using the switch VLAN interface IP (x.x.x.254) as the gateways.
Switch has configured default route to 192.168.0.248 which is a router with excess of 100 subnets frame relay cloud. 192.168.0.248 has routes suitable for all remote subnets via a serial interface, a static route to VLAN 3 (172.16.0.0/24) traffic through 192.168.0.254 and one way by default via a PIX 515 (192.168.0.253). Router and PIX is connected to access VIRTUAL 4 LAN ports. The PIX has a route to VLAN 3 traffic through 192.168.0.254.
The problem is that VIRTUAL 3 all hosts on the local network cannot access the Internet. They can ping the gateways in the order - 172.16.0.254, 192.168.0.248 and 192.168.0.253. I have disabled IP forwarding on the router and the switch with no effect.
I built this configuration in Cisco Packet Tracer 5.0 (it works) and we are running exactly the same IP configuration with a Nortel switch instead of the Dell 6248 (this also works).
Absoloutely perplexed to find out what I'm missing! I also noticed that if I perform a traceback while in the CLI on the router using a source IP address of the interface VLAN that it blocks the interface on the switch.
I would be very grateful to anyone who can punch me in the right direction.
I've included the config switch below.
Configure
database of VLAN
VLAN 2-4
subnet of VLAN association 172.16.0.0 255.255.255.0 3
subnet of VLAN association 192.168.11.0 255.255.255.0 2
subnet of VLAN association 192.168.0.0 255.255.255.0 4
output
battery
1 2 Member
output
IP 10.10.10.1 255.255.255.0
no console logging
no ip redirection
IP routing
IP route 0.0.0.0 0.0.0.0 192.168.0.248
bootpdhcprelay enable
bootpdhcprelay IP_serveur 192.168.0.3
router RIP
no activation
output
interface vlan 2
name of the "voice."
Routing
IP 192.168.11.254 255.255.255.0
output
interface vlan 3
name "workstations".
Routing
IP 172.16.0.254 255.255.255.0
output
interface vlan 4
"Name servers".
Routing
IP 192.168.0.254 255.255.255.0
output
level of 3c9fd59f1a240ff455a9d9e8eebae936 user name 'admin' password encrypted 15
router ospf
no activation
output
!
interface ethernet 1/g1
switchport mode trunk
switchport trunk allowed vlan add 2-4
switchport trunk allowed vlan remove 1
output
!
interface ethernet 1/g2
switchport mode trunk
switchport trunk allowed vlan add 2-4
switchport trunk allowed vlan remove 1
output
!
interface ethernet 1/g3
switchport access vlan 2
output
!
interface ethernet 1/g4
switchport access vlan 2
output
!
interface ethernet 1/g5
switchport access vlan 2
output
!
interface ethernet 1/g6
switchport access vlan 4
output
!
interface ethernet 1/g7
switchport mode trunk
switchport trunk allowed vlan add 2-4
switchport trunk allowed vlan remove 1
output
!
interface ethernet 1/g8
switchport access vlan 3
output
!
interface ethernet 1/g9
switchport access vlan 4
output
!
interface ethernet 1/g10
switchport access vlan 3
output
!
interface ethernet 1/g11
switchport access vlan 3
output
!
interface ethernet 1/g12
switchport access vlan 3
output
!
interface ethernet 1/g13
switchport access vlan 3
output
!
interface ethernet 1/g14
switchport access vlan 3
output
!
interface ethernet 1/g15
switchport access vlan 3
output
!
interface ethernet 1/g16
switchport access vlan 3
output
!
interface ethernet 1/g17
switchport access vlan 3
output
!
interface ethernet 1/g18
switchport access vlan 3
output
!
interface ethernet 1/g19
switchport access vlan 3
output
!
interface ethernet 1/g20
switchport access vlan 3
output
!
interface ethernet 1/g21
switchport access vlan 3
output
!
interface ethernet 1/g22
switchport access vlan 3
output
!
interface ethernet 1/g23
switchport mode trunk
switchport trunk allowed vlan add 2-4
switchport trunk allowed vlan remove 1
output
!
interface ethernet 1/g24
switchport access vlan 3
output
!
interface ethernet 1/g25
switchport access vlan 4
output
!
interface ethernet 1/g26
switchport access vlan 4
output
!
interface ethernet 1/g27
switchport access vlan 4
output
!
interface ethernet 1/g28
switchport access vlan 4
output
!
interface ethernet 1/g29
switchport access vlan 4
output
!
interface ethernet 1/g30
switchport access vlan 4
output
!
interface ethernet 1/g31
switchport access vlan 4
output
!
interface ethernet 1/g32
switchport access vlan 4
output
!
interface ethernet 1/g33
switchport access vlan 4
output
!
interface ethernet 1/g34
switchport access vlan 4
output
!
interface ethernet 1/g35
switchport access vlan 4
output
!
interface ethernet 1/g36
switchport access vlan 4
output
!
interface ethernet 1/g37
switchport access vlan 4
output
!
interface ethernet 1/g38
switchport access vlan 4
output
!
interface ethernet 1/g39
switchport access vlan 4
output
!
interface ethernet 1/g40
switchport access vlan 4
output
!
interface ethernet 1/g41
switchport access vlan 4
output
!
interface ethernet 1/g42
switchport access vlan 4
output
!
interface ethernet 1/g43
switchport access vlan 4
output
!
interface ethernet 1/g44
switchport access vlan 4
output
!
interface ethernet 1/g45
switchport access vlan 4
output
!
interface ethernet 1/g46
switchport access vlan 4
output
output
-
Cisco SA540 - classic routing problem - 0.0.0.0 in static road
Hello, I am a bit newbie with routing device,
I had several public IP address
I got a Cisco Pix 501and want to replace it with a Cisco SA540
My Wan IP on Pix 501 is 195.68.x.z
My Lan IP on Pix 501 is 62.23.a.b (and 62.23.a.c,...)My rules Pix 501 translation is: inside the interface. inside: everything: 0.0.0.0. Apart from the interface. same as orginal
My Pix 501 static route: outside | IP address 0.0.0.0. Mask 0.0.0.0. Gateway IP 195.168.x.y | Metric 1So when a computer with 62.23.a.X want access to the internet the static route he say to throuw the 195.168.x.y of the IP Address of the gateway (as I undestand)
I replicate this config on my SA540
Also, through the Web user interface, I configure the Wan and Lan IP
and then in the routing menu, I check "Classic routing" so I go to the static Menu to add the same route as in my Pix 501, but I can't put 0.0.0.0 in iP address or IP subnet mask.Can someone help me?
Thank you very much.
Hello
I hope this finds you doing well. Just thought I would add a few things here...
You have probably seen this, but... Here is the link to the page SA500:
https://www.myciscocommunity.com/docs/doc-10526
Yes, when you configure the device as a router, you need to configure routing. Try to remove the routes and the readd.
In addition, a little off topic, but if you want to stay with an ASA5505, there used to be a tool that would turn your PIX configus ASA. I don't remember where this link is now... but it used to fairly simple transition.
After you have configured the routing, since your internal machine, have you tried a trace route? On what device the traceroute fails?
In case you wish to speak to a support representative, here is the link to find the correct number:
http://www.Cisco.com/en/us/support/tsd_cisco_small_business_support_center_contacts.html
HTH,
Andrew Lee Lissitz
-
Hello
I have set up a LAB and try to apply a tag set and match tag for the prevention of the loop.
I used R1, R2, R3 BGP and OSPF R3 - R5 now I want to put the tag on the side of R2 to OSPF so that I can match and denied him on the side of R3, R2 - R4!
I have attached my lab with this post.
I'm sticking R2 and R3 config here:
R2:
router ospf 1
Log-adjacency-changes
redistribute bgp 200 subnets
network 192.168.1.0 0.0.0.255 area 1
!
router bgp 200
no synchronization
The log-neighbor BGP-changes
network 200.200.200.0
redistribute ospf 1 match external internal 1 external TAG route-map 2
neighbour 200.200.200.1 distance-100
No Auto-resume
!
no ip address of the http server
no ip http secure server
!
!
!
!
route TAG allowed 10 map
the tag 50 value
!
!
!
R3:::::::::
router ospf 1
Log-adjacency-changes
redistribute bgp 300 subnets tag route-map
network 192.168.2.0 0.0.0.255 area 1
Distribute-list route map TAG in
!
router bgp 300
no synchronization
The log-neighbor BGP-changes
network 200.200.201.0
redistribute ospf 1 match external internal 1 external 2
neighbour 200.200.201.1 distance-100
No Auto-resume
!
no ip address of the http server
no ip http secure server
!
!
!
!
route TAG map deny 10
game tag 50
!
allowed TAG 20 route map
!
My problem is why R2 of OSPF not slaughter to R3 where I used the tag match?
Thank you
Anand,
The technique of the distribution list can be very difficult to maintain in a network of real life that the list should be changed every time a new prefix is added somewhere in the network. The technique of the Roadmap (tag match / per set) is really easy to maintain.
Concerning
Maybe you are looking for
-
Some things I've never really found
There is something to the camera that I have nevery found good information on. The manual is only telling where you can spend what, but not what it means the real thing. As for the "TAP" (that Alister already explained), you get to know how and where
-
Make sure you have directx9 and video drivers installed BVRP software
-
are halo demo cut down forever?
are halo demo cut down forever?
-
LifeCam VX-800 works only on Windows XP
So I just bought the camera and when I plug it in, it lights up but when I use it in Skype or take a photo, it is not detected and it will not show the unit. Is there any software I need to download? Not just you are asked to connect? I checked http:
-
guys do you miss not having does not have access to cell phones? you are perfectly ok with WiFi only? have you been in situations in which you want to that you had access to cell phone? I would be acknowledging all responses from users only wifi... I