PIX & tagged RIPv2 routes

Hello!

I noticed that the PIX cannot use RIPv2 routing updates which contain tagged routes (non-zero tag). For these routing updates, I get this error message:

107002: RIP pkt failed from 10.1.20.1: version=2 on interface outside

Is this a feature or a bug?

Hello

You are on the money. The PIX does not install RIPv2 routes with the tag set. This is by design, but is probably something we could change quite easily (the FWSM currently accepts these routes). My guess is that no one has ever asked before. If it's something you want to see added, contact your local Cisco account team and see about getting a high priority on this feature enhancement. Sorry for the news, but I hope this helps to answer your question.

Scott
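
As an added example (not code from this thread or from Cisco), here is a small RIPv2 message parser in Python that exposes the two fields this thread and the "RIPv2 / routing domain" thread below are about: the per-route Route Tag, and the 16-bit header field that RFC 1388 called Routing Domain and that RFC 1723 and RFC 2453 define as must-be-zero. `check_update` reports what a strict RIPv2 listener would flag and, separately, splits the entries into those a receiver that refuses tagged routes (the PIX behaviour Scott describes) would install and those it would leave out. The `build_rip_response` helper and the sample update are constructed for this example; the tag value 100 is arbitrary.

```python
import ipaddress
import struct

# RIP message layout (RFC 2453 section 4): a 4-byte header followed by up to
# 25 route entries of 20 bytes each.  The 16-bit header field after
# command/version was "Routing Domain" in RFC 1388 and is "must be zero"
# in RFC 1723 and RFC 2453.
_HEADER = struct.Struct("!BBH")        # command, version, routing domain / MBZ
_ENTRY = struct.Struct("!HH4s4s4sI")   # AFI, route tag, prefix, mask, next hop, metric

RIP_RESPONSE = 2
AF_INET = 2
RIP_INFINITY = 16
MAX_ENTRIES = 25


def build_rip_response(routes, version=2, routing_domain=0):
    """Serialise a RIP Response message (constructed helper for this example).

    `routes` holds (prefix, mask, next_hop, metric, tag) tuples."""
    if len(routes) > MAX_ENTRIES:
        raise ValueError("a RIP message carries at most 25 entries")
    msg = _HEADER.pack(RIP_RESPONSE, version, routing_domain)
    for prefix, mask, next_hop, metric, tag in routes:
        msg += _ENTRY.pack(AF_INET, tag,
                           ipaddress.IPv4Address(prefix).packed,
                           ipaddress.IPv4Address(mask).packed,
                           ipaddress.IPv4Address(next_hop).packed,
                           metric)
    return msg


def parse_rip(packet):
    """Decode a RIP packet into a dict; raises ValueError on a malformed length."""
    body_len = len(packet) - _HEADER.size
    if body_len < 0 or body_len % _ENTRY.size or body_len // _ENTRY.size > MAX_ENTRIES:
        raise ValueError("RIP packet length %d is not 4 + n*20 (n <= 25)" % len(packet))
    command, version, domain = _HEADER.unpack_from(packet)
    entries = []
    for offset in range(_HEADER.size, len(packet), _ENTRY.size):
        afi, tag, prefix, mask, next_hop, metric = _ENTRY.unpack_from(packet, offset)
        entries.append({
            "afi": afi,
            "tag": tag,
            "prefix": str(ipaddress.IPv4Address(prefix)),
            "mask": str(ipaddress.IPv4Address(mask)),
            "next_hop": str(ipaddress.IPv4Address(next_hop)),
            "metric": metric,
        })
    return {"command": command, "version": version,
            "routing_domain": domain, "entries": entries}


def check_update(packet):
    """Validate a received update the way a RIPv2 listener would and split its
    entries into those a tag-refusing receiver installs and those it drops.

    Returns a dict with:
      accept   - False if the packet is not a RIPv2 Response
      warnings - oddities worth logging (non-zero must-be-zero field,
                 unknown AFI, metric outside 1..16)
      install  - entries with route tag 0
      tagged   - entries with a non-zero route tag (what the thread says the
                 PIX refuses to install)"""
    msg = parse_rip(packet)
    warnings = []
    accept = msg["command"] == RIP_RESPONSE and msg["version"] == 2
    if not accept:
        warnings.append("not a RIPv2 Response (command=%d version=%d)"
                        % (msg["command"], msg["version"]))
    if msg["routing_domain"] != 0:
        # An RFC 1388 receiver would treat this as another routing domain;
        # RFC 1723/2453 define the field as must-be-zero, so log it either way.
        warnings.append("must-be-zero (RFC 1388 Routing Domain) field is 0x%04x"
                        % msg["routing_domain"])
    install, tagged = [], []
    for e in msg["entries"]:
        if e["afi"] != AF_INET:
            warnings.append("entry %s has unknown AFI %d" % (e["prefix"], e["afi"]))
            continue
        if not 1 <= e["metric"] <= RIP_INFINITY:
            warnings.append("entry %s has invalid metric %d" % (e["prefix"], e["metric"]))
            continue
        (tagged if e["tag"] else install).append(e)
    return {"accept": accept, "warnings": warnings,
            "install": install, "tagged": tagged}


if __name__ == "__main__":
    # Constructed sample update: one plain route and one route carrying tag 100.
    sample = build_rip_response([
        ("10.1.20.0", "255.255.255.0", "0.0.0.0", 1, 0),
        ("172.16.0.0", "255.255.0.0", "0.0.0.0", 3, 100),
    ])
    result = check_update(sample)
    print("accept:", result["accept"], "warnings:", result["warnings"])
    for e in result["install"]:
        print("install", e["prefix"], e["mask"], "metric", e["metric"])
    for e in result["tagged"]:
        print("drop   ", e["prefix"], e["mask"], "tag", e["tag"])
```

Feeding a capture of the update from 10.1.20.1 (for example the UDP payload exported from a sniffer) to `check_update` shows directly which entries carry a tag and whether the must-be-zero header field is clean, which separates "the update is malformed" from "the update is fine but the receiver refuses tagged routes".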

Tags: Cisco Security

Similar Questions

  • RIPv2 / routing domain

    Hello

    I found there is a field in the RIPv2 header called "routing domain".

    It seems to be like a process id (as a VLAN id) so that routers that are not in the same routing domain will not process each other's RIPv2 packets.

    1. am I right?

    2. how to change the value of this field?

    Thank you

    Hello

    I think that I now know more about the "routing domain".

    First of all, RIPv2 was first specified in RFC 1388. Indeed, this RFC defined a Routing Domain field inside the RIP message header. The routing domain was defined as follows (RFC 1388 Section 3.2):

       The Routing Domain (RD) number is the number of the routing process to which this update belongs. This field is used to associate the routing update to a specific routing process on the receiving router. The RD is needed to allow multiple, independent RIP "clouds" to co-exist on the same physical wire. This gives administrators the ability to run multiple, possibly parallel, instances of RIP in order to implement simple policy. This means that a router operating within one routing domain, or a set of routing domains, should ignore RIP packets which belong to another routing domain. RD 0 is the default routing domain.

    However, RFC 1721 "RIP Version 2 Protocol Analysis", Section 2, states:

       The significant change from RFC 1388 is the removal of the domain field. There was no clear agreement as to how the field would be used, so it was determined to leave the field reserved for future expansion.

    Accordingly, the later RIPv2 RFCs, namely RFC 1723 and the current RFC 2453, removed the Routing Domain field and instead treat it as a must-be-zero field, or otherwise ignore it. Your Wireshark obviously believes that RFC 1388 RIPv2 is running and tries to interpret a field that is no longer used in the RIPv2 header.

    I discovered later that this behavior in Wireshark can be configured: choose Edit -> Preferences, then click Protocols, find RIP, and there you will see a checkbox saying 'Display Routing Domain field'. Uncheck the box.

    Best regards

    Peter

  • PIX and ADSL router.

    At one site, I have a PIX 515 connected to a C827H (an ADSL router doing PPPoE). This router provides access to the Internet. At another site, I have another PIX (a 506) and another C827H router which gives access to the Internet. Both sites have Internet access without problems. But when I try to establish a VPN (IPsec) tunnel between the two sites across the Internet, I can't make the connection. The ADSL routers have their public IP negotiated with the provider. In my lab, I simulated these two connections by putting two PIX (a 520 and a 506) back to back with a crossover cable. I used the same configuration. It worked. But at my two sites it does not work. Why?

    I see. In this case, I suggest that you change the name of the ACL defined in the crypto map; try not to use the same ACL you used for nat 0, it sometimes causes problems.

    Try and see if it works for you.

    -Jimmy

  • Tunnel VPN IPSEC Gre of the router in the branch office by Pix to the router HQ

    Hi all

    I tried to get this scenario to work before I implement it, but I am getting the following error on router B.

    01:05:38: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 83.1.16.1

    Here are the details of the networks:

    Router B

    Serial address 82.12.45.1/30

    Fast Ethernet address 192.168.20.1/24

    PIX

    outside interface eth0 83.1.16.1/30

    inside interface eth1 192.168.50.1/30

    Router

    Fast Ethernet (to the PIX) address 192.168.50.2/30

    Loopback (A network) 192.168.100.1/24 address

    Loopback (Network B) 192.168.200.1/24 address

    Loopback (Network C) 192.168.300.1/24 address

    Could someone please tell me where I'm going wrong? I read the explanation of the error and it points to a policy mismatch. This has confused me, as the two peers seem to have the same settings.

    Config router B

    ======================

    hostname B
    !
    enable secret 5 goat
    !
    username badger privilege 15 password 7 badger
    memory-size iomem 15
    ip subnet-zero
    !
    !
    no ip domain-lookup
    ip domain-name test.local
    !
    ip ssh time-out 30
    ip ssh authentication-retries 2
    !
    crypto isakmp policy 5
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key VPN2VPN address 83.1.16.1
    !
    crypto ipsec security-association lifetime seconds 86400
    !
    crypto ipsec transform-set VPN esp - esp-md5-hmac
    !
    crypto map VPN 5 ipsec-isakmp
     set peer 83.1.16.1
     set pfs group2
     match address VPN
    !
    call rsvp-sync
    !
    interface Loopback10
     ip address 20.0.2.2 255.255.255.255
    !
    interface Tunnel0
     bandwidth 1544000
     ip address 20.0.0.1 255.255.255.0
     tunnel source Loopback10
     tunnel destination 20.0.2.1
    !
    interface FastEthernet0/0
     description * INSIDE LAN CONNECTION *
     ip address 192.168.20.1 255.255.255.0
     ip nat inside
     duplex auto
     speed auto
    !
    interface Serial0/0
     description * INTERNET ACCESS *
     ip address 88.12.45.1 255.255.255.252
     ip nat outside
     crypto map VPN
    !
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    router eigrp 1
     network 20.0.0.0
     no auto-summary
    !
    ip nat inside source list NAT interface Serial0/0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0/0
    no ip http server
    !
    !
    ip access-list extended NAT
     deny   ip 192.168.20.0 0.0.0.255 192.168.200.0 0.0.0.255
     deny   ip 192.168.20.0 0.0.0.255 192.168.300.0 0.0.0.255
     deny   ip 192.168.20.0 0.0.0.255 192.168.100.0 0.0.0.255
     permit ip 192.168.20.0 0.0.0.255 any
    ip access-list extended VPN
     permit ip host 20.0.2.2 host 20.0.2.1
    !
    !

    Config PIX

    ====================

    PIX Version 7.2(4)
    !
    hostname pixfirewall
    names
    name 20.0.2.2 B_LOOP
    name 88.12.45.1 B_WANIP
    !
    interface Ethernet0
     description * LINK TO ISP *
     nameif outside
     security-level 0
     ip address 83.1.16.1 255.255.255.252
    !
    interface Ethernet1
     description * LINK TO LAN *
     nameif inside
     security-level 100
     ip address 192.168.50.1 255.255.255.252
    !
    ftp mode passive
    object-group network ROUTER_LOOPS
     network-object 20.0.2.0 255.255.255.252
    access-list VPN extended permit ip host 20.0.2.1 host B_LOOP
    access-list SHEEP extended permit ip host 20.0.2.1 object-group ROUTER_LOOPS
    access-list ACL_OUT extended permit ip any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list SHEEP
    nat (inside) 1 192.168.50.0 255.255.255.252
    nat (inside) 1 192.168.50.0 255.255.255.0
    access-group ACL_OUT in interface inside
    route outside 0.0.0.0 0.0.0.0 83.1.16.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set VPN esp - esp-md5-hmac
    crypto ipsec security-association lifetime seconds 86400
    crypto map VPN 5 match address VPN
    crypto map VPN 5 set pfs
    crypto map VPN 5 set peer B_WANIP
    crypto map VPN 5 set transform-set VPN
    crypto map VPN 5 set security-association lifetime seconds 28800
    crypto map VPN interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 5
     authentication pre-share
     encryption
     hash md5
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    tunnel-group 88.12.45.1 type ipsec-l2l
    tunnel-group 88.12.45.1 ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !

    When you create a GRE tunnel between two routers, there should be a routing decision to reach the remote LAN through the local tunnel interface (rather than exiting directly via the physical interface).

    This could be accomplished by EIGRP, but you should check whether the adjacency is built.

    As a test, what happens if you add a static route saying "to reach the remote LAN, send traffic to the tunnel interface"?

    Check whether the GRE tunnel comes up with "sh interface tunnel".

    Federico.

  • VPN clients cannot access remote sites - PIX, routing problem?

    I have a problem with routing to our company's remote sites when users connect remotely via their VPN client (i.e. home workers).

    Our headquarters has a PIX 515E firewall. A number of remote sites connect (via ADSL) to head office using IPsec tunnels terminating on the PIX.

    Behind the PIX is a 7206 router with connections to the head office LANs and to a number of ISDN-connected remote sites. The default route on the 7206 points to the PIX, so traffic for the ADSL-connected remote sites goes through the PIX. Internal traffic for the LAN and the ISDN-connected sites is routed by the 7206.

    All good, and it works very well.

    When a user connects remotely using their VPN client (the connection is terminated on the PIX), they get an IP address from the pool configured on the PIX and can access resources on the office local networks with no problems.

    However, the problem arises when a remote user wants to access a server located in one of the ADSL-connected remote sites - it is impossible to access any of these sites.

    On the remote site routers, I configured the access lists to allow access from the pool of IP addresses used by the PIX. But it made no difference. I think the problem may be the routes configured on the PIX itself, but I don't know what is needed to solve this problem.

    Does anyone have suggestions on what needs to be done to allow access to the remote sites for users connected remotely via VPN?

    (Note: I suggested a workaround: users can use a server on the headquarters LAN as a "jump point" to connect to the remote servers from there)

    with pix v6, no traffic is allowed to be redirected back out the same interface.

    for example, a remote user initiates an rdp session to one of the adsl sites. the PIX decrypts the packet coming in on the external interface and looks at the destination. because the destination is one of the adsl sites, the pix would have to send the traffic back out the external interface. unfortunately, pix v6.x has a limitation that forces the pix to drop the packet.

    with v7, this restriction has been removed with the "same-security-traffic permit intra-interface" command.

    http://www.Cisco.com/en/us/partner/products/HW/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

  • PIX: Dial-in routing through a different VPN

    Here's the scenario: I have 2 PIX firewalls at different sites, connected to the internet with public IP addresses (PIX A and PIX B).

    There is a permanent site-to-site VPN between the two, and there is a clear separation of subnets between the two sites (the internal network behind PIX A is 10.10.4.0/24 and the internal network behind PIX B is 192.168.0.0/16).

    I created dial-in VPDN access to PIX A for laptops to dial in via VPN - it currently allows access to the subnet 10.10.4.0/24 without problem.

    Now I need these laptop users, when connected via VPN to PIX A, to be able to access the other remote site and reach the subnet 192.168.0.0/16 by routing through the site-to-site VPN to PIX B.

    Is this possible? I would be grateful to anyone who can help with that. Thank you...

    This is currently not possible on the PIX, as the PIX will not route traffic back out the same interface it came in on.

    This feature will be available in the upcoming v7.0 version, which is currently in beta, so look out for it and you'll be ready to go.

  • PIX 501 for Cisco 3640 VPN router

    -Start ciscomoderator note- The following message has been edited to remove potentially sensitive information. Please refrain from posting confidential site information, to reduce the risk to the security of your network. -End of ciscomoderator note-

    I have a PIX 501 and a Cisco 3640 router. The 3640 is configured with a dynamic map for VPN. The PIX 501 is set up with a static map pointing to the 3640 router. I can establish a tunnel from the PIX to the router and telnet to an AIX machine on the inside network of the router. When I try to print to the network on the inside of the PIX 501 it fails.

    What am I missing? I have added the configuration of the PIX and the router.

    Here is the PIX config:

    PIX Version 6.1(1)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxxxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxxx encrypted
    hostname pixfirewall
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    pager lines 24
    interface ethernet0 10baset
    interface ethernet1 10full
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    no sysopt route dnat
    telnet timeout 5
    ssh timeout 5
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:XXXXXXXXXXXXXXXXXXX
    : end

    Here is the router config

    Router#sh run
    Building configuration...

    Current configuration : 6500 bytes
    !
    version 12.2
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime localtime
    service timestamps log datetime localtime
    no service password-encryption
    !
    hostname Router
    !
    boot system flash slot1:c3640-ik9o3s-mz.122-16.bin
    logging queue-limit 100
    enable password xxxxxxxxxxxxxxxxx
    !
    clock timezone Central -6
    clock summer-time CENTRAL recurring
    ip subnet-zero
    no ip source-route
    !
    !
    no ip domain-lookup
    !
    no ip bootp server
    ip inspect name Internet smtp
    ip inspect name Internet ftp
    ip inspect name Internet tftp
    ip inspect name Internet udp
    ip inspect name Internet tcp
    ip inspect name DMZ smtp
    ip inspect name DMZ ftp
    ip inspect name DMZ tftp
    ip inspect name DMZ udp
    ip inspect name DMZ tcp
    ip audit notify log
    ip audit po max-events 100
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp policy 20
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key xxxxxxxxxxx address x.x.180.133
    crypto isakmp key xxxxxxxxxxx address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac
    crypto ipsec transform-set PIXRMT esp-3des esp-sha-hmac
    !
    crypto dynamic-map dny-isc 25
     set transform-set PIXRMT
     match address PIX1-static
    !
    !
    crypto map ISCMAP 10 ipsec-isakmp
     set peer x.x.180.133
     set transform-set vpn-test
     match address hunting-static
    !
    crypto map ISCMAP 15 ipsec-isakmp dynamic dny-isc
    !
    call rsvp-sync
    !
    !
    !
    controller T1 0/0
     framing esf
     linecode b8zs
     channel-group 0 timeslots 1-12 speed 64
     description controller to remote frame relay
    !
    controller T1 0/1
     framing esf
     linecode b8zs
     channel-group 0 timeslots 1-24 speed 64
     description controller for internet link SBIS
    !
    interface Serial0/0:0
     description CKT ID 14.HXGK.785129 Frame Relay to Remote Sites
     bandwidth 768
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     encapsulation frame-relay
     frame-relay lmi-type ansi
    !
    interface Serial0/0:0.17 point-to-point
     description Frame Relay to xxxxxxxxxxx location
     ip unnumbered Ethernet1/0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     no arp frame-relay
     frame-relay interface-dlci 17
    !
    interface Serial0/0:0.18 point-to-point
     description Frame Relay to xxxxxxxxxxx location
     ip unnumbered Ethernet1/0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     no arp frame-relay
     frame-relay interface-dlci 18
    !
    interface Serial0/0:0.19 point-to-point
     description Frame Relay to xxxxxxxxxxx location
     ip unnumbered Ethernet1/0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     no arp frame-relay
     frame-relay interface-dlci 19
    !
    interface Serial0/0:0.20 point-to-point
     description Frame Relay to xxxxxxxxxxxxx location
     ip unnumbered Ethernet1/0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     no arp frame-relay
     frame-relay interface-dlci 20
    !
    interface Serial0/0:0.21 point-to-point
     description Frame Relay to xxxxxxxxxxxx
     ip unnumbered Ethernet1/0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     no arp frame-relay
     frame-relay interface-dlci 21
    !
    interface Serial0/0:0.101 point-to-point
     description Frame Relay to xxxxxxxxxxx
     ip unnumbered Ethernet1/0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     no arp frame-relay
     frame-relay interface-dlci 101
    !
    interface Serial0/1:0
     description CKT ID 14.HCGS.785383 T1 to ITT
     bandwidth 1536
     ip address x.x.76.14 255.255.255.252
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip inspect Internet in
     no ip route-cache
     crypto map ISCMAP
    !
    interface Ethernet1/0
     ip address 10.1.1.1 255.255.0.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     no ip route-cache
     no ip mroute-cache
     half-duplex
    !
    interface Ethernet2/0
     ip address 10.100.1.1 255.255.0.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     no ip route-cache
     no ip mroute-cache
     half-duplex
    !
    router rip
     network 10.0.0.0
     network 192.168.1.0
    !
    ip nat inside source list 112 interface Serial0/1:0 overload
    ip nat inside source static tcp 10.1.3.4 443 209.184.71.138 443 extendable
    ip nat inside source static tcp 10.1.3.4 9869 209.184.71.138 9869 extendable
    ip nat inside source static 10.1.3.2 209.184.71.140
    ip nat inside source static 10.1.3.6 209.184.71.139
    ip nat inside source static 10.1.3.8 209.184.71.136
    ip nat inside source static tcp 10.1.3.10 80 209.184.71.137 80 extendable
    ip classless
    ip route 0.0.0.0 0.0.0.0 x.x.76.13
    ip route 10.2.0.0 255.255.0.0 Serial0/0:0.19
    ip route 10.3.0.0 255.255.0.0 Serial0/0:0.18
    ip route 10.4.0.0 255.255.0.0 Serial0/0:0.17
    ip route 10.5.0.0 255.255.0.0 Serial0/0:0.20
    ip route 10.6.0.0 255.255.0.0 Serial0/0:0.21
    ip route 10.7.0.0 255.255.0.0 Serial0/0:0.101
    no ip http server
    !
    !
    ip access-list extended PIX1-static
     permit ip 10.1.0.0 0.0.255.255 192.168.1.0 0.0.0.255
    ip access-list extended hunting-static
     permit ip 10.1.0.0 0.0.255.255 192.168.1.0 0.0.0.255
    ip access-list extended vpn-static
     permit ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.255.255
     permit ip 192.0.0.0 0.255.255.255 10.1.0.0 0.0.255.255
    access-list 1 deny   10.0.0.0 0.255.255.255
    access-list 1 permit any
    access-list 12 deny   10.1.3.2
    access-list 12 permit 10.1.0.0 0.0.255.255
    access-list 12 permit 10.2.0.0 0.0.255.255
    access-list 12 permit 10.3.0.0 0.0.255.255
    access-list 12 permit 10.4.0.0 0.0.255.255
    access-list 12 permit 10.5.0.0 0.0.255.255
    access-list 12 permit 10.6.0.0 0.0.255.255
    access-list 12 permit 10.7.0.0 0.0.255.255
    access-list 112 deny   ip host 10.1.3.2 any
    access-list 112 deny   ip 10.1.0.0 0.0.255.255 192.168.1.0 0.0.0.255
    access-list 112 permit ip 10.1.0.0 0.0.255.255 any
    access-list 112 permit ip 10.2.0.0 0.0.255.255 any
    access-list 112 permit ip 10.3.0.0 0.0.255.255 any
    access-list 112 permit ip 10.4.0.0 0.0.255.255 any
    access-list 112 permit ip 10.5.0.0 0.0.255.255 any
    access-list 112 permit ip 10.6.0.0 0.0.255.255 any
    access-list 112 permit ip 10.7.0.0 0.0.255.255 any
    access-list 120 permit ip host 10.100.1.10 host 10.1.3.7
    no cdp run
    !
    dial-peer cor custom
    !
    !
    !
    !
    banner login ^CCC
    ******************************************************************
    WARNING - Unauthorized USE strictly PROHIBITED!
    ******************************************************************
    ^C
    !
    line con 0
    line aux 0
     password xxxxxxxxxxxx
     login local
     modem InOut
     stopbits 1
     flowcontrol hardware
    line vty 0 4
     exec-timeout 15 0
     password xxxxxxxxxxxxxx
     login
    !
    end

    Router#

    Add the following to the PIX:

    > sysopt connection permit-ipsec

    This tells the PIX to bypass all ACLs for IPsec traffic. Note that your IPsec traffic is still subject to the standard PIX rules, so traffic initiated from the inside is allowed to go out, but traffic initiated from the outside is not.

  • Do I require a router with my PIX?

    I have a cable connection to the internet; the ISP gives me a DHCP IP. Do I need to buy a router to put in front of my recently purchased PIX, or can the PIX handle routing as well?

    In addition, how does the PIX handle dynamic IPs on its external interface? I'm a little confused, thanks in advance.

    -Marc

    Yes.

    Your external ip address on the pix can be static or dynamic.

    Your internal ip address on the pix must be static. The pix can act as a dhcp server on your internal network, but it looks like you already have that all set up towards the top. Just exclude an ip address from the internal pool and use it for your pix. Make sure that you configure your dhcp server to hand this out as the new default gateway ip address.

  • Difference b/w PIX & router (router with the firewall option)

    Hi all

    I want to know how the PIX differs from a router (router with the firewall option), because a router can also do stateful packet filtering. What does the PIX offer that would make a customer choose the PIX over the router?

    Thanks & best regards,

    Guelma

    Hello

    There is a discussion in this forum on this topic; check "Firewalling: PIX vs IOS Firewall", the last reply was posted January 10, 2006. Let me know if it helps.

    Rgrds,

    Haitham

  • Routing problem of inside inside via PIX

    Hello

    I use a Cisco PIX 506E, Version 6.3(4).

    My inside interface is 192.168.5.1/24. It connects to a Cisco Catalyst 4503; the interface in question is in VLAN 20.

    On the 4503, I recently created a new VLAN (30). This VLAN holds 192.168.6.0/24. On the 4503, I created a VLAN interface which acts as the default gateway for the network 192.168.6.0/24, IP 192.168.6.2. The IP address of the VLAN interface on the 4503 belonging to VLAN 20 is 192.168.5.2.

    My hosts in VLAN 30 have default gateway 192.168.6.2 - the Cisco 4503.

    My hosts in VLAN 20 have default gateway 192.168.5.1 - the Cisco PIX.

    I am trying to establish connectivity between the 2 networks. When I try to set up a connection between 192.168.5.10 (a random host) and 192.168.6.10 (another random host), I see that the PIX complains of not having a route to 192.168.6.10 from 192.168.5.10.

    (%PIX-6-110001: No route to 192.168.6.10 from 192.168.5.10)

    I did however add a route on the PIX that shows up as follows:

    inside 192.168.6.0 255.255.255.0 192.168.5.2 1 OTHER static

    So with this I try to tell the PIX it can find 192.168.6.0/24 through 192.168.5.2.

    With regard to NAT:

    global (outside) 1 interface

    nat (inside) 0 access-list acl-sheep

    nat (inside) 1 access-list acl-inside 0 0

    I thought for a moment it could have something to do with NAT, so I added this to the ACL acl-sheep:

    access-list acl-sheep line 4 permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0 (hitcnt=0)

    access-list acl-sheep line 4 permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0 (hitcnt=0)

    access-list acl-sheep line 4 permit ip 192.168.6.0 255.255.255.0 192.168.5.0 255.255.255.0 (hitcnt=0)

    access-list acl-sheep line 4 permit ip 192.168.6.0 255.255.255.0 192.168.6.0 255.255.255.0 (hitcnt=0)

    Because I don't want the PIX to NAT the traffic.

    After that, it still complains about not having a route.

    Does anyone have an idea what else I could try to solve this problem?

    Kind regards.

    Kevin

    Unfortunately, the PIX does not route or redirect traffic out the interface on which it received the packet. Unlike a router, the PIX cannot route packets back through the same interface on which the packet was originally received.

    CCO reference URL:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_qanda_item09186a0080094874.shtml

    Another suggestion for you: if there are only a handful of hosts on the 192.168.5.0/24 net that need to reach the 192.168.6.0/24 net, you can add a static route on them using the 4503 as the next hop to access 192.168.6.0/24.

    Let me know if this helped.

    Sundar-

  • PIX routing with two routers

    My scenario is: my PIX has five interfaces. Interface E0 connects to the "Main router", interface E1 connects to the "Partner router", interface E3 connects to the "Server zone" and interface E4 connects to the "Client area".

    My problem is that the "Partner router" handles network 172.16.1.0/24 and they use a service on 10.0.1.0/24 behind the "Main router", and I configured the default route of the "Partner router" to the PIX, the same as for the "Main router".

    I have configured routes on the PIX:

    "route main 10.0.1.0 255.255.255.0 <main router>"

    "route partner 172.16.1.0 255.255.255.0 <partner router>"

    Can I do this? Can the PIX route?

    What you have listed above should be fine. The PIX can route packets. However, the usual rules still apply to allow packets to pass between 2 interfaces on the PIX. You still need to create the xlates and access control so that the packets can pass. I hope this helps.

    Scott

  • Router vpn site to site PIX and vpn client

    I have two VPN connections terminating on one interface on the pix. The VPN client and the site-to-site VPN have both passed phase one and two and decrypt and encrypt packets. However, as in another post, I cannot ping through the l2l vpn. I checked that this isn't a nat problem and the two NAT 0 access lists on the pix and the NAT access list on the router work correctly.

    RTR#show crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    66.x.x.x        89.x.x.x        QM_IDLE           2001    0 ACTIVE

    IPv6 Crypto ISAKMP SA

    local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
    current_peer 66.x.x.x port 500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 23583, #pkts encrypt: 23583, #pkts digest: 23583
    #pkts decaps: 18236, #pkts decrypt: 18236, #pkts verify: 18236
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 40, #recv errors 0

    local crypto endpt.: 89.x.x.x, remote crypto endpt.: 66.x.x.x
    path mtu 1380, ip mtu 1380, ip mtu idb Dialer0
    current outbound spi: 0xC4BAC5E(206285918)

    inbound esp sas:
    spi: 0xD7848FB(225986811)
    transform: esp-aes esp-sha-hmac ,
    in use settings ={Tunnel, }
    conn id: 3, flow_id: Motorola SEC 1.0:3, crypto map: PIX_MAP
    sa timing: remaining key lifetime (k/sec): (4573083/78319)
    IV size: 16 bytes
    replay detection support: Y
    Status: ACTIVE

    inbound ah sas:

    inbound pcp sas:

    outbound esp sas:
    spi: 0xC4BAC5E(206285918)
    transform: esp-aes esp-sha-hmac ,
    in use settings ={Tunnel, }
    conn id: 4, flow_id: Motorola SEC 1.0:4, crypto map: PIX_MAP
    sa timing: remaining key lifetime (k/sec): (4572001/78319)
    IV size: 16 bytes
    replay detection support: Y
    Status: ACTIVE

    outbound ah sas:

    outbound pcp sas:

    Extended IP access list NAT
    10 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 (21396 matches)
    20 permit ip 192.168.2.0 0.0.0.255 any (362 matches)
    Extended IP access list VPN_ACCESS
    10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 (39724 matches)

    I looked on the internet and that it points to a routing error when packets are being encrypted and decrypted, but you can't do a ping on the binding. However when I test the connection I did not enter any of the static routes that networks are connected directly on each side of the pix and the router. any help would be a preciated as I think there's maybe something is blocking the ping to reach the internal network at the end of pix with a configured access list.

    Is ping failure the only thing not working across the site-to-site VPN? I'm assuming all other traffic works fine, since it decrypts and encrypts the packets.

    If it's just ping, then please enable the following on the PIX:

    If it is version 6.3 and below: fixup protocol icmp

    If it is version 7.0 and higher: add "inspect icmp" under your global policy map.

    The complete config from both ends could help determine whether it's a configuration problem or something else.

  • PowerConnect 6248 routing problem

    Hi all

    I have a very frustrating problem with routing using a PowerConnect 6248 switch.

    The network configuration is as follows:

    VLAN 3: 172.16.0.254/24
    VLAN 4: 192.168.0.254/24

    PCs on each VLAN use the switch VLAN interface IP (x.x.x.254) as their gateway.

    The switch has a default route configured to 192.168.0.248, which is a router with over 100 subnets in a frame relay cloud. 192.168.0.248 has routes for all remote subnets via a serial interface, a static route for VLAN 3 (172.16.0.0/24) traffic via 192.168.0.254, and a default route via a PIX 515 (192.168.0.253). The router and PIX are connected to VLAN 4 access ports. The PIX has a route for VLAN 3 traffic via 192.168.0.254.

    The problem is that none of the hosts on VLAN 3 can access the Internet. They can ping the gateways in order: 172.16.0.254, 192.168.0.248 and 192.168.0.253. I have disabled IP forwarding on the router and the switch with no effect.

    I built this configuration in Cisco Packet Tracer 5.0 (it works), and we are running exactly the same IP configuration with a Nortel switch instead of the Dell 6248 (this also works).

    Absolutely perplexed as to what I'm missing! I also noticed that if I perform a traceroute from the CLI on the router using the VLAN interface IP address as the source, it stalls at the interface on the switch.

    I would be very grateful to anyone who can point me in the right direction.

    I've included the switch config below.

    configure
    vlan database
    vlan 2-4
    vlan association subnet 172.16.0.0 255.255.255.0 3
    vlan association subnet 192.168.11.0 255.255.255.0 2
    vlan association subnet 192.168.0.0 255.255.255.0 4
    exit
    stack
    member 1 2
    exit
    ip address 10.10.10.1 255.255.255.0
    no logging console
    no ip redirects
    ip routing
    ip route 0.0.0.0 0.0.0.0 192.168.0.248
    bootpdhcprelay enable
    bootpdhcprelay serverip 192.168.0.3
    router rip
    no enable
    exit
    interface vlan 2
    name "voice"
    routing
    ip address 192.168.11.254 255.255.255.0
    exit
    interface vlan 3
    name "workstations"
    routing
    ip address 172.16.0.254 255.255.255.0
    exit
    interface vlan 4
    name "servers"
    routing
    ip address 192.168.0.254 255.255.255.0
    exit
    username "admin" password 3c9fd59f1a240ff455a9d9e8eebae936 level 15 encrypted
    router ospf
    no enable
    exit
    !
    interface ethernet 1/g1
    switchport mode trunk
    switchport trunk allowed vlan add 2-4
    switchport trunk allowed vlan remove 1
    exit
    !
    interface ethernet 1/g2
    switchport mode trunk
    switchport trunk allowed vlan add 2-4
    switchport trunk allowed vlan remove 1
    exit
    !
    interface ethernet 1/g3
    switchport access vlan 2
    exit
    !
    interface ethernet 1/g4
    switchport access vlan 2
    exit
    !
    interface ethernet 1/g5
    switchport access vlan 2
    exit
    !
    interface ethernet 1/g6
    switchport access vlan 4
    exit
    !
    interface ethernet 1/g7
    switchport mode trunk
    switchport trunk allowed vlan add 2-4
    switchport trunk allowed vlan remove 1
    exit
    !
    interface ethernet 1/g8
    switchport access vlan 3
    exit
    !
    interface ethernet 1/g9
    switchport access vlan 4
    exit
    !
    interface ethernet 1/g10
    switchport access vlan 3
    exit
    !
    interface ethernet 1/g11
    switchport access vlan 3
    exit
    !
    interface ethernet 1/g12
    switchport access vlan 3
    exit
    !
    interface ethernet 1/g13
    switchport access vlan 3
    exit
    !
    interface ethernet 1/g14
    switchport access vlan 3
    exit
    !
    interface ethernet 1/g15
    switchport access vlan 3
    exit
    !
    interface ethernet 1/g16
    switchport access vlan 3
    exit
    !
    interface ethernet 1/g17
    switchport access vlan 3
    exit
    !
    interface ethernet 1/g18
    switchport access vlan 3
    exit
    !
    interface ethernet 1/g19
    switchport access vlan 3
    exit
    !
    interface ethernet 1/g20
    switchport access vlan 3
    exit
    !
    interface ethernet 1/g21
    switchport access vlan 3
    exit
    !
    interface ethernet 1/g22
    switchport access vlan 3
    exit
    !
    interface ethernet 1/g23
    switchport mode trunk
    switchport trunk allowed vlan add 2-4
    switchport trunk allowed vlan remove 1
    exit
    !
    interface ethernet 1/g24
    switchport access vlan 3
    exit
    !
    interface ethernet 1/g25
    switchport access vlan 4
    exit
    !
    interface ethernet 1/g26
    switchport access vlan 4
    exit
    !
    interface ethernet 1/g27
    switchport access vlan 4
    exit
    !
    interface ethernet 1/g28
    switchport access vlan 4
    exit
    !
    interface ethernet 1/g29
    switchport access vlan 4
    exit
    !
    interface ethernet 1/g30
    switchport access vlan 4
    exit
    !
    interface ethernet 1/g31
    switchport access vlan 4
    exit
    !
    interface ethernet 1/g32
    switchport access vlan 4
    exit
    !
    interface ethernet 1/g33
    switchport access vlan 4
    exit
    !
    interface ethernet 1/g34
    switchport access vlan 4
    exit
    !
    interface ethernet 1/g35
    switchport access vlan 4
    exit
    !
    interface ethernet 1/g36
    switchport access vlan 4
    exit
    !
    interface ethernet 1/g37
    switchport access vlan 4
    exit
    !
    interface ethernet 1/g38
    switchport access vlan 4
    exit
    !
    interface ethernet 1/g39
    switchport access vlan 4
    exit
    !
    interface ethernet 1/g40
    switchport access vlan 4
    exit
    !
    interface ethernet 1/g41
    switchport access vlan 4
    exit
    !
    interface ethernet 1/g42
    switchport access vlan 4
    exit
    !
    interface ethernet 1/g43
    switchport access vlan 4
    exit
    !
    interface ethernet 1/g44
    switchport access vlan 4
    exit
    !
    interface ethernet 1/g45
    switchport access vlan 4
    exit
    !
    interface ethernet 1/g46
    switchport access vlan 4
    exit
    exit


  • Cisco SA540 - classic routing problem - 0.0.0.0 in static route

    Hello, I am a bit of a newbie with routing devices.

    I have several public IP addresses.

    I have a Cisco PIX 501 and want to replace it with a Cisco SA540.

    My WAN IP on the PIX 501 is 195.68.x.z
    My LAN IPs on the PIX 501 are 62.23.a.b (and 62.23.a.c, ...)

    My PIX 501 translation rule is: interface inside | inside: any: 0.0.0.0 | interface outside | same as original
    My PIX 501 static route: outside | IP address 0.0.0.0 | Mask 0.0.0.0 | Gateway IP 195.168.x.y | Metric 1

    So when a computer with 62.23.a.X wants to access the internet, the static route tells it to go through the gateway IP address 195.168.x.y (as I understand it).

    I replicated this config on my SA540.

    Also, through the web user interface I configured the WAN and LAN IPs, and then in the routing menu I checked "Classic routing", so I went to the static routing menu to add the same route as on my PIX 501, but I can't put 0.0.0.0 in the IP address or IP subnet mask.

    Can someone help me?

    Thank you very much.

    Hello

    I hope this finds you doing well.  Just thought I would add a few things here...

    You have probably seen this, but... here is the link to the SA500 page:

    https://www.myciscocommunity.com/docs/doc-10526

    Yes, when you configure the device as a router, you need to configure routing.  Try removing the routes and re-adding them.

    In addition, a little off topic, but if you want to stay with an ASA 5505, there used to be a tool that would convert your PIX config to ASA.  I don't remember where that link is now... but it used to make for a fairly simple transition.

    After you have configured the routing, have you tried a traceroute from your internal machine?  At which device does the traceroute fail?

    In case you wish to speak to a support representative, here is the link to find the correct number:

    http://www.Cisco.com/en/us/support/tsd_cisco_small_business_support_center_contacts.html

    HTH,

    Andrew Lee Lissitz

  • TAG in OSPF-BGP problem

    Hello

    I have set up a lab and am trying to apply set tag and match tag for loop prevention.

    I used R1, R2, R3 for BGP and R3 - R5 for OSPF; now I want to set the tag on the R2 side into OSPF so that I can match and deny it on the R3 side, R2 - R4!

    I have attached my lab with this post.

    I'm pasting the R2 and R3 configs here:

    R2:

    router ospf 1
     log-adjacency-changes
     redistribute bgp 200 subnets
     network 192.168.1.0 0.0.0.255 area 1
    !
    router bgp 200
     no synchronization
     bgp log-neighbor-changes
     network 200.200.200.0
     redistribute ospf 1 match internal external 1 external 2 route-map TAG
     neighbor 200.200.200.1 remote-as 100
     no auto-summary
    !
    no ip http server
    no ip http secure-server
    !
    route-map TAG permit 10
     set tag 50
    !

    R3:

    router ospf 1
     log-adjacency-changes
     redistribute bgp 300 subnets route-map TAG
     network 192.168.2.0 0.0.0.255 area 1
     distribute-list route-map TAG in
    !
    router bgp 300
     no synchronization
     bgp log-neighbor-changes
     network 200.200.201.0
     redistribute ospf 1 match internal external 1 external 2
     neighbor 200.200.201.1 remote-as 100
     no auto-summary
    !
    no ip http server
    no ip http secure-server
    !
    route-map TAG deny 10
     match tag 50
    !
    route-map TAG permit 20
    !

    My problem is: why is OSPF from R2 not being blocked at R3, where I used the tag match?

    Thank you

    Anand,

    The distribute-list technique can be very difficult to maintain in a real-life network, because the list must be changed every time a new prefix is added somewhere in the network. The route-map technique (set tag / match tag) is really easy to maintain.

    Regards
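To make the set tag / match tag idea in this thread concrete, here is an added Python model (not from the post, and not Cisco code) of how a route-map decides at the two redistribution points: first matching clause wins, an implicit deny ends the map, and set actions apply only on permit. The Clause helper, the route dicts and the prefixes are constructed for the example; it models the policy logic only, not how a given platform carries the tag across BGP.

```python
"""Model of tag-based redistribution filtering (OSPF <-> BGP loop prevention).

Constructed example: a minimal IOS-style route-map evaluator applied to the
R2/R3 policy from the thread. Routes are plain dicts with prefix/proto/tag.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Clause:
    action: str                       # "permit" or "deny"
    match_tag: Optional[int] = None   # None means the clause matches everything
    set_tag: Optional[int] = None     # applied only when the clause permits


def apply_route_map(clauses: List[Clause], route: dict) -> Optional[dict]:
    """First matching clause decides; falling off the end is an implicit deny.
    Returns a (possibly re-tagged) copy of the route, or None if filtered."""
    for c in clauses:
        if c.match_tag is not None and route.get("tag") != c.match_tag:
            continue                  # this clause does not match, try the next
        if c.action == "deny":
            return None
        out = dict(route)
        if c.set_tag is not None:
            out["tag"] = c.set_tag
        return out
    return None


def redistribute(routes: List[dict], route_map: List[Clause], into: str) -> List[dict]:
    """Push routes through a route-map into another protocol's table."""
    result = []
    for r in routes:
        kept = apply_route_map(route_map, r)
        if kept is not None:
            kept["proto"] = into
            result.append(kept)
    return result


# Policy from the thread: R2 tags OSPF->BGP with 50, R3 denies tag 50 BGP->OSPF.
R2_OSPF_TO_BGP = [Clause("permit", set_tag=50)]
R3_BGP_TO_OSPF = [Clause("deny", match_tag=50), Clause("permit")]


def run_scenario():
    ospf_routes = [{"prefix": "192.168.1.0/24", "proto": "ospf", "tag": 0}]
    bgp_native = [{"prefix": "200.200.200.0/24", "proto": "bgp", "tag": 0}]
    bgp_table = bgp_native + redistribute(ospf_routes, R2_OSPF_TO_BGP, "bgp")
    # R3: only untagged (native BGP) prefixes may re-enter OSPF; tag 50 is dropped
    ospf_from_bgp = redistribute(bgp_table, R3_BGP_TO_OSPF, "ospf")
    return bgp_table, ospf_from_bgp
```

Adding a new OSPF prefix needs no policy change: it picks up tag 50 at R2 and is rejected at R3 by the same two clauses, which is the maintainability point made in the reply.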
