Odd routing issue with NAT

[zymurgy01]

I'm trying to figure this out. I have two cisco pix devices. One is inbound traffic for clients. The other is outbound traffic for local users. The traffic flows through 6509 to another router which is a 2800.

I can watch the traffic com into the inbound client pix, the staic nat is pointing to an interface on the 2800. I can see the traffic come into the 2800. However, on the way out it takes the route for local traffic through the other pix. There is a route-map on the 6509 stating that the next hop should be the originating pix. I can see all this with a icmp trace and deb ip icmp.

Any ideas on how to force this back to the originating pix?

 

[zymurgy01]

Ok I noticed that is not verrrrry descriptive.

One Pix is for client traffic. This pix is connected to the 6509 . The other pix is for our internal traffic to the real world. The Pix for the clients has a static nat that is pointing to the interface of a 2800 router (which is also connected to the 6509).

The traffic flows into the pix for the clients gets nat'd and handed off to the interface of the 2800. The 2800 gets the traffic and it seems to instantly be diverted out to the pix for internal traffic. The gateway of last resort is that pix. However their is a route-map on the 6509 point it back to the pix of origin.

I can see the traffic which is how I know it goes out the internal traffic pix.

Which makes me think I should have a loop due to the route map existing on the 6509...

scratching my head here.

 

[dearingkr]

Sounds like the 2800's default gateway is the outbound pix.
You'll probably have to put the route-map on the 2800.

MCSE CCNA CCDA

 

[zymurgy01]

I was starting down that path when I wrote this, and when I tested it after I posted the first time. I got no result. Which makes me think I am a complete moron cuz I never turned off the original route-map on the 6509. So I think I ping ponged that packet around a bit. Will re-do that in the morning. Which is why I put what I did in the second post. Though I did not articulate that part very well.

 

[zymurgy01]

Well that was totally not the issue.

Here is what I have tried.

Static nat on client pix points to 10.10.1.12

10.10.1.12 is a now a loopback on the 2801.

The loopback can be reached from the pix.

The route-map is on the 2801 to set the next hop as that of the pix iface. The match is matching on access-list 1 permit 10.10.1.12. Ip policy is enabled and ip policy route-map is set on the fa 0/1 which is the iface the traffic is flowing into. I get matches on the acl but nothing on the policy map.

I are stumped! I must be missing something but I can't think of what I am missing.

 

[brianinms]

I am confused why you have the router in the mix if you have a 6k.

 

[zymurgy01]

Because the router is a client t1 connection to our hosted devices behind the 6k. The clients need inet acces so we push them out the client pix (soon to be asa). The client pix also is set up with site to site tunnel for external client access. I can create a static route out to the client peer address for the tunnel to bring the tunnel up that works just fine. The issue is Inet traffic does not route back out correctly.

Trust me I have seen weirder setups.