Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PIX Routing (or lack thereof)

Status
Not open for further replies.
solarified

solarified

Technical User
Jun 26, 2002
15
0
0
US
For some odd reason, my PIX refused to route traffic to internal subnets. For example, my local network is 10.10.10.x and a user needs to access an internal website at 10.20.20.x (over the WAN). Below are snips from my PIX config.

access-list 90 permit ip 10.10.10.0 255.255.255.0 10.0.0.0 255.0.0.0
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 192.168.0.254 1
route inside 10.0.0.0 255.0.0.0 10.10.10.254 1

10.10.10.254 is my router to corporate. I know I must be missing something silly. I CAN ping the remote host directly from the PIX. When I attempt to ping the host from my PC, this is all I show in the logs:

Mar 15 09:24:17 10.10.10.235 Mar 15 2004 09:20:31: %PIX-3-106011: Deny inbound (No xlate) icmp src inside:10.10.10.15 dst inside:10.20.20.235 (type 8, code 0)

Cisco's site gives little help on the error:

%PIX-3-106011: Deny inbound (No xlate) chars

Explanation The message will appear under normal traffic conditions if there are internal users that are accessing the Internet via a web browser. Anytime a connection is reset, when the host at the end of the connection sends a packet after the PIX Firewall receives the reset, this message will appear. It can typically be ignored.

Action Disable this syslog message from getting logged to the syslog server by entering the no logging message 106011 command.

Any ideas?
 
Sort by date Sort by votes
Are you using the pix as your default gateway? If so that is your problem. Your pix is not a router. It can not do a redirect.

Use the router at 10.10.10.254 as your default gateway. Or alternately manually set the routes on your workstation. ICMP redirects have their pros and cons, see:
 
Upvote 0 Downvote
Are you serious?! A cisco device that can't handle some simple routing?! <grumble grumble grumble> Time to buy Nokia/CP...

What the heck is the ROUTE command even in the pix for then?!
 
Upvote 0 Downvote
As an FYI for all, I found this example that explains things pretty well..
-------------
if you have a PIX with two interfaces (inside and outside) and on the inside interface there is a 10.1.1.0/24 network. Off this network there is a router with the 10.1.2.0/24 network connected to it. Then suppose there is a server on the inside interface which is 10.1.1.5. This host has a default gateway of the inside interface of the PIX (10.1.1.1). In this scenario, assume that the PIX has the correct routing information, such as route inside 10.1.2.0 255.255.255.0 10.1.1.254 where 10.1.1.254 is the router's IP address. You might think that the 10.1.1.5 host could send a packet to 10.1.2.20 and this packet would go to the PIX, get redirected to the router at 10.1.1.254, and go on to the destination host, but this is not the case. The PIX does not send ICMP redirects like a router. Also, the PIX does not allow a packet to leave an interface from which it came. So assuming the 10.1.1.5 host sent a packet with a destination address of 10.1.2.20 to the PIX's inside interface, the PIX would drop that packet because it was destined to go out the same interface (inside interface) on which it came. This is true for any PIX interface, not just the inside interface. In this scenario, the solution is for the 10.1.1.5 host to set its default gateway to be the router's interface (10.1.1.254), and then have a default gateway on the router point to the PIX (10.1.1.1).
------------
[thumbsdown]
 
Upvote 0 Downvote
Well, a thought-out design does not rely on the firewall for internal routing, thats what routers or layer3 switches are for. If you loose your firewall you loose all internal routing, not good.
I think you have to look at it this way : The PIX does NOT run IOS, so all the things you know to be true about generic cisco devices to not apply to the pix.

Just my 2 cents
Jan

Network Systems Engineer
CCNA/CQS/CCSP
 
Upvote 0 Downvote
A mantra I've had to learn to stay sane: (chant with me)

The PIX is not a router..
The PIX is not a router..
The PIX is not a router..

:)
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
140
Johnkite
Johnkite
xwray
  • Locked
  • Question
PIX 501 DHCP Server function
Replies
0
Views
35
xwray
xwray
Modem80
  • Locked
  • Question
Novice SonicOS user, need routing help
Replies
2
Views
47
Modem80
Modem80
brownmab53
  • Locked
  • Question
PIX 525 ASA not allowing DHCP addresses to pass through to router
Replies
0
Views
42
brownmab53
brownmab53
cambo2k
  • Locked
  • Question
Watchguard or Cisco?
Replies
1
Views
43
hairlessupportmonkey
hairlessupportmonkey

Part and Inventory Search

Sponsor

Back
Top