[c-nsp] PIX route problems

Ted Mittelstaedt tedm at toybox.placo.com
Sun Jan 2 05:45:03 EST 2005


I assume the dmz is public, not 10.x numbers?

In that case are you natting from the 10.101 network on the vpn to 
the outside?

Something like

nat (native) 0 access-list 100 

in there as well as the nat statement for the (inside) interface?

Seriously, trying to help without a posted config is like feeling
around in a dark room looking for a pair of glasses.

Ted

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Marr, Joe
> Sent: Saturday, January 01, 2005 9:06 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] PIX route problems
> 
> I'm trying to configure the following.
> 
> I have a Pix525 with 3 physical interfaces. The DMZ interface is
> configured for VLANs. Only 2 VLANs are used: native (matching up to
> VLAN1 on my switch) is used for my DMZ servers and VLAN 55 is used to
> connect to a VPN 3005. A /30 is used to number VLAN 55 on the PIX to the
> private interface on the VPN 3005. A /24 is statically routed from the
> PIX, pointing to the IP address on the private interface, for use by
> various VPN clients.
> 
> My problem is that when I try to access anything from the VPN client /24
> going to the DMZ interface, I get this error in the firewall log:
> 
> %PIX-6-110001: No route to 10.101.0.5 from 10.1.2.2
> 
> I can access everything from the VPN on the internal interface; I can't
> figure out what's misconfigured.
> 
> The security settings for the interfaces are configured as follows:
> 
> dmz = 50
> vpn = 25
> 
> Any help will be greatly appreciated.
> 
> Joe Marr
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
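For readers following the thread: the fragment below is an added example of the PIX 6.3 pieces Ted asks about (the VLAN subinterface for the 3005, the static route for the client /24, the `nat 0` exemption on the DMZ side and the matching inbound ACL), not Joe's actual config and not a confirmed fix. Everything is assumed: the DMZ is given the documentation range 192.0.2.0/24, the /30 toward the 3005 is taken as 10.1.2.0/30 with 10.1.2.2 on the 3005 private interface (the "from" address in Joe's log), the client pool is 10.101.0.0/24 from the same log line, and the inside network 10.0.0.0/24 is invented for the inside exemption Ted mentions. Interface and ACL names are placeholders.

```text
! Added example (assumed values), not the poster's configuration.
! Ethernet2 carries the DMZ untagged and VLAN 55 tagged toward the VPN 3005.
interface ethernet2 100full
interface ethernet2 vlan55 logical
nameif ethernet2 dmz security50
nameif vlan55 vpn security25

! Assumed addressing: public DMZ (documentation range) and the /30 to the 3005.
ip address dmz 192.0.2.1 255.255.255.0
ip address vpn 10.1.2.1 255.255.255.252

! Static route for the VPN client pool via the 3005 private interface.
route vpn 10.101.0.0 255.255.255.0 10.1.2.2 1

! VPN clients (security 25) reaching DMZ hosts (security 50) is lower-to-higher
! traffic, so the PIX wants a translation or an exemption for the DMZ hosts
! plus an ACL on the lower-security interface. This is Ted's "nat (native) 0".
access-list dmz_nonat permit ip 192.0.2.0 255.255.255.0 10.101.0.0 255.255.255.0
nat (dmz) 0 access-list dmz_nonat

access-list vpn_in permit ip 10.101.0.0 255.255.255.0 192.0.2.0 255.255.255.0
access-group vpn_in in interface vpn

! Same idea for the inside interface, which Joe says already works.
! 10.0.0.0/24 is an assumed inside network.
access-list inside_nonat permit ip 10.0.0.0 255.255.255.0 10.101.0.0 255.255.255.0
nat (inside) 0 access-list inside_nonat
```

After applying something like this, `show route` should list 10.101.0.0/24 with 10.1.2.2 as its gateway on the vpn interface, and `show nameif` should show both the dmz and vpn logical interfaces with the intended security levels; a `%PIX-6-110001` for a 10.101.x address that persists after that points at the route itself rather than at NAT.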

