[c-nsp] PIX route problems

Marr, Joe jmarr at brodart.com
Sun Jan 2 10:20:46 EST 2005


interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet2 vlan55 logical

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif vlan55 vpn security25

global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 10.101.0.0 255.255.255.0 0 0
nat (vpn) 0 access-list 103
nat (vpn) 1 10.50.1.28 255.255.255.252 0 0

The DMZ is 10.net, with static NAT going to the outside and no
natting going inside.

Something I read on CCO says that I need to have a separate VLAN for the
DMZ interface; currently it's running native (VLAN1 in the switch).

Let me know if you need anything else.

Joe Marr
-----Original Message-----
From: Ted Mittelstaedt [mailto:tedm at toybox.placo.com] 
Sent: Sunday, January 02, 2005 5:45 AM
To: Marr, Joe; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] PIX route problems

I assume the dmz is public, not 10.x numbers?

In that case are you natting from the 10.101 network on the vpn to 
the outside?

something like 

nat (native) 0 access-list 100 

in there as well as the nat statement for the (inside) interface?

Seriously, trying to help without a posted config is like feeling
around in a dark room looking for a pair of glasses.

Ted

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Marr, Joe
> Sent: Saturday, January 01, 2005 9:06 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] PIX route problems
> 
> 
> I'm trying to configure the following
> 
> I have a Pix525 with 3 physical interfaces. The DMZ interface is
> configured for VLANS. Only 2 vlans are used, native (matching up to
> VLAN1 on my switch) is used for my DMZ servers and VLAN 55 is used to
> connect to a VPN 3005. A /30 is used to number VLAN 55 on the PIX to the
> private interface on the VPN 3005. A /24 is statically routed from the
> PIX, pointing to the IP address on private interface for use by various
> VPN clients.
> 
> My problem is that when I try to access anything from the VPN client /24
> going to the DMZ interface, I get this error in the firewall log:
> 
> %PIX-6-110001: No route to 10.101.0.5 from 10.1.2.2
> 
> I can access everything from the VPN on the internal interface, I can't
> figure out what's misconfigured.
> 
> The security settings for the interfaces are configured as follows:
> 
> dmz = 50
> 
> vpn = 25
> 
> Any help will be greatly appreciated.
> 
> Joe Marr
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
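An added example, not code from the thread or from Cisco: the script below takes the nameif/nat/global lines Joe posted (embedded inline as constructed input) and, for a given source interface, source address and egress interface, reports whether the PIX 6.x nat/global policy covers the flow at all. It assumes the classic PIX rule that traffic from a higher-security interface to a lower-security one needs either a nat 0 exemption or a nat id with a matching global on the egress interface, and that a lower-to-higher flow is not governed by nat/global in the first place. The bodies of access-lists 101 and 103 are not on the page, so the script reports them as caveats rather than guessing their contents; the test addresses 192.168.1.10 and the flow list are constructed for illustration.

```python
"""Audit which PIX 6.x nat/global rules cover a flow (added example, not from the thread)."""
import ipaddress
import re
from collections import defaultdict

# Constructed input: the nameif/nat/global lines copied from Joe's post.
PIX_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif vlan55 vpn security25
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 10.101.0.0 255.255.255.0 0 0
nat (vpn) 0 access-list 103
nat (vpn) 1 10.50.1.28 255.255.255.252 0 0
"""

NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+(.+)$")
NAT_ACL_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+access-list\s+(\S+)$")
NAT_NET_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(\S+)\s+(\S+)")


def parse_pix(text):
    """Return (security levels, global interfaces per nat id, nat rules per source interface)."""
    levels = {}
    globals_by_id = defaultdict(set)   # nat id -> interfaces that carry a global for it
    nat_rules = defaultdict(list)      # source interface -> [(nat id, network or None, acl or None)]
    for line in text.splitlines():
        line = line.strip()
        if m := NAMEIF_RE.match(line):
            levels[m.group(1)] = int(m.group(2))
        elif m := GLOBAL_RE.match(line):
            globals_by_id[int(m.group(2))].add(m.group(1))
        elif m := NAT_ACL_RE.match(line):
            nat_rules[m.group(1)].append((int(m.group(2)), None, m.group(3)))
        elif m := NAT_NET_RE.match(line):
            net = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
            nat_rules[m.group(1)].append((int(m.group(2)), net, None))
    return levels, dict(globals_by_id), dict(nat_rules)


def translation_status(policy, src_iface, src_ip, dst_iface):
    """Classify a packet from src_ip entering src_iface and leaving dst_iface.

    Verdicts: 'lower-to-higher' (nat/global does not apply; a static plus an
    access-list or conduit governs such flows), 'identity' (nat 0 network),
    'translated:<id>', 'nat-without-global:<id>', or 'uncovered'.
    """
    levels, globals_by_id, nat_rules = policy
    if levels[src_iface] <= levels[dst_iface]:
        return "lower-to-higher", []
    ip = ipaddress.ip_address(src_ip)
    rules = nat_rules.get(src_iface, [])
    # nat 0 access-list exemptions take precedence on the PIX, but the ACL
    # bodies are not in the posted config, so they are reported as caveats.
    caveats = [f"nat 0 access-list {acl} may exempt this source"
               for _, _, acl in rules if acl is not None]
    # Assumption of this script: overlapping nat networks resolve most-specific first.
    net_rules = sorted((r for r in rules if r[1] is not None),
                       key=lambda r: r[1].prefixlen, reverse=True)
    for nat_id, net, _ in net_rules:
        if ip not in net:
            continue
        if nat_id == 0:
            return "identity", caveats
        if dst_iface in globals_by_id.get(nat_id, set()):
            return f"translated:{nat_id}", caveats
        return f"nat-without-global:{nat_id}", caveats
    return "uncovered", caveats


if __name__ == "__main__":
    policy = parse_pix(PIX_CONFIG)
    # Constructed flows: the two addresses from the log line plus one made-up inside host.
    for src, ip, dst in [("vpn", "10.1.2.2", "dmz"), ("vpn", "10.1.2.2", "outside"),
                         ("dmz", "10.101.0.5", "outside"), ("inside", "192.168.1.10", "dmz")]:
        verdict, caveats = translation_status(policy, src, ip, dst)
        print(f"{src:7} {ip:14} -> {dst:8} {verdict}  {'; '.join(caveats)}")
```

Run as-is, it shows that the vpn (25) to dmz (50) direction in the posted config is a lower-to-higher flow, so the nat/global lines are not what decides it, while 10.1.2.2 heading to the outside is covered by no nat (vpn) network and depends entirely on access-list 103. The script says nothing about routing, which is what the 110001 message in the log is about; it only makes the translation side of the policy explicit so that it can be ruled in or out.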