TOPIC: Cisco PIX routing issue

Cisco PIX routing issue 7 years 2 weeks ago #32765

  • jimmyshin
  • New Member
  • Posts: 1
  • Karma: 0
Hi everyone, was pointed towards this forum by an ex-colleague so here goes.

We have a setup as follows:

Core Server Farm -- PIX -- Switched WAN -- ISA -- Internal Clients
                                        -- ISA -- Internal Clients
                                        -- ISA -- Internal Clients
                                        x 150

The external IP addresses of the ISA servers all follow the format 10.10.x.200 and the internal clients are all 10.110.x.0/24

Now from our core network, we can ping the 10.10.x.200 addresses, but not the 10.110.x.y addresses. There is a route relationship on the ISA allowing this traffic through from our core network.

On the PIX, we can see traffic going to the 10.10.x.200 addresses (in terms of hitcounts on the ACL), but we see nothing going to 10.110.x.y.

The relevant parts of the Cisco config are:

object-group All-Internal
network-object 10.10.0.0 255.255.0.0
network-object 10.110.0.0 255.255.0.0
object-group Core-AV-Server
network-object host 172.31.32.119

access-list Core-Int extended permit ip object-group Core-AV-Server object-group All-Internal


which breaks down during a 'sh run' to

access-list Core-Int line 1 extended permit ip host 172.31.32.119 10.10.0.0 255.255.0.0 (hitcnt=5)
access-list Core-Int line 1 extended permit ip host 172.31.32.119 10.110.0.0 255.255.0.0 (hitcnt=0)


We also have routes set for

S 10.10.0.0 255.255.0.0 [1/0] via 10.240.240.10, WAN
S 10.110.0.0 255.255.0.0 [1/0] via 10.240.240.10, WAN


where 10.240.240.10 is the next hop to get to the remote WANs.

The PIX interface on our Core network is 172.31.32.210 which is the default gateway on the AV server (and shows as the next hop doing a tracert).

I cannot for the life of me understand why I am not seeing the traffic for the internal networks hitting the PIX - any ideas?

Thanks in advance
Jim

Re: Cisco PIX routing issue 7 years 2 weeks ago #32772

  • Elohim
  • Senior Member
  • Posts: 220
  • Karma: 0
The part that is broken is the irrelevant part of the config that was not posted.
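As an added check (not code from the thread), the Python below walks the expanded ACL lines and static routes Jim posted and reports, for a given source and destination, which access-list entry and which route would apply. For a 10.110.x.y destination it confirms the posted config both permits and routes the flow, so a hitcnt of 0 means the packets are not arriving at the PIX at all, which is Elohim's point that the fault is somewhere outside the posted config. The sample addresses passed to check_flow() are constructed.

```python
import ipaddress

# Constructed from the config lines quoted in the post.
ACL_LINES = [
    "access-list Core-Int line 1 extended permit ip host 172.31.32.119 10.10.0.0 255.255.0.0 (hitcnt=5)",
    "access-list Core-Int line 1 extended permit ip host 172.31.32.119 10.110.0.0 255.255.0.0 (hitcnt=0)",
]
ROUTE_LINES = [
    "S 10.10.0.0 255.255.0.0 [1/0] via 10.240.240.10, WAN",
    "S 10.110.0.0 255.255.0.0 [1/0] via 10.240.240.10, WAN",
]


def _parse_addr(toks, i):
    """Parse one address operand ('host A', 'any', or 'NET MASK') starting at toks[i]."""
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1]), i + 2
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}"), i + 2


def parse_ace(line):
    """Parse an expanded 'show access-list' entry into source, destination and hit count."""
    toks = line.split()
    i = toks.index("permit") + 2          # skip the protocol keyword ('ip')
    src, i = _parse_addr(toks, i)
    dst, i = _parse_addr(toks, i)
    hits = int(line.rsplit("hitcnt=", 1)[1].rstrip(")"))
    return {"src": src, "dst": dst, "hitcnt": hits}


def parse_route(line):
    """Parse a 'show route' static entry into (prefix, next hop)."""
    toks = line.split()
    return ipaddress.ip_network(f"{toks[1]}/{toks[2]}"), toks[5].rstrip(",")


def check_flow(src, dst, acl_lines=ACL_LINES, route_lines=ROUTE_LINES):
    """Return (hitcnt of the first matching ACE or None, next hop of the longest matching route or None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ace = next((a for a in map(parse_ace, acl_lines) if s in a["src"] and d in a["dst"]), None)
    routes = [parse_route(line) for line in route_lines]
    best = max((r for r in routes if d in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return (ace["hitcnt"] if ace else None, best[1] if best else None)


def verdict(src, dst):
    """Plain-language reading of check_flow(): a permitted, routed flow with hitcnt 0 never reached the firewall."""
    hits, nexthop = check_flow(src, dst)
    if hits is None or nexthop is None:
        return "blocked or unrouted on the PIX"
    return "permitted and routed; zero hits means packets never arrive at the PIX" if hits == 0 else "permitted, routed and seen"
```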