5 messages in net.nether.puck.cisco-nsp[c-nsp] PIX route problems
From / Sent on:
Marr, Joe - Jan 2, 2005 12:05 am
Ted Mittelstaedt - Jan 2, 2005 5:44 am
Marr, Joe - Jan 2, 2005 10:20 am
Ted Mittelstaedt - Jan 2, 2005 5:22 pm
Lora Ganeva - Jan 3, 2005 6:24 am
Subject: [c-nsp] PIX route problems
From: Marr, Joe (jma@brodart.com)
Date: Jan 2, 2005 10:20:33 am
List: net.nether.puck.cisco-nsp

interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet2 vlan55 logical

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif vlan55 vpn security25

global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 10.101.0.0 255.255.255.0 0 0
nat (vpn) 0 access-list 103
nat (vpn) 1 10.50.1.28 255.255.255.252 0 0

The DMZ is 10.net, with static NAT going to the outside and no NATting going inside.

Something I read on CCO says that I need to have a separate VLAN for the DMZ interface; currently it's running native (VLAN1 in the switch).

Let me know if you need anything else.

Joe Marr

-----Original Message-----
From: Ted Mittelstaedt [mailto:te@toybox.placo.com]
Sent: Sunday, January 02, 2005 5:45 AM
To: Marr, Joe; cisc@puck.nether.net
Subject: RE: [c-nsp] PIX route problems

I assume the dmz is public, not 10.x numbers?

In that case are you natting from the 10.101 network on the vpn to the outside?

something like

nat (native) 0 access-list 100

in there as well as the nat statement for the (inside) interface?

Seriously, trying to help without a posted config is like feeling around in a dark room looking for a pair of glasses.

-----Original Message-----
From: cisc@puck.nether.net [mailto:cisc@puck.nether.net] On Behalf Of Marr, Joe
Sent: Saturday, January 01, 2005 9:06 PM
To: cisc@puck.nether.net
Subject: [c-nsp] PIX route problems

I'm trying to configure the following.

I have a PIX 525 with 3 physical interfaces. The DMZ interface is configured for VLANs. Only 2 VLANs are used: native (matching up to VLAN1 on my switch) is used for my DMZ servers, and VLAN 55 is used to connect to a VPN 3005. A /30 is used to number VLAN 55 on the PIX to the private interface on the VPN 3005. A /24 is statically routed from the PIX, pointing to the IP address on the private interface, for use by various VPN clients.

My problem is that when I try to access anything from the VPN client /24 going to the DMZ interface, I get this error in the firewall log:

%PIX-6-110001: No route to 10.101.0.5 from 10.1.2.2

I can access everything from the VPN on the internal interface; I can't figure out what's misconfigured.

The security settings for the interfaces are configured as follows:

dmz = 50

vpn = 25

Any help will be greatly appreciated.
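A small checker, added here as an example and not part of the thread, that parses the nameif/nat/global lines quoted above and classifies a flow between two interfaces by security level: higher-to-lower traffic needs a nat/global pair sharing a NAT id, while lower-to-higher traffic (such as vpn at security25 to dmz at security50) cannot be handled by nat/global at all and needs a static (or nat 0) plus an access-list permit. It only classifies translation direction; it does not diagnose the "No route" message itself.

```python
import re

# Constructed from the nameif/nat/global lines quoted in the thread.
PIX_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif vlan55 vpn security25
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 10.101.0.0 255.255.255.0 0 0
nat (vpn) 0 access-list 103
nat (vpn) 1 10.50.1.28 255.255.255.252 0 0
"""

def parse_pix(config):
    """Return (security levels, nat ids per interface, global ids per interface)."""
    levels, nats, globals_ = {}, {}, {}
    for line in config.splitlines():
        m = re.match(r"nameif \S+ (\S+) security(\d+)", line)
        if m:
            levels[m.group(1)] = int(m.group(2))
        m = re.match(r"nat \((\S+)\) (\d+)", line)
        if m:
            nats.setdefault(m.group(1), set()).add(int(m.group(2)))
        m = re.match(r"global \((\S+)\) (\d+)", line)
        if m:
            globals_.setdefault(m.group(1), set()).add(int(m.group(2)))
    return levels, nats, globals_

def check_flow(config, src_if, dst_if):
    """Classify src_if -> dst_if by PIX 6.x translation rules."""
    levels, nats, globals_ = parse_pix(config)
    if levels[src_if] == levels[dst_if]:
        # PIX 6.x does not pass traffic between equal security levels.
        return "same security level: not permitted on PIX 6.x"
    if levels[src_if] > levels[dst_if]:
        # Higher to lower: a non-zero nat id on src must match a global on dst.
        shared = (nats.get(src_if, set()) - {0}) & globals_.get(dst_if, set())
        if shared:
            return "ok: nat/global id %d" % min(shared)
        return "missing nat/global pair"
    # Lower to higher: nat/global does not apply here.
    return "lower-to-higher: needs static or nat 0 plus access-list permit"

if __name__ == "__main__":
    for pair in (("dmz", "outside"), ("inside", "dmz"), ("vpn", "dmz")):
        print("%s -> %s: %s" % (pair[0], pair[1], check_flow(PIX_CONFIG, *pair)))
```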