Hi all,
I've got a PIX 506e which has the following config:

PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname chqpix
domain-name example.com
names
name 192.168.4.0 mitelnet
name 10.20.6.0 globixnet
name 10.0.2.0 chqnet
object-group service web tcp
  description HTTP and HTTPS
  port-object eq www
  port-object eq https
access-list inside_outbound_nat0_acl permit ip chqnet 255.255.255.0 globixnet 255.255.255.0
access-list inside_outbound_nat0_acl permit ip mitelnet 255.255.255.0 globixnet 255.255.255.0
access-list outside_cryptomap_20 permit ip chqnet 255.255.255.0 globixnet 255.255.255.0
access-list outside_cryptomap_20 permit ip mitelnet 255.255.255.0 globixnet 255.255.255.0
access-list outside_access_in permit tcp any host 1.1.25.227 object-group web
access-list outside_access_in permit icmp any any
mtu outside 1500
mtu inside 1500
ip address outside 1.1.202.218 255.255.255.252
ip address inside 10.0.2.2 255.255.255.0
ip verify reverse-path interface outside
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 1.1.25.227 10.0.2.11 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.25.226 10.0.2.50 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.202.217 1
route inside mitelnet 255.255.255.0 10.0.2.1 1
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group5
crypto map outside_map 20 set peer 1.1.152.18
crypto map outside_map 20 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 1.1.152.18 netmask 255.255.255.255 no-xauth
isakmp keepalive 60 10
isakmp nat-traversal 15
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption 3des
isakmp policy 60 hash sha
isakmp policy 60 group 5
isakmp policy 60 lifetime 86400

chqpix# show route
outside 0.0.0.0 0.0.0.0 1.1.202.217 1 OTHER static
inside chqnet 255.255.255.0 10.0.2.2 1 CONNECT static
inside mitelnet 255.255.255.0 10.0.2.1 1 OTHER static
outside 1.1.202.216 255.255.255.252 1.1.202.218 1 CONNECT static

There's clearly a static route for 192.168.4.0 255.255.255.0 to 10.0.2.1.
The problem is, if I try to connect from 10.0.2.0/24 (chqnet) to 192.168.4.0, I get a "no route to host" error on the PIX:

110001: No route to 192.168.4.2 from 10.0.2.23

But I can connect from the outside VPN 10.20.6.0/24 (globixnet) to 192.168.4.0.
Does anyone see why this could be happening?
Thanks,
Karnov