PIX static route not working, I'm desperate!

Hello, I'm a UNIX system admin and sometimes I have to put my hands on Cisco stuff. Usually I can do it by reading docs online, but this time I'm really desperate. I hope someone here can help me solve my problem... :-)

I'm using a PIX 515E with firmware 8.0.2.

SERVER FARM X.X.X.X
        |
        |
      ADSL
        |
        |
  192.168.69.30
  OFFICE LAN (addresses 192.168.69.0/24)
        |
        |
        |
  PIX 515E (internal address 192.168.69.253, extern Y.Y.Y.Y)
        |
        |
     INTERNET

So we have an ADSL link that connects our office LAN to a server farm (our LAN has addresses of this kind: 192.168.69.X), and we are connected to the Internet using a second ADSL link. What we need is to reach the servers in the server farm using the PIX VPN. I put a static route in the PIX configuration, but it's not working when I connect to the PIX using the VPN. And when I am in the LAN, I have to manually insert in my PC the static route that sends all traffic to X.X.X.X via 192.168.69.30. I don't understand what is wrong; could you please help me?

PIX Version 8.0(2)
!
hostname PIXNSC
domain-name xxxxxxxxx
enable password RKODEhJ1uwKzCJ1e encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address Y.Y.Y.Y 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.69.253 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd ************** encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name nscsrl.it
access-list outside_access_in extended permit tcp any host Y.Y.Y.140 eq www
access-list outside_access_in extended permit tcp any host Y.Y.Y.140 eq pop3
access-list outside_access_in extended permit tcp any host Y.Y.Y.140 eq 5222
access-list outside_access_in extended permit tcp any host Y.Y.Y.140 eq 5223
access-list outside_access_in extended permit tcp any host Y.Y.Y.140 eq https
access-list outside_access_in extended permit tcp any host Y.Y.Y.140 eq smtp
access-list outside_access_in extended permit tcp any host Y.Y.Y.140 eq 995
access-list outside_access_in extended permit tcp any host Y.Y.Y.140 eq 465
access-list outside_access_in extended permit tcp host 85.18.117.122 host Y.Y.Y.139 eq ssh
access-list outside_access_in extended permit tcp host 85.18.117.122 host Y.Y.Y.139 eq 3306
access-list outside_access_in extended permit tcp host 85.18.117.122 host Y.Y.Y.139 eq 7129
access-list outside_access_in extended permit tcp any host Y.Y.Y.142 eq www
access-list outside_access_in extended permit tcp any host Y.Y.Y.142 eq 8554
access-list outside_access_in extended permit tcp any host Y.Y.Y.142 eq 6968
access-list outside_access_in extended permit tcp any host Y.Y.Y.142 eq 6969
access-list nonat extended permit ip 192.168.69.0 255.255.255.0 host 192.168.69.145
access-list nonat extended permit ip 192.168.69.0 255.255.255.0 host 192.168.69.146
access-list nonat extended permit ip 192.168.69.0 255.255.255.0 host 192.168.69.147
access-list nonat extended permit ip 192.168.69.0 255.255.255.0 host 192.168.69.148
access-list nonat extended permit ip 192.168.69.0 255.255.255.0 host 192.168.69.149
access-list nonat extended permit ip 192.168.69.0 255.255.255.0 host 192.168.69.150
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool vpnpool1 192.168.69.145-192.168.69.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) Y.Y.Y.140 192.168.69.41 netmask 255.255.255.255
static (inside,outside) Y.Y.Y.142 192.168.69.220 netmask 255.255.255.255
static (inside,outside) Y.Y.Y.139 192.168.69.42 netmask 255.255.255.255
static (inside,outside) Y.Y.Y.141 192.168.69.47 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.137 1
Davide Corrado

Chris

Notice that the original poster said PIX 8.0.2.

Since 7.2, same-security-traffic permit-intra-interface "permits traffic to enter and leave the same interface, and not just IPSec traffic".

Walter Roberson

I knew that starting from 7.0 this kind of traffic was supported (I didn't know how to activate it anyway :-)).

Well, I inserted same-security-traffic permit intra-interface in the configuration. Right now I'm connected to the office LAN and I deleted the static route that conduits to the server farm from my PC, to see if now the PIX static rule is working in the LAN... and it's not working... What else can I do?

Davide Corrado
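An added example, not the poster's configuration and not part of the thread, showing the hairpin permit and the farm-bound route this thread is about, as they would be entered on the PIX, followed by the checks a reader would run. The configuration pasted above carries only the default route toward X.X.X.137, so the farm route itself is the first thing to verify. FARM_NET, FARM_MASK and FARM_HOST are placeholders because the thread masks the farm addresses as X.X.X.X; 192.168.69.10 is a constructed LAN host.

```cisco
! Added example, not the poster's configuration. FARM_NET / FARM_MASK /
! FARM_HOST are placeholders (the thread masks the farm prefix as X.X.X.X);
! 192.168.69.10 is a constructed LAN host used only for the check below.
!
! 1. Hairpin on "inside": LAN hosts use the PIX (192.168.69.253) as their
!    gateway, and the farm gateway 192.168.69.30 sits on that same
!    interface, so traffic must be allowed to enter and leave "inside".
same-security-traffic permit intra-interface
!
! 2. The farm route itself. The pasted configuration carries only
!    "route outside 0.0.0.0 0.0.0.0 X.X.X.137 1", so without a more
!    specific entry the farm prefix follows the default toward the Internet.
route inside FARM_NET FARM_MASK 192.168.69.30 1
!
! 3. Keep farm-to-VPN-pool traffic off the dynamic PAT (nat (inside) 1),
!    mirroring the existing LAN-to-pool nonat exemptions. 192.168.69.144/29
!    covers .144-.151; the pool vpnpool1 is .145-.150.
access-list nonat extended permit ip FARM_NET FARM_MASK 192.168.69.144 255.255.255.248
!
! 4. Checks, from enable mode:
!    show route
!      -> expect a line "S FARM_NET FARM_MASK [1/0] via 192.168.69.30, inside"
!    packet-tracer input inside icmp 192.168.69.10 8 0 FARM_HOST
!      -> the ROUTE-LOOKUP phase must select "inside" via 192.168.69.30;
!         an output interface of "outside" means the farm route is missing.
!    On the farm gateway (192.168.69.30), confirm that replies addressed to
!    192.168.69.145-150 are sent back through the PIX: the pool lies inside
!    the LAN's own /24, so that hop will otherwise ARP for the VPN clients
!    directly on the LAN segment, where no such host answers.
```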
