Pix 515e

in CCNA & CCENT
have a new service provider and need to change the pix's outside route IP address to 207.247.114.43
When I use: route outside 0.0.0.0 0.0.0.0 237.xxx.xxx.xxx 1
cannot add route entry. possible conflict with existing routes
Here is my config
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group ICMP_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.xxx.xxx.xxx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
Comments
docrice Member Posts: 1,706 ■■■■■■■■■■
Do a show run route and let's see what the routing table looks like.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
ConstantlyLearning Member Posts: 445
no route outside 0.0.0.0 0.0.0.0 70.xxx.xxx.xxx 1
route outside 0.0.0.0 0.0.0.0 237.xxx.xxx.xxx 1
"There are 3 types of people in this world, those who can count and those who can't"
docrice Member Posts: 1,706 ■■■■■■■■■■
This may seem like a rather obvious question, but does your outside interface have an address that's within the net space / subnet of the forwarding gateway (207.247.114.43)? I didn't see any mask information so I figure we should check that.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
Technology1 Member Posts: 50 ■■□□□□□□□□
outside 0.0.0.0 0.0.0.0 70.19.119.1 1 OTHER static
inside 172.16.223.0 255.255.255.0 172.16.223.1 1 CONNECT static
outside 207.217.114.40 255.255.255.248 207.217.114.42 1 CONNECT static
docrice wrote: »This may seem like a rather obvious question, but does your outside interface have an address that's within the net space / subnet of the forwarding gateway (207.247.114.43)? I didn't see any mask information so I figure we should check that.
Technology1 Member Posts: 50 ■■□□□□□□□□
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **************** encrypted
passwd **************** encrypted
hostname hour1pix
domain-name main-fm.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1721-1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_cryptomap_itb permit ip 172.16.23.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list outside_cryptomap_itb permit ip 172.16.23.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list outside_cryptomap_itb permit ip host 207.217.114.42 host 192.168.32.99
docrice wrote: »This may seem like a rather obvious question, but does your outside interface have an address that's within the net space / subnet of the forwarding gateway (207.247.114.43)? I didn't see any mask information so I figure we should check that.
Technology1 Member Posts: 50 ■■□□□□□□□□
the error is this:
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group ICMP_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.19.119.1 1
docrice wrote: »This may seem like a rather obvious question, but does your outside interface have an address that's within the net space / subnet of the forwarding gateway (207.247.114.43)? I didn't see any mask information so I figure we should check that.
docrice Member Posts: 1,706 ■■■■■■■■■■
You're referring to a route for 207.217.114.40/29 but your ISP's gateway is at 207.247.114.43? Is this a typo?
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
Technology1 Member Posts: 50 ■■□□□□□□□□
207.217.114.40 is the static ip address
docrice wrote: »You're referring to a route for 207.217.114.40/29 but your ISP's gateway is at 207.247.114.43? Is this a typo?
docrice Member Posts: 1,706 ■■■■■■■■■■
If your PIX's outside interface is 207.217.114.40, and your next hop at the ISP is supposed to be 207.247.114.43, this can't route since they're not part of the same subnet given a /29 net. The second octet values make these two completely out of range of each other.
Or am I missing something here? Do you have another router in front of the PIX that you control which ultimately connects to the ISP?
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
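The same-subnet check described in the post above, as an added example (not code from any poster in this thread): it parses the `show route` lines posted earlier and tests candidate next hops against the networks connected to the outside interface. It assumes that on a CONNECT line the fourth field is the firewall's own interface address; the function names are hypothetical.

```python
import ipaddress

# Constructed input: the three "show route" lines posted earlier in this thread.
SHOW_ROUTE = """\
outside 0.0.0.0 0.0.0.0 70.19.119.1 1 OTHER static
inside 172.16.223.0 255.255.255.0 172.16.223.1 1 CONNECT static
outside 207.217.114.40 255.255.255.248 207.217.114.42 1 CONNECT static
"""

def connected_networks(show_route):
    """Map interface name -> list of (connected network, interface address)."""
    nets = {}
    for line in show_route.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[5] != "CONNECT":
            continue  # only directly connected networks matter here
        ifname, net, mask, addr = fields[:4]
        network = ipaddress.ip_network(f"{net}/{mask}")
        # Assumption: field 4 of a CONNECT line is the interface's own IP.
        nets.setdefault(ifname, []).append((network, ipaddress.ip_address(addr)))
    return nets

def check_next_hop(show_route, ifname, gateway):
    """Return (ok, reason) for using `gateway` as a next hop on `ifname`."""
    gw = ipaddress.ip_address(gateway)
    for network, own_addr in connected_networks(show_route).get(ifname, []):
        if gw not in network:
            continue
        if gw == network.network_address:
            return False, f"{gw} is the network address of {network}"
        if gw == network.broadcast_address:
            return False, f"{gw} is the broadcast address of {network}"
        if gw == own_addr:
            return False, f"{gw} is the firewall's own {ifname} address"
        return True, f"{gw} is a host in connected network {network}"
    return False, f"{gw} is not in any network connected to {ifname}"

if __name__ == "__main__":
    # Candidate next hops, chosen to exercise each branch of the check.
    for candidate in ("207.247.114.43", "207.217.114.43",
                      "207.217.114.40", "207.217.114.42"):
        ok, reason = check_next_hop(SHOW_ROUTE, "outside", candidate)
        print("OK  " if ok else "FAIL", reason)
```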
mgeorge Member Posts: 774 ■■■□□□□□□□
First off, do yourself a favor and update that PIX to 8.0(4).
You'll need 128MB RAM but it's going to be worth the upgrade. 6.x has been dead for nearly a decade.
There is no place like 127.0.0.1
docrice Member Posts: 1,706 ■■■■■■■■■■
Technology1 wrote: »207.217.114.40 is the static ip address
I've been in a rush today so I've been skimming at the responses and my eyes haven't been catching everything. Are you sure this is the address assigned to your outside interface?
outside 0.0.0.0 0.0.0.0 70.19.119.1 1 OTHER static
inside 172.16.223.0 255.255.255.0 172.16.223.1 1 CONNECT static
outside 207.217.114.40 255.255.255.248 207.217.114.42 1 CONNECT static
This looks like a static route config, which means 207.217.114.40 would be the network subnet identifier. An interface config output should look like:
interface Ethernet0
description blahblah
speed 100
duplex full
nameif outside
security-level 0
ip address 1.2.3.4 255.255.255.0 standby 1.2.3.254
Your PIX code might be old enough where the config output might look somewhat different as I haven't worked on the 6.x versions in ages, but I don't think it should be that different. I agree with mgeorge - you really should update to 8.0(4), even though that in itself is a few years old now. Be careful though - there are some syntax changes after you upgrade from 6.x.
In any case, shouldn't your route command be: route outside 0.0.0.0 0.0.0.0 207.217.114.43 1, assuming the ISP is the next hop from the PIX? Or did you originally do route outside 0.0.0.0 0.0.0.0 237.xxx.xxx.xxx 1 because the next hop upstream actually has a starting octet of 237? As mentioned before, I might be making wrong assumptions about your topology. It just sounded like your ISP is the next hop from your PIX.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
Technology1 Member Posts: 50 ■■□□□□□□□□
I just need to remove the global outside 0.0.0.0 0.0.0.0 70.19.119.1 1
and change it to outside 0.0.0.0 0.0.0.0 207.217.114.40
docrice wrote: »If your PIX's outside interface is 207.217.114.40, and your next hop at the ISP is supposed to be 207.247.114.43, this can't route since they're not part of the same subnet given a /29 net. The second octet values make these two completely out of range of each other.
Or am I missing something here? Do you have another router in front of the PIX that you control which ultimately connects to the ISP?
docrice Member Posts: 1,706 ■■■■■■■■■■
I thought you had done that already. Oh well, glad you're up and running...
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
Technology1 Member Posts: 50 ■■□□□□□□□□
the isp is 207.247.114.42
docrice wrote: »You're referring to a route for 207.217.114.40/29 but your ISP's gateway is at 207.247.114.43? Is this a typo?
Technology1 Member Posts: 50 ■■□□□□□□□□
Thanks for all the responses.
docrice wrote: »I've been in a rush today so I've been skimming at the responses and my eyes haven't been catching everything. Are you sure this is the address assigned to your outside interface?
This looks like a static route config, which means 207.217.114.40 would be the network subnet identifier. An interface config output should look like:
Your PIX code might be old enough where the config output might look somewhat different as I haven't worked on the 6.x versions in ages, but I don't think it should be that different. I agree with mgeorge - you really should update to 8.0(4), even though that in itself is a few years old now. Be careful though - there are some syntax changes after you upgrade from 6.x.
In any case, shouldn't your route command be: route outside 0.0.0.0 0.0.0.0 207.217.114.43 1, assuming the ISP is the next hop from the PIX? Or did you originally do route outside 0.0.0.0 0.0.0.0 237.xxx.xxx.xxx 1 because the next hop upstream actually has a starting octet of 237? As mentioned before, I might be making wrong assumptions about your topology. It just sounded like your ISP is the next hop from your PIX.
docrice Member Posts: 1,706 ■■■■■■■■■■
I tried, but in the end was a big FAIL. I shall now march towards the Halls of Shame...
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/