Can you add a static route for the inside interface of a PIX to point to a router on the same inside network?

admin_2
Level 3

When I add a static route on a PIX for the inside i/f, to redirect traffic to a router on the inside network, the traffic doesn't route to the router. e.g. a PC has DG=192.168.1.254 which is the inside i/f of the PIX. It's trying to reach the 192.168.2.0 network. The PIX has command "route inside 192.168.2.0 255.255.255.0 192.168.1.250" where 250 is the router. If I ping from the host, it doesn't reach the 192.168.2.0 network.

Therefore, can the PIX redirect traffic from the same interface to another router?

11 Replies

Not applicable

This is normal, the pix will not route. If there is a router on the inside of the pix, you need to set the client default g/w to the router and have the router default route point to the pix.

rsnider
Level 1

Using the inside router as the client gateway will work, but with this caveat. Every packet destined for the PIX will cause two packets of traffic on your network. On a lightly loaded network there should be no problem, just watch your router's cpu load and your network for excessive collisions. On a busy network this could kill the response time.

Ron

Curious, why would two packets get created?

i'm baffled too

I think what he was trying to say was:

Option #1.

If the DG for the PC's is the Router and traffic is going to the Internet, then:

1. Packets are sent to the router

2. Then packets are sent to the PIX

This has resulted in "double" the packets.

Option #2.

If the DG for the PC's is the PIX and traffic is going to the Internet, then:

1. Packets are then sent to the PIX

This has resulted in a single sent packet.

You can look at it from this scenario too:

Option #3.

If the DG for the PC's is the PIX and traffic is going to the "WAN/Router," then:

1. Packets are sent to the PIX

2. Then packets are sent to the router

This has resulted in "double" the packets again.

Your best call would be to determine the traffic patterns on the network and see where most of the traffic is going.

If most of the traffic goes to the Internet, set the DG to the PIX.

If most of the traffic goes to the WAN, set the DG to the router.

Hope this helps.

C-ya

Mike

Hi again,

Sorry but I think that there is some confusion here regarding the number of packets sent on the LAN as a result of this config.

Firstly: The PC must have the router as its default gateway because the PIX will not send ICMP redirects.

Secondly: Once the ICMP redirect is sent from the router to the PC (this happens as a result of the first packet), from this point on there are no "double" packets sent.

If you are unsure of this please check the PC's route table after you ping something on the internet. You will find a static route has been installed for this traffic.

The only resource issue that there may be is with the PC's route table. As you can imagine for each different internet destination there will be a new route in the PC's route table.

Hope this helps !!

Regards Brett

rsnider
Level 1

If you use the router as the default gateway, a packet going to the Internet will be sent to the router and the router would re-send the packet to the PIX. The PIX can't send packets back out the same interface it received them on. This is a router function.

Ron

bhose
Level 1

Hi,

The PIX does not support ICMP redirects. The PCs will need to have the router as the default gateway. Routers support ICMP redirects.

When the PC needs to send a packet to the internet it will send it to the router, the router will send a redirect to the PC, the PC will install a route into its route table for the PIX and then the PC will send the packet to the PIX.

One point of note. If the router is down, in some situation the PCs will not be able to send traffic to the internet !

Another option would be to install static routes into the PC's for 192.168.0.0 via the router and then a default to the PIX.

Regards Brett
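The three designs discussed in this thread (default gateway on the PIX, default gateway on the router with ICMP redirects, and Brett's last option of a PIX default plus a static route for 192.168.0.0 via the router) can be compared with a small forwarding simulation. This is an added example, not configuration or code from the thread or from Cisco; the addresses are the ones in the original question, and it assumes 192.168.0.0/16 covers everything reachable via the inside router (a constructed simplification).

```python
import ipaddress

PIX, ROUTER = "192.168.1.254", "192.168.1.250"        # PIX inside i/f, inside router
INSIDE_NETS = ipaddress.ip_network("192.168.0.0/16")  # assumed: all WAN nets behind the router

class Host:
    """PC with a longest-prefix-match route table that honours ICMP redirects."""
    def __init__(self, routes):
        self.routes = {ipaddress.ip_network(p): gw for p, gw in routes.items()}

    def next_hop(self, dst):
        d = ipaddress.ip_address(dst)
        best = max((p for p in self.routes if d in p), key=lambda p: p.prefixlen)
        return self.routes[best]

    def redirect(self, dst, gw):
        # ICMP redirect from the router: install a host route for this destination
        self.routes[ipaddress.ip_network(dst + "/32")] = gw

def gateway_forward(gw, dst):
    """How the chosen gateway handles a packet. Returns (outcome, redirect_to)."""
    internal = ipaddress.ip_address(dst) in INSIDE_NETS
    if gw == PIX:
        # The PIX will not send a packet back out the interface it arrived on, so
        # "route inside 192.168.2.0 ... 192.168.1.250" never helps a LAN host.
        return ("dropped", None) if internal else ("internet", None)
    # The router delivers WAN traffic itself; Internet traffic is re-sent to the
    # PIX and, since PC and PIX share the LAN, the router issues an ICMP redirect.
    return ("wan", None) if internal else ("internet", PIX)

def send(host, dst):
    """One packet from the PC. Returns (outcome, packets seen on the LAN)."""
    gw = host.next_hop(dst)
    outcome, redirect_to = gateway_forward(gw, dst)
    lan_packets = 1                      # PC -> gateway
    if redirect_to:
        lan_packets += 1                 # router -> PIX: the "double" packet
        host.redirect(dst, redirect_to)  # later packets go straight to the PIX
    return outcome, lan_packets

def session(host, dst, count):
    """Send `count` packets to dst; returns (final outcome, total LAN packets)."""
    total = 0
    outcome = None
    for _ in range(count):
        outcome, n = send(host, dst)
        total += n
    return outcome, total
```

With the router as default gateway, three Internet packets cost four LAN packets (two for the first, then one each once the host route is installed), which is Brett's point; with the PIX as default gateway and no static route, traffic for 192.168.2.0 is simply dropped, which is the original poster's symptom.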