09-20-2004 07:50 PM - edited 02-20-2020 11:38 PM
I have a network currently configured so that the PIX is the default gateway for the users on the inside interface. I am trying to send some traffic on a different subnet, destined for another network, through a Cisco router that is connected to the inside network. After pointing the static route to the router on the inside interface and ensuring that the traffic is not blocked by an ACL, the firewall is not able to contact the router. The PIX syslog message is "PIX-6-110001 - No route to dest addr", and a capture reveals that the packet never arrives at the destination router. Pointing the same route to the outside interface shows no syslog message, and the packet arrives at the destination router. IP verify reverse-path is not enabled. Is there an IP redirect or some other command that I am missing to allow a packet that arrives on the inside interface to be forwarded back out that interface to another router?
Thanks
Dave
09-20-2004 08:00 PM
The PIX won't forward a packet out the same interface it came in on, nor will it issue ICMP redirects, which is why this is failing; there is no way around it.
Your best bet is to make the inside router your default gateway and put a default static route on it pointing to the PIX inside address. When inside users access the subnet behind the router, it will work fine. If they go to the Internet, their packets will go to the router, which, because of its default static route, will forward them back to the PIX. The router will also then send an ICMP redirect to the host telling it to send all packets for that network to the PIX from then on.
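The design described in the answer above, as an added configuration example that is not part of the original thread. The addresses are assumptions: PIX inside interface 10.10.0.1/24, inside router 10.10.0.2/24 on FastEthernet0/0, and the subnet behind the router 10.20.0.0/24 on FastEthernet0/1. Hosts on 10.10.0.0/24 use 10.10.0.2 as their default gateway. The first part is IOS configuration for the inside router; the last line is PIX 6.x syntax for the firewall.

```cisco
! Inside router (hypothetical addresses). Hosts on the LAN use 10.10.0.2 as default gateway.
interface FastEthernet0/0
 description LAN shared with the PIX inside interface (10.10.0.1)
 ip address 10.10.0.2 255.255.255.0
 ! ip redirects is on by default in IOS; listed explicitly because the design relies on it.
 ! When a host sends Internet-bound traffic here, the router forwards it to 10.10.0.1
 ! and sends the host an ICMP redirect pointing at the PIX for that destination.
 ip redirects
!
interface FastEthernet0/1
 description Subnet behind the router
 ip address 10.20.0.1 255.255.255.0
!
! Default route on the router points back at the PIX inside address.
ip route 0.0.0.0 0.0.0.0 10.10.0.1
!
! PIX 6.x: the firewall still needs a route to the subnet behind the router, so that
! traffic arriving on the outside interface for 10.20.0.0/24 is forwarded out the inside
! interface to the router. This route is no longer a hairpin, because the packet enters
! on outside and leaves on inside.
route inside 10.20.0.0 255.255.255.0 10.10.0.2 1
```

Two things to verify after applying this: `show ip route` on the router should list the static default via 10.10.0.1, and a `traceroute` from an inside host to an Internet address should hit the router once and then go straight to the PIX on subsequent packets. The second behaviour depends on the hosts honouring ICMP redirects; if a host is configured to ignore them, every Internet-bound packet from that host will continue to take the extra hop through the router, which still works but doubles the traffic on the inside LAN for that host.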
11-12-2004 06:29 AM
Thanks for the explanation, and I understand the security implications behind the design. We modified our network to make another router the default gateway.