
PIX static routes to router on inside interface

dspdss
Level 1

I have a network currently configured that the PIX is the default gateway for the users on the inside interface. I am trying to send some traffic on a different subnet destined for another network through a Cisco router that is connected to the inside network. After pointing the static route to the router on the inside interface and ensuring that the traffic is not blocked by an ACL, the firewall is not able to contact the router. The PIX syslog message is "PIX-6-110001 - No route to dest addr", and a capture reveals that the packet never arrives at the destination router. Pointing the same route to the outside interface shows no syslog message and the packet arriving at the destination router. IP verify reverse-path is not enabled. Is there an IP redirect or some other command that I am missing to allow a packet that arrives on the inside interface to be forwarded back out that interface onto another router?

Thanks

Dave

2 Replies

gfullage
Cisco Employee

The PIX won't forward a packet out the same interface it came in on, nor will it issue ICMP redirects, which is why this is failing. There is no way around it.

Your best bet is to make the inside router your default gateway, and put a default static route on it pointing to the PIX inside address. When inside users access the subnet behind the router it will work fine. If they go to the Internet, their packets will go to the router, which because of its default static route will forward them back to the PIX. The router will also then send an ICMP redirect to the host telling it to send all packets for that network to the PIX from then on.

Thanks for the explanation, and I understand the security implications behind the design. We modified our network to make another router the default gateway.
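
The forwarding behaviour described in this thread, modelled as an added example that is not part of the original posts: it traces a packet from an inside host under both designs (PIX as default gateway, inside router as default gateway). The device names, the `10.20.0.0/16` subnet and the test addresses are constructed assumptions, and the model encodes only the rules stated in the answer above.

```python
import ipaddress

# Constructed addressing for illustration; none of it comes from the thread.
REMOTE = ipaddress.ip_network("10.20.0.0/16")    # subnet behind the inside router
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Each device: the interface facing the shared inside LAN, whether it will send
# a packet back out the interface it arrived on, and (prefix, egress, next_hop).
DEVICES = {
    "pix": {"lan_if": "inside", "hairpin": False, "routes": [
        (REMOTE, "inside", "router"),     # the static route from the question
        (DEFAULT, "outside", None)]},
    "router": {"lan_if": "lan", "hairpin": True, "routes": [
        (REMOTE, "wan", None),
        (DEFAULT, "lan", "pix")]},        # default static route to the PIX
}

def lookup(routes, dst):
    """Longest-prefix match over a device's route list."""
    hits = [r for r in routes if ipaddress.ip_address(dst) in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)

def trace(gateway, dst):
    """Follow a packet from an inside host whose default gateway is `gateway`."""
    path, device = [], gateway
    for _ in range(4):  # bound the walk so a routing loop cannot spin forever
        dev = DEVICES[device]
        _, egress, next_hop = lookup(dev["routes"], dst)
        if egress != dev["lan_if"]:
            path.append(f"{device}: forward out {egress}")
            return "delivered", path
        if not dev["hairpin"]:
            path.append(f"{device}: drop, egress equals ingress ({egress})")
            return "dropped", path
        path.append(f"{device}: hairpin to {next_hop}, ICMP redirect to host")
        device = next_hop
    return "loop", path

if __name__ == "__main__":
    for gw in ("pix", "router"):
        for dst in ("10.20.5.9", "203.0.113.10"):  # remote subnet, Internet
            status, path = trace(gw, dst)
            print(f"gw={gw:6} dst={dst:13} {status:9} {' -> '.join(path)}")
```

Only the combination of PIX as gateway and a destination behind the inside router is dropped; with the router as gateway every flow is delivered, and Internet-bound traffic takes one extra hop until the host acts on the redirect.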
