I do not understand this default gw 0.0.0.1

jjpv_siennax
Level 1

Hi,

I have a pix with the following outside interface:

ip address outside 192.168.0.179 255.255.255.0

In the pix i found a default gw like:

route outside 0.0.0.0 0.0.0.0 0.0.0.1 1

I do not understand what the default gw 0.0.0.1 means. Shouldn't this be an IP in a directly connected subnet on the outside interface, like 192.168.0.1?

Hope that someone could help with this strange default gw (next hop).

regards,

Jeroen

6 Replies

lolayo
Level 1

Jeroen,

You're correct, the default route should have as a next hop address an address in the same subnet as the outside ip.

The route you have is sending traffic to 0.0.0.1 address.

You should verify your gateway ip and change the default route to point to it.

The thing is, it's working with 0.0.0.1 but I can't explain why. Most logical is to add the next hop here, but why is it working with 0.0.0.1?

Regards,

Jeroen Vermeulen

Hi,

Just a left-field question; do you have OSPF running on that firewall?

Thanks,

Glen

Hello Jeroen,

this looks like a dummy IP address, I have seen 0.0.0.1 before on BSD firewalls, where it is being used as a placeholder. I can only imagine that the PIX considers this an IP address configured on an interface, and then applies the following rule:

If the route command uses the IP address from one of the interfaces on the security appliance as the gateway IP address, the security appliance will ARP for the destination IP address in the packet instead of ARPing for the gateway IP address.

Just a thought, and admittedly somewhat of a speculation...

Regards,

GNT
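A small audit that applies lolayo's and GNT's points to a posted config: it pulls the interface addresses and static routes out of PIX config text and reports, for each route, whether the next hop is another host in the egress interface's subnet, the interface's own address (the ARP-for-the-destination case quoted above), or neither, which is what 0.0.0.1 is here. This is an added Python example, not code from the thread or from Cisco; the sample config is constructed after the one posted in this thread, with a documentation-range address standing in for the masked outside IP.

```python
import ipaddress

# Constructed sample modelled on the thread's config; 192.0.2.x is a documentation-range placeholder.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 192.0.2.197 255.255.255.248
interface Ethernet1
 nameif inside
 ip address 10.2.3.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 0.0.0.1 1
route inside 10.10.0.0 255.255.0.0 10.2.3.254 1
route inside 172.16.0.0 255.255.0.0 10.2.3.1 1
"""

def parse_pix(config):
    """Collect interface addresses and static routes; accepts the 7.x form
    ('ip address <ip> <mask>' under 'interface') and the 6.x form ('ip address <nameif> <ip> <mask>')."""
    ifaces, routes, current = {}, [], None
    for line in config.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "nameif":
            current = parts[1]
        elif parts[:2] == ["ip", "address"]:
            try:                              # 7.x: the address follows directly
                ifaces[current] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
            except ValueError:                # 6.x: the nameif comes first
                ifaces[parts[2]] = ipaddress.ip_interface(f"{parts[3]}/{parts[4]}")
        elif parts[0] == "route":
            nameif, net, mask, gw = parts[1:5]
            routes.append((nameif, ipaddress.ip_network(f"{net}/{mask}", strict=False),
                           ipaddress.ip_address(gw)))
    return ifaces, routes

def classify(gw, iface):
    """'ok': next hop is another host in the egress subnet; 'interface': it is the
    interface's own address; 'off-subnet': neither (as 0.0.0.1 on a 192.168.0.0/24 outside)."""
    if iface is None:
        return "no-such-interface"
    if gw == iface.ip:
        return "interface"
    return "ok" if gw in iface.network else "off-subnet"

def check_routes(config):
    """Return (nameif, destination, next hop, verdict) for each static route."""
    ifaces, routes = parse_pix(config)
    return [(nameif, str(net), str(gw), classify(gw, ifaces.get(nameif)))
            for nameif, net, gw in routes]
```

Run `check_routes` over a real `show running-config` dump to list every route whose next hop needs a second look.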

anand1871
Level 1

Can you post the running config?

Hereby the running config:

PIX Version 7.2(1)
!
hostname pixfirewall
domain-name bla.nl
enable password xxx
names
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address x.x.133.197 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.2.3.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2xx.xxxxxxxYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name bla.nl
access-list 100 extended permit icmp any any
access-list 100 extended permit icmp any any time-exceeded inactive
access-list 100 extended permit icmp any any unreachable inactive
access-list 100 extended permit tcp any any inactive
pager lines 24
logging enable
logging buffered errors
logging trap debugging
logging asdm informational
logging facility 23
logging queue 0
logging host inside 10.2.3.54
logging debug-trace
mtu outside 1500
mtu inside 1500
failover
monitor-interface outside
monitor-interface inside
asdm image flash:/asdm-521.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 0.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username root password 0xxxxxxxxxxxU encrypted privilege 15
http server enable
http 10.2.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp nat-traversal 20
telnet timeout 5
ssh 10.2.3.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end