
Internet Router redundancy

mariocabrejo
Level 1

We currently have a Pix520 , v5.3(1). It is setup with 3 interfaces (internal, external and the dmz) with NAT.

We have another router that connects to the internet(not currently plugged to the PIX) that we are planning to use in case our ISP is down (then we will just plug the rj45 from the PIX to this router).

I need to know how to set up the external router to work with the PIX. I tried using the same Fast Ethernet IP address as the current "outside router" (default gateway from the PIX) with no luck.

Any comments are valued.

Thanks

Mario.

5 Replies

jmia
Level 7

Hola Mario,

Can you post your PIX configuration (remember to omit sensitive info) and the config of the router...

Thanks --

mariocabrejo
Level 1

I just double-checked my PIX configuration, and the default gateway's IP address is the same as the outside IP address (interface eth0).

This looks wrong. Is this supposed to be the Ethernet IP address of the next-hop router? How come this is working with the Internet router?

Mario

If you have two devices that are attached to one segment (could be via a cross-over cable), they both keep an ARP-table, in which every locally connected Ethernet-address (MAC-address) is mapped to an IP-address.

Let's look at an example to understand. We call our devices "PIX" and "Router". In the example these devices are connected via a crossover cable. At some point we change device "Router" with a new device called "New Router".

The following addresses are involved:

Device "PIX"

IP-address 192.168.1.2

MAC-address 0800.1234.0001

Device "Router"

IP-address 192.168.1.1

MAC-address 0800.1234.0002

Device "New Router"

IP-address 192.168.1.1

(note: same as device "Router")

MAC-address 0800.1234.0003

Here is what happens:

When device "PIX" and "Router" are connected they have learned each other's MAC-addresses. Device "PIX" has MAC-address 0800.1234.0002 (of device "Router") mapped to the IP-address 192.168.1.1 in its ARP-table.

Device "Router" has MAC-address 0800.1234.0001 (of device "PIX") mapped to the IP-address 192.168.1.1.

Then you exchange device "Router" with device "New Router". Device "PIX", at this point, still has the MAC-address 0800.1234.0002 (of device "Router") mapped to the IP-address 192.168.1.1 in its ARP-table.

So, if a packet arrives at device "PIX" with IP-destination 192.168.1.1, device "PIX" will send this out on the Ethernet interface using destination MAC-address 0800.1234.0002.

This MAC-address does not exist anymore and the packets die out on the Ethernet.

The lesson here is that if you exchange any device, and it uses the same IP-address, you have to manually clear the ARP entry from the ARP-table of the other device (in most cases). How this is done depends on the component's OS; for IOS-based devices this would be "clear arp".

Hope this helps.

Leo

FYI, if the "route" command statement uses the IP address from one of the PIX firewall interfaces as the gateway IP address (as you have), the PIX will ARP for the destination IP address in the packet instead of ARPing for the gateway IP address.

So if your new router doesn't work with this configuration after clearing the ARP cache, that router may have proxy-arp disabled.

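Both Leo's ARP walk-through and the later note about a route whose gateway is the PIX's own interface address can be exercised in one small simulation. This is an added example, not code from the thread or from Cisco; the Host and Segment classes, the send() function and the destination address 198.51.100.7 are constructed here, and the proxy-ARP flag is a simplification of what a real router does.

```python
# Added example (not from this thread): a toy model of the ARP-table scenario in
# Leo's reply, extended with the proxy-ARP case from the follow-up reply. The
# addresses are Leo's; Host/Segment and destination 198.51.100.7 are constructed.
class Host:
    """One device: an IP, a MAC, an ARP table and an optional proxy-ARP flag."""
    def __init__(self, name, ip, mac, proxy_arp=False):
        self.name, self.ip, self.mac = name, ip, mac
        self.proxy_arp = proxy_arp   # a router may answer ARP for IPs it routes
        self.arp = {}                # ip -> mac, learned from ARP exchanges

class Segment:
    """A shared Ethernet: a frame only reaches a MAC that is attached right now."""
    def __init__(self):
        self.hosts = {}              # mac -> Host
    def attach(self, host):
        self.hosts[host.mac] = host
    def detach(self, host):
        del self.hosts[host.mac]
    def arp_request(self, requester, ip):
        """Broadcast who-has <ip>; cache the first answer in both ARP tables."""
        for h in self.hosts.values():
            if h is not requester and (ip == h.ip or h.proxy_arp):
                requester.arp[ip], h.arp[requester.ip] = h.mac, requester.mac
                return h.mac
        return None                  # nobody answered

def send(seg, pix, dst_ip, gateway_ip):
    """Return the name of the host that receives the frame, or None if it dies."""
    # A route whose gateway is the PIX's own interface address makes the PIX
    # ARP for the packet's destination IP instead of for the gateway IP.
    arp_target = dst_ip if gateway_ip == pix.ip else gateway_ip
    mac = pix.arp.get(arp_target) or seg.arp_request(pix, arp_target)
    receiver = seg.hosts.get(mac) if mac else None
    return receiver.name if receiver else None

def scenario(new_router_proxy_arp=True):
    seg, dst = Segment(), "198.51.100.7"
    pix = Host("PIX", "192.168.1.2", "0800.1234.0001")
    router = Host("Router", "192.168.1.1", "0800.1234.0002", proxy_arp=True)
    seg.attach(pix); seg.attach(router)
    results = [send(seg, pix, dst, "192.168.1.1")]      # "Router"
    seg.detach(router)                                  # swap the box, same IP
    seg.attach(Host("New Router", "192.168.1.1", "0800.1234.0003",
                    proxy_arp=new_router_proxy_arp))
    results.append(send(seg, pix, dst, "192.168.1.1"))  # None: stale ARP entry
    pix.arp.clear()                                     # the "clear arp" step
    results.append(send(seg, pix, dst, "192.168.1.1"))  # "New Router"
    results.append(send(seg, pix, dst, pix.ip))         # gateway = own interface
    return results
```

Running scenario() with the default shows the stale entry dropping traffic until the ARP table is cleared; scenario(new_router_proxy_arp=False) additionally shows the own-interface gateway route failing when the replacement router will not proxy-ARP.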