09-08-2003 12:03 PM - edited 03-09-2019 04:41 AM
We currently have a PIX 520, v5.3(1). It is set up with 3 interfaces (internal, external and the DMZ) with NAT.
We have another router that connects to the internet (not currently plugged into the PIX) that we are planning to use in case our ISP is down (then we will just plug the RJ45 from the PIX into this router).
I need to know how to set up the external router to work with the PIX. I tried using the same Fast Ethernet IP address of the current "outside router" (default gateway from the PIX) with no luck.
Any comments are valued.
Thanks
Mario.
09-08-2003 12:12 PM
Hola Mario,
Can you post your PIX configuration (remember to omit sensitive info) and the config of the router...
Thanks --
09-08-2003 01:30 PM
I just double checked under my PIX configuration and the default gateway's IP address is the same as the outside IP address (interface eth0).
This looks wrong. Is this supposed to be the Ethernet IP address of the next hop router? How come this is working with the Internet router?
Mario
09-08-2003 02:25 PM
If you have two devices that are attached to one segment (could be via a cross-over cable), they both keep an ARP table, in which every locally connected Ethernet address (MAC address) is mapped to an IP address.
Let's look at an example to understand. We call our devices "PIX" and "Router". In the example these devices are connected via a crossover cable. At some point we change device "Router" with a new device called "New Router".
The following addresses are involved:
Device "PIX"
IP-address 192.168.1.2
MAC-address 0800.1234.0001
Device "Router"
IP-address 192.168.1.1
MAC-address 0800.1234.0002
Device "New Router"
IP-address 192.168.1.1
(note: same as device "Router")
MAC-address 0800.1234.0003
Here is what happens:
When device "PIX" and "Router" are connected they have learned each other's MAC addresses. Device "PIX" has MAC address 0800.1234.0002 (of device "Router") mapped to the IP address 192.168.1.1 in its ARP table.
Device "Router" has MAC address 0800.1234.0001 (of device "PIX") mapped to the IP address 192.168.1.1.
Then you exchange device "Router" with device "New Router". Device "PIX", at this point, still has the MAC address 0800.1234.0002 (of device "Router") mapped to the IP address 192.168.1.1 in its ARP table.
So, if a packet arrives at device "PIX" with IP destination 192.168.1.1, device "PIX" will send this out on the Ethernet interface using destination MAC address 0800.1234.0002.
This MAC address does not exist anymore and the packets die out on the Ethernet.
The lesson here is that if you exchange any device, and it uses the same IP address, you have to manually clear the ARP entry from the ARP table of the other device (in most cases). How this is done depends on the component's OS. For IOS based devices this would be "clear arp".
Hope this helps.
Leo
09-19-2003 07:19 AM
FYI, if the "route" command statement uses the IP address from one of the PIX firewall interfaces as the gateway IP address (as you have), the PIX will ARP for the destination IP address in the packet instead of ARPing for the gateway IP address.
So if your new router doesn't work with this configuration after clearing the ARP cache then that router may have proxy-arp disabled.
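The two failure modes described in this thread, the stale ARP entry after swapping the router and the PIX ARPing for the destination IP when the route's gateway is its own outside address, modelled as an added example (not code from the thread or from Cisco). The segment, the off-segment destination 10.0.0.1 and the simplified proxy-ARP rule (a router answers ARP for any IP outside the local prefix) are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    name: str
    ip: str
    mac: str
    proxy_arp: bool = True                   # answers ARP for off-segment IPs it routes for
    arp: dict = field(default_factory=dict)  # ARP table: IP -> MAC

class Segment:
    """One Ethernet segment: the crossover cable between the PIX and the router (constructed)."""
    def __init__(self, prefix):
        self.prefix, self.devices = prefix, []
    def arp_request(self, requester, target_ip):
        for d in self.devices:
            if d is requester:
                continue
            if d.ip == target_ip:                       # ordinary ARP reply for its own IP
                return d.mac
            if d.proxy_arp and not target_ip.startswith(self.prefix):
                return d.mac                            # proxy-ARP reply from the router
        return None                                     # nobody answered
    def deliver(self, dst_mac):
        return next((d.name for d in self.devices if d.mac == dst_mac), "dropped (no such MAC)")

def send(pix, seg, dst_ip, gateway):
    # Route whose gateway is the PIX's own interface IP: PIX ARPs for the destination itself.
    next_hop = dst_ip if gateway == pix.ip else gateway
    if next_hop not in pix.arp:
        mac = seg.arp_request(pix, next_hop)
        if mac is None:
            return "no ARP reply for %s" % next_hop
        pix.arp[next_hop] = mac                         # cache the learned mapping
    return seg.deliver(pix.arp[next_hop])

def stale_arp_scenario():
    seg = Segment("192.168.1.")
    pix = Device("PIX", "192.168.1.2", "0800.1234.0001")
    old = Device("Router", "192.168.1.1", "0800.1234.0002")
    new = Device("New Router", "192.168.1.1", "0800.1234.0003")
    seg.devices += [pix, old]
    first = send(pix, seg, "10.0.0.1", "192.168.1.1")   # PIX learns Router's MAC
    seg.devices.remove(old); seg.devices.append(new)    # swap the router, same IP
    stale = send(pix, seg, "10.0.0.1", "192.168.1.1")   # still sent to 0800.1234.0002
    pix.arp.clear()                                     # the "clear arp" step
    fixed = send(pix, seg, "10.0.0.1", "192.168.1.1")
    return first, stale, fixed

def proxy_arp_scenario(router_proxy_arp):
    seg = Segment("192.168.1.")
    pix = Device("PIX", "192.168.1.2", "0800.1234.0001")
    seg.devices += [pix, Device("New Router", "192.168.1.1", "0800.1234.0003", router_proxy_arp)]
    return send(pix, seg, "10.0.0.1", gateway=pix.ip)   # route pointing at the PIX's own outside IP
```

stale_arp_scenario() returns ("Router", "dropped (no such MAC)", "New Router"); proxy_arp_scenario(False) shows that with the gateway set to the PIX's own IP, a router that does not proxy-ARP never answers for 10.0.0.1.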