Core issue
In many instances, you need to enable routing on the PIX Firewall to connect to devices on networks that are not directly connected. This is accomplished by manually configuring static routes or by using Routing Information Protocol (RIP) or Open Shortest Path First (OSPF) to dynamically learn routes.
Resolution
- Static routing
To create a static route statement on the PIX Firewall, issue the route command.
For example, this command is issued to create a route for the 192.168.1.0 network:
route inside 192.168.1.0 255.255.255.0 x.x.x.x
Only one default route can be configured on the PIX Firewall, as shown in this example:
route outside 0.0.0.0 0.0.0.0 x.x.x.x
In this example, x.x.x.x is the IP address of the next hop.
For more information, refer to the route section of Cisco PIX Firewall Software Command Reference.
- RIP
When the PIX Firewall has RIP enabled, it learns routes by passively listening for RIP traffic on the network. When a PIX Firewall interface receives RIP traffic, the PIX Firewall updates its routing table. Although it listens passively, the PIX Firewall can advertise one default route through RIP. To enable RIP, refer to this example:
rip outside passive version 2
rip outside default version 2
For more information, refer to the rip section of Cisco PIX Firewall Software Command Reference.
- OSPF
OSPF is supported on PIX Firewall version 6.3 and later. It is supported on all 500 series platforms except the PIX 501. The OSPF functionality in PIX Firewall version 6.3 is similar to that provided by Cisco IOS® Software Release 12.2(3a).
When Network Address Translation (NAT) is used and OSPF is operating on public and private areas, run two OSPF processes to prevent the advertising of private networks in public areas. This allows you to use NAT and OSPF without advertising private networks, as shown in this example:
ip address outside 1.1.1.1 255.255.255.0
ip address inside 10.0.0.1 255.0.0.0
router ospf 1
network 1.1.1.0 255.255.255.0 area 0
router ospf 2
redistribute ospf 1
network 10.0.0.0 255.0.0.0 area 10.0.0.0
For more information, refer to the Configuring OSPF on the PIX Firewall section of Establishing Connectivity.
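The following Python script is an added example, not part of the original Cisco document. It audits a saved configuration for the condition the two-process design is meant to prevent: the OSPF process that covers the outside interface also covering, or redistributing from a process that covers, the inside interface. The function names parse and audit are hypothetical, the interface names outside and inside are taken from the example above, and the statements are assumed to appear in the form shown on this page.

```python
import ipaddress

# Constructed sample: the two-process configuration shown in the text above.
GOOD = """\
ip address outside 1.1.1.1 255.255.255.0
ip address inside 10.0.0.1 255.0.0.0
router ospf 1
network 1.1.1.0 255.255.255.0 area 0
router ospf 2
redistribute ospf 1
network 10.0.0.0 255.0.0.0 area 10.0.0.0
"""
# Constructed sample: a single process covers both interfaces.
BAD = """\
ip address outside 1.1.1.1 255.255.255.0
ip address inside 10.0.0.1 255.0.0.0
router ospf 1
network 1.1.1.0 255.255.255.0 area 0
network 10.0.0.0 255.0.0.0 area 0
"""

def parse(config):
    """Return ({ifname: address}, {process_id: {"nets": [...], "redist": [...]}})."""
    addrs, procs, cur = {}, {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["ip", "address"] and len(tok) >= 5:
            addrs[tok[2]] = ipaddress.ip_address(tok[3])
        elif tok[:2] == ["router", "ospf"] and len(tok) >= 3:
            cur = procs.setdefault(tok[2], {"nets": [], "redist": []})
        elif cur is not None and tok[:1] == ["network"] and len(tok) >= 3:
            # network <address> <mask> area <id>, as written on this page
            cur["nets"].append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False))
        elif cur is not None and tok[:2] == ["redistribute", "ospf"] and len(tok) >= 3:
            cur["redist"].append(tok[2])
    return addrs, procs

def audit(config, public_if="outside", private_if="inside"):
    """List the ways the public-facing OSPF process can advertise private networks."""
    addrs, procs = parse(config)
    # A process covers an interface when one of its network statements contains its address.
    covers = lambda pid, ifn: ifn in addrs and any(addrs[ifn] in n for n in procs[pid]["nets"])
    findings = []
    for pid in (p for p in procs if covers(p, public_if)):
        if covers(pid, private_if):
            findings.append(f"router ospf {pid}: network statements cover both {public_if} and {private_if}")
        for src in procs[pid]["redist"]:
            if src in procs and covers(src, private_if):
                findings.append(f"router ospf {pid}: redistribute ospf {src} imports {private_if} networks")
    return findings
```

The configuration from the text produces no findings, because redistribution runs only from the public process into the private one.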