can a firewall do routing?

Mar 10th, 2008

Hi all. I have a Cisco PIX 515E firewall that is used as the default gateway for all the PCs in my LAN. My firewall is using an IP of 192.168.40.254/24. On my LAN there is a 2801 router with an IP of 192.168.40.253/24. This router is used to route packets to another network, 192.168.41.0/24, that is connected to it. All my PCs in the 192.168.40.0/24 network need to access the 192.168.41.0/24 network. Hence I placed a static route in my Cisco 515E so that traffic heading for 192.168.41.0/24 would use the gateway 192.168.40.253. The gateway for the 192.168.41.0/24 network is the 2801 router, whose other IP is 192.168.41.254. However, after adding the static route to my PIX, the PCs in 192.168.40.0/24 could not reach 192.168.41.0/24. I was advised by my vendor that a Cisco PIX 515E using IOS 6.3 cannot do static routes. Is this so?

Jon Marshall Mon, 03/10/2008 - 07:52

Hi


A Pix 515E using v6.3 cannot do "hairpinning", and this means your setup won't work. Hairpinning is the ability to route traffic back out of the same interface it came in on, and it is not available until v7.x on the Pix. If you want to hairpin unencrypted traffic you need v7.2.


However, a router can route packets back out of the same interface, so you could:


1) Change the default gateway on your PCs to 192.168.40.253, i.e. the 2801 router.

2) Add a default route on the 2801 pointing to the Pix


ip route 0.0.0.0 0.0.0.0 192.168.40.254


That way your clients will be able to route to the 192.168.41.0 network and still be able to get out via the firewall.


There are other ways of achieving this but the above is probably the simplest.


HTH


Jon
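
The forwarding behaviour described in the answer above, as an added example that is not part of the original thread: a small longest-prefix-match model in which each gateway either permits or refuses to send a packet back out of the interface it arrived on. The addresses come from the thread; the class and function names, the interface names, the PIX default route and its `outside-gw` next hop are assumptions made for illustration.

```python
import ipaddress

class Device:
    """Forwarding model: longest-prefix match plus a same-interface (hairpin) check."""

    def __init__(self, name, lan_if, routes, allow_hairpin):
        self.name = name
        self.lan_if = lan_if              # interface facing 192.168.40.0/24
        self.allow_hairpin = allow_hairpin
        # Each route: (prefix, egress interface, next hop or None if connected)
        self.routes = [(ipaddress.ip_network(p), i, nh) for p, i, nh in routes]

    def forward(self, dst, ingress):
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            return ("drop", "no route")
        _, egress, next_hop = max(matches, key=lambda r: r[0].prefixlen)
        if egress == ingress and not self.allow_hairpin:
            return ("drop", "hairpin not permitted on " + ingress)
        return ("forward", next_hop or "connected:" + egress)

# Addresses are from the thread. Interface names, the PIX default route and
# its "outside-gw" next hop are assumptions made for this example.
PIX_63 = Device("PIX 515E v6.3", "inside", [
    ("192.168.40.0/24", "inside", None),
    ("192.168.41.0/24", "inside", "192.168.40.253"),  # static route from the question
    ("0.0.0.0/0", "outside", "outside-gw"),
], allow_hairpin=False)

R2801 = Device("2801", "lan", [
    ("192.168.40.0/24", "lan", None),
    ("192.168.41.0/24", "remote", None),
    ("0.0.0.0/0", "lan", "192.168.40.254"),           # default route from the answer
], allow_hairpin=True)

def first_hop(gateway, dst):
    """Result when a PC in 192.168.40.0/24 hands a packet for dst to its default gateway."""
    return gateway.forward(dst, gateway.lan_if)

if __name__ == "__main__":
    # 203.0.113.5 is a constructed Internet destination (documentation range).
    for gw in (PIX_63, R2801):
        for dst in ("192.168.41.10", "203.0.113.5"):
            print(f"{gw.name:14} -> {dst:14} {first_hop(gw, dst)}")
```

With the 2801 as the default gateway, traffic between 192.168.40.0/24 and 192.168.41.0/24 is handled by the router alone and never crosses the firewall.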

donnie Mon, 03/10/2008 - 09:11

Hi Jon. Thank you for your explanation. Now I understand what actually happened. But can I check on how to upgrade my PIX 515E IOS from v6.3 to v7.0? Thanks in advance.

Jon Marshall Mon, 03/10/2008 - 09:12

Hi


Yes, you could upgrade to v7.x. You need a minimum of 128Mb to run v7.x, so you may need a memory upgrade as well, as most Pix 515Es I have seen only have 64Mb of memory.


Jon
