03-15-2008 12:50 AM - edited 03-05-2019 09:46 PM
What does the 2nd statement mean?
ip route 0.0.0.0 0.0.0.0 192.168.229.1
route inside 10.242.26.0 255.255.255.0 192.168.116.1 1
I know the first one tells the router to send all traffic destined for the internet via 192.168.229.1, but about the 2nd I have no clue.
03-16-2008 03:50 PM
If the PIX isn't configured with a split tunneling policy, all traffic from the remote client would be sent through the tunnel to the PIX; that would include traffic to the 10.242.26.0/24 network. If instead split tunneling is configured, the split tunneling policy needs to be modified on the PIX to tell the VPN client to send traffic to network 10.242.26.0/24 via the IPsec tunnel.
HTH
Sundar
03-15-2008 01:02 AM
Hi
Is the second statement from a PIX/ASA firewall?
When you specify a route on the PIX you tell it which interface to go out of, as well as the destination network and next hop. So the above says:
to get to network 10.242.26.0, go to 192.168.116.1. 192.168.116.1 is presumably a router?
Jon
03-16-2008 09:22 AM
Jon, you assume well. I had forgotten to mention that this was indeed from a PIX, 7.2.
So where does this apply? I mean, does it apply to traffic coming from the inside? If an inside host sends traffic to a host on the 10.242.26.0 network, is the PIX going to send the traffic back to the inside interface and on to that network?
I'm a bit confused on that.
03-16-2008 10:01 AM
It's not just the inside interface, rather any interface. The PIX would route traffic destined to 10.242.26.0/24, no matter which interface the traffic arrived on, via the inside interface to the next hop address of 192.168.116.1. The word inside in the route statement only tells the PIX that the next hop is reachable via the inside interface.
HTH
Sundar
03-16-2008 11:00 AM
But why must we tell the PIX about the physical interface? Normally it can detect the physical interface by itself using the IP routes from connected networks?
Does this mean the next hop can be in a network that is not directly connected?
03-16-2008 11:54 AM
Sundar
Long time no see. Glad to have you back.
Jon
03-16-2008 04:12 PM
Jon,
Thanks buddy :-)
It got somewhat busy at work and I have also been putting in any spare time towards security lab preparation. Believe me it was quite hard to stay away from Netpro all this time.
I see you have been very active and providing great responses to fellow Netpros' queries. How's your lab preparation coming along?
Regards,
Sundar
03-17-2008 12:32 AM
Sundar
Well, to be honest, not brilliantly. I'm having to do a crash course in all things MPLS at the moment, as we are potentially looking to deploy our own MPLS network, so I need to get up to speed.
Trouble is I find MPLS very interesting, so now I'm wondering if I should be looking at CCIE SP rather than R&S. And that just about sums me up really - I'll be retired before I finally decide which CCIE to take :-)
Hope you find the time to stick around now that you're back.
Jon
03-16-2008 01:18 PM
I see. So in the statement "route inside 10.242.26.0 255.255.255.0 192.168.116.1 1", the word INSIDE is only there to tell the PIX that the next-hop IP address of 192.168.116.1 is located on, or perhaps can be reached via, the inside network... got it... great input, Sundar.
Can this apply to remote client connections as well? Obviously, they come in via the outside interface, form the tunnel and can reach the inside network. So what if they want to reach 10.242.26.0/24, will the PIX tell them to get there via 192.168.116.1? The Cisco VPN client remote access setup in this PIX is currently set for split-tunnel.
thanks in advance
03-16-2008 07:51 PM
great.... Now I'm getting it. Sundar, thank you for all the lecture, and please excuse my simple and silly questions. I always want to be 300% sure before working on and applying it to real production environments.
I will now apply these statements to the cisco vpn client remote access.
apie
03-16-2008 12:05 PM
Hi
Sundar has explained this perfectly. The only thing I would add is that before v7.x traffic could not be routed back out the interface it was received on. So let's say you have an outside, dmz, and inside with the route in your example.
Traffic arrives from the outside destined for 10.242.26.x and is routed to 192.168.116.1 through the inside interface.
Same for dmz traffic destined for 10.242.26.x.
But if traffic arrives on the inside interface destined for 10.242.26.x, then the PIX needs to send that back out the inside interface to 192.168.116.1.
Prior to version 7.x a PIX could not do this. Now it can, and with 7.2 it can do it with unencrypted traffic. It is a feature called hairpinning.
Jon
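As an added illustration (not from the thread or from any Cisco code), a small Python model of the route lookup discussed above: longest-prefix match selects the route, the interface keyword names only the interface where the next hop lives, and a flow that enters and leaves on the same interface is the hairpin case Jon describes. The default route on a hypothetical "outside" interface is a constructed assumption; the inside route is the one from the thread.

```python
import ipaddress

# Constructed sample config in PIX "route" syntax. The inside route is the one
# from the thread; the default route via 192.168.229.1 on a hypothetical
# "outside" interface is an assumption added for illustration.
PIX_ROUTES = """
route outside 0.0.0.0 0.0.0.0 192.168.229.1 1
route inside 10.242.26.0 255.255.255.0 192.168.116.1 1
"""


def parse_pix_routes(text):
    """Parse 'route <ifname> <network> <mask> <next-hop> [metric]' lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "route":
            continue
        ifname, net, mask, nexthop = parts[1:5]
        metric = int(parts[5]) if len(parts) > 5 else 1
        routes.append((ipaddress.ip_network(f"{net}/{mask}"), ifname,
                       ipaddress.ip_address(nexthop), metric))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; lower metric wins ties. Returns (ifname, next_hop)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, ifname, nh, metric in routes:
        if dst in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, ifname, str(nh))
    return None if best is None else (best[1], best[2])


def forward(routes, ingress_if, dst):
    """Resolve a flow arriving on ingress_if. The interface keyword in the
    route only says where the next hop is reachable, so the ingress interface
    plays no part in selection; if egress == ingress the flow hairpins, which
    PIX code before 7.x could not do."""
    hit = lookup(routes, dst)
    if hit is None:
        return None
    egress, nh = hit
    return {"egress": egress, "next_hop": nh, "hairpin": egress == ingress_if}


if __name__ == "__main__":
    table = parse_pix_routes(PIX_ROUTES)
    for ingress in ("inside", "dmz", "outside"):
        print(ingress, "->", forward(table, ingress, "10.242.26.5"))
```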
04-14-2008 10:47 AM
Hi Jon,
I'm having a problem with a Tunnel between a PIX-515E 6.3.4 and a PIX-525 7.2 and I think it might have to do with what you explained here.
Traffic comes from the PIX-525 (10.121.10.0) trying to reach the PIX-515E (192.168.30.0) but it can't be reached.
There is a L3 switch behind the PIX-515E where the 192.168.30.0 network resides.
There are 3 route statements in this 515E:
route inside 192.168.10.0 255.255.255.0 192.168.106.250 1
route inside 192.168.20.0 255.255.255.0 192.168.106.250 1
route inside 192.168.30.0 255.255.255.0 192.168.106.250 1
Based on this, will the traffic coming from the 525 network (10.121.10.0) be considered as trying to go out via the same interface it came in on?
I can't get this tunnel up, and I am thinking that the 6.3 software version might have something to do with this.
thanks in advance
04-14-2008 10:55 AM
From what you have described, no, I don't think that is the issue. The traffic from the 525 should come down the tunnel through the outside interface of the 515E and then get routed out the inside to next hop 192.168.106.250. Return traffic will go back via the inside interface and down the tunnel.
This is fine and normal traffic flow. So I think it is something else.
Does the L3 switch know to route the 10.121.10.0 network back to the PIX inside interface?
Jon
04-14-2008 11:05 AM
Then I have no clue why the tunnel will not come up :(
The IP address of the inside interface of the 515E is 192.168.106.100.
This inside interface connects to the L3 switch. In this switch, there are the following route statements:
ip route 0.0.0.0 0.0.0.0 192.168.106.100
ip route 10.121.10.0 255.255.255.0 192.168.106.100
ip route 10.10.161.0 255.255.255.0 192.168.106.246
...
...
So I assume these lines are telling the L3 switch where to send traffic destined for the 10.121.10.0 network.
I have the same setup at the other end of the tunnel (the 525 PIX side).