route inside statement

insccisco
Level 1

What does the 2nd statement means?

ip route 0.0.0.0 0.0.0.0 192.168.229.1

route inside 10.242.26.0 255.255.255.0 192.168.116.1 1

I know the first one tells the router to send all traffic destined for the internet via 192.168.229.1, but about the 2nd I have no clue.

29 Replies

Jon Marshall
Hall of Fame

Hi

Is the second statement from a PIX/ASA firewall?

When you specify a route on the PIX you tell it which interface to go out of as well as the destination network and next hop. So the above says: to get to network 10.242.26.0, go to 192.168.116.1. 192.168.116.1 is presumably a router?

Jon

Jon, you assume well. I had forgotten to mention that this was indeed from a PIX, 7.2

So where does this apply to? I mean, does it apply to traffic coming from the inside? If an inside host sends traffic to a host on the 10.242.26.0 network, is the PIX going to send the traffic back to the inside interface and to the network?

I'm a bit confused on that.

It's not just the inside interface, rather any interface. The PIX would route traffic destined to 10.242.26.0/24, no matter which interface the traffic arrived on, via the inside interface to the next hop address of 192.168.116.1. The word inside in the route statement only tells the PIX that the next hop is reachable via the inside interface.

HTH

Sundar

But why must we tell the PIX about the physical interface? Normally it can detect the physical interface by itself using the routes for connected networks.

Does this mean the next hop can be in a network that is not directly connected?

Sundar

Long time no see. Glad to have you back.

Jon

Jon,

Thanks buddy :-)

It got somewhat busy at work and I have also been putting in any spare time towards security lab preparation. Believe me it was quite hard to stay away from Netpro all this time.

I see you have been very active and providing great responses to fellow Netpros' queries. How's your lab preparation coming along?

Regards,

Sundar

Sundar

Well, to be honest, not brilliantly. I'm having to do a crash course in all things MPLS at the moment as we are potentially looking to deploy our own MPLS network, so I need to get up to speed.

Trouble is I find MPLS very interesting, so now I'm wondering if I should be looking at CCIE SP rather than R&S. And that just about sums me up really - I'll be retired before I finally decide which CCIE to take :-)

Hope you find the time to stick around now that you're back.

Jon

I see. So in the statement "route inside 10.242.26.0 255.255.255.0 192.168.116.1 1", the word INSIDE is only there to tell the PIX that the next-hop IP address of 192.168.116.1 is located on, or perhaps can be reached via, the Inside network... got it... great input Sundar.

Can this apply to remote client connections as well? Obviously, they come in via the outside interface, form the tunnel and can reach the inside network. So what if they want to reach 10.242.26.0/24, will the PIX tell them to get there via 192.168.116.1? The Cisco VPN client remote access setup in this PIX is currently set for split-tunnel.

Thanks in advance

If the PIX isn't configured with a split tunneling policy, all traffic from the remote client would be sent through the tunnel to the PIX; that would include traffic to the 10.242.26.0/24 network. Instead, if split tunneling is configured, the split tunneling policy needs to be modified on the PIX to tell the VPN client to send traffic to network 10.242.26.0/24 via the IPSEC tunnel.

HTH

Sundar

Great... Now I'm getting it. Sundar, thank you for all the lecture, and please excuse my simple and silly questions. I always want to be 300% sure before working on and applying it to real production environments.

I will now apply these statements to the Cisco VPN client remote access.

apie

Hi

Sundar has explained this perfectly. The only thing I would add is that before v7.x traffic could not be routed back out the interface it was received on. So let's say you have an outside, dmz, and inside with the route in your example.

Traffic arrives from the outside destined for 10.242.26.x and is routed to 192.168.116.1 through the inside interface.

Same for dmz traffic destined for 10.242.26.x.

But if traffic arrives on the inside interface destined for 10.242.26.x, then the PIX needs to send that back out the inside interface to 192.168.116.1.

Prior to version 7.x a PIX could not do this. Now it can, and with 7.2 it can do it with unencrypted traffic. It is a feature called hairpinning.

Jon
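To make the forwarding behaviour discussed above concrete, here is an added example (not code from the thread or from Cisco) that parses PIX-style `route` statements, does a longest-prefix lookup, and flags the hairpin case where a packet must leave on the interface it arrived on. The default route is written in PIX syntax as an assumption; the thread quotes it in IOS syntax.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    iface: str                          # egress interface named in the statement
    network: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    metric: int


def parse_pix_route(line: str) -> Route:
    """Parse 'route <iface> <network> <mask> <next-hop> [metric]' (PIX/ASA syntax)."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not a PIX route statement: {line!r}")
    iface, net, mask, hop = parts[1:5]
    metric = int(parts[5]) if len(parts) > 5 else 1
    return Route(iface, ipaddress.IPv4Network(f"{net}/{mask}"),
                 ipaddress.IPv4Address(hop), metric)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; the lowest metric wins a tie."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def forward(table: List[Route], ingress_iface: str, dst: str) -> dict:
    """Egress interface and next hop for a packet, plus whether it hairpins
    (leaves on the same interface it arrived on, which pre-7.x PIX could not do)."""
    r = lookup(table, dst)
    if r is None:
        return {"action": "drop", "reason": "no route"}
    return {"action": "forward", "egress": r.iface, "next_hop": str(r.next_hop),
            "hairpin": r.iface == ingress_iface}


# Constructed table modelled on the two statements quoted in the thread.
PIX_ROUTES = [parse_pix_route(line) for line in (
    "route outside 0.0.0.0 0.0.0.0 192.168.229.1 1",   # assumed PIX form of the default
    "route inside 10.242.26.0 255.255.255.0 192.168.116.1 1",
)]

if __name__ == "__main__":
    for ingress, dst in (("outside", "10.242.26.7"), ("dmz", "10.242.26.7"),
                         ("inside", "10.242.26.7"), ("inside", "8.8.8.8")):
        print(ingress, "->", dst, forward(PIX_ROUTES, ingress, dst))
```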

Hi Jon,

I'm having a problem with a Tunnel between a PIX-515E 6.3.4 and a PIX-525 7.2 and I think it might have to do with what you explained here.

Traffic comes from the PIX-525 (10.121.10.0) trying to reach the PIX-515E (192.168.30.0) but it can't be reached.

There is a L3 switch behind the PIX-515E where the 192.168.30.0 network resides.

There are 3 route statements in this 515E:

route inside 192.168.10.0 255.255.255.0 192.168.106.250 1

route inside 192.168.20.0 255.255.255.0 192.168.106.250 1

route inside 192.168.30.0 255.255.255.0 192.168.106.250 1

Based on this, will the traffic coming from the 525 network (10.121.10.0) be considered as trying to come out via the same interface where it came in from?

I can't get this tunnel up and I might be thinking that the 6.3 software version might have something to do with this.

Thanks in advance

From what you have described, no, I don't think that is the issue. The traffic from the 525 should come down the tunnel through the outside interface of the 515E and then get routed out the inside to next hop 192.168.106.250. Return traffic will go back via the inside interface and down the tunnel.

This is fine and normal traffic flow. So I think it is something else.

Does the L3 switch know to route the 10.121.10.0 network back to the pix inside interface ?

Jon

Then I have no clue why the tunnel will not come up :(

The IP address of the inside interface of the 515E is 192.168.106.100.

This inside interface connects to the L3 switch. In this switch, there are the following route statements:

ip route 0.0.0.0 0.0.0.0 192.168.106.100

ip route 10.121.10.0 255.255.255.0 192.168.106.100

ip route 10.10.161.0 255.255.255.0 192.168.106.246

...

...

So I assume these lines are telling the L3 switch where to send traffic destined for the 10.121.10.0 network.

I have the same setup at the other end of the tunnel (the 525 PIX side).