Default Gateway

Unanswered Question
Jan 6th, 2009


I have a Cisco 1700 series router and a PIX 506 configured on the network. Both devices have interfaces directly connected to the LAN and WAN.

Although I would like to configure the PIX as the default gateway, I am unable to, due to the fact that there are routes on the 1700 router that wouldn't be accessible to the clients (same-interface traffic on the PIX, etc.). But at the same time I would like all internet traffic to pass via the PIX and the GRE VPN tunnel traffic to pass via the router. The CPU utilisation is often quite high on the router due to the GRE VPN traffic, which is why I want to avoid passing general internet traffic through it.

I have configured the router as the default gateway; however, I have changed the default route on the router to use the PIX. My question is this: is there a performance issue with this setup? My understanding is that the router should send an ICMP redirect for all the internet traffic, which should then pass via the PIX? If the router is running particularly slowly, is this setup going to impact general internet traffic?


Giuseppe Larosa Tue, 01/06/2009 - 02:49

Hello Al,

I would change the configuration on the device that is more internal:

default route pointing to the PIX

a PBR rule that redirects GRE traffic to the 1700 router:

    ! match GRE (IP protocol 47) from any source to any destination
    access-list 112 permit gre any any
    !
    route-map divert_GRE permit 10
     match ip address 112
     set ip next-hop c1700.lan.ipaddr

applied on the internal interface of the device inside, because it works on inbound packets:

    int vlan 10
     ip policy route-map divert_GRE

The current settings have an impact on the CPU of the 1700, and that is not a good thing, as it is already high from GRE traffic handling.

Hope to help


alraycisco Tue, 01/06/2009 - 03:00


Thanks for the post. Both devices are equal in terms of their position on the network i.e. both have interfaces that are directly connected to the LAN & WAN, and I was hoping to keep things that way.

With your suggestion, there is still the issue that, if the PIX is the default gateway, then clients won't be able to get to hosts that are in the routing table of the router.


Giuseppe Larosa Tue, 01/06/2009 - 04:37

Hello Al,

Since the most specific route is used first, you could add some static routes for the hosts to be reached via the C1700.

In this way you can avoid all the ICMP redirect overhead.

But this can only work if there is an internal network device that faces the C1700/PIX pair.

Doing this on LAN clients can be long and tedious.

If the hosts to be reached are within RFC 1918 (private IP addresses), you can also add static routes for the private address ranges in use, pointing to the C1700.

I also think that the PBR suggestion cannot work if the GRE tunnels start from the C1700, so my first post cannot apply to your scenario.

Hope to help
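As an added worked example (not from the thread or from either poster), the following Python script models the forwarding decision of the inside device under both suggestions: the GRE-matching route-map from the first reply, and the most-specific-route static table from the second. The LAN addresses (192.168.1.1 for the PIX, 192.168.1.2 for the C1700), the sample destinations and the routing table are all assumed for the example. It also shows the caveat raised in the second reply: a LAN client's packet towards the remote site is plain TCP, so a route-map matching GRE never sees it when the tunnel is terminated on the C1700, and only a static route for the remote prefix diverts it.

```python
"""Forwarding-decision model for the inside device in the thread.

Constructed example: it simulates (1) a route-map that matches GRE
(protocol 47) and sets the next hop to the C1700, and (2) a static
routing table where the most specific prefix wins, with RFC 1918 ranges
pointing to the C1700 and the default route pointing to the PIX.
All addresses are assumed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

GRE_PROTO = 47      # IP protocol number matched by "permit gre any any"
TCP_PROTO = 6

# Assumed LAN addresses; the thread does not give any.
C1700_LAN = "192.168.1.2"
PIX_LAN = "192.168.1.1"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int   # IP protocol number


Route = Tuple[ipaddress.IPv4Network, str]
Decision = Tuple[Optional[str], str]

# Static table on the inside device (second reply): connected LAN,
# private ranges -> C1700, everything else -> PIX.
ROUTES: List[Route] = [
    (ipaddress.ip_network("192.168.1.0/24"), "connected"),
    (ipaddress.ip_network("10.0.0.0/8"), C1700_LAN),
    (ipaddress.ip_network("172.16.0.0/12"), C1700_LAN),
    (ipaddress.ip_network("192.168.0.0/16"), C1700_LAN),
    (ipaddress.ip_network("0.0.0.0/0"), PIX_LAN),
]

# Connected LAN plus default route only, i.e. the PBR-only design of the first reply.
DEFAULT_ONLY: List[Route] = [ROUTES[0], ROUTES[-1]]


def lookup(dst: str, routes: List[Route] = ROUTES) -> Decision:
    """Longest-prefix match: the most specific route wins, as in the second reply."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, hop in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is None:
        return None, "no route"
    return best[1], f"route {best[0]}"


def divert_gre(pkt: Packet) -> Optional[str]:
    """route-map divert_GRE: match access-list 112 (permit gre any any),
    set ip next-hop <C1700>. Returns the next hop, or None when not matched."""
    return C1700_LAN if pkt.proto == GRE_PROTO else None


def next_hop(pkt: Packet,
             routes: List[Route] = ROUTES,
             policy: Optional[Callable[[Packet], Optional[str]]] = divert_gre) -> Decision:
    """'ip policy route-map' is evaluated on packets arriving inbound on the
    interface before the normal routing lookup; a policy hit overrides the table."""
    if policy is not None:
        hop = policy(pkt)
        if hop is not None:
            return hop, "pbr divert_GRE"
    return lookup(pkt.dst, routes)


# Constructed sample traffic; 192.168.1.50 is an assumed LAN client.
SAMPLES = {
    "internet_http": Packet("192.168.1.50", "203.0.113.10", TCP_PROTO),
    "remote_vpn_site": Packet("192.168.1.50", "10.20.0.5", TCP_PROTO),
    "local_lan": Packet("192.168.1.50", "192.168.1.60", TCP_PROTO),
    "gre_from_router": Packet(C1700_LAN, "198.51.100.1", GRE_PROTO),
}


def decisions(routes: List[Route] = ROUTES, policy=divert_gre):
    """Next-hop decision for every sample packet under a given table and policy."""
    return {name: next_hop(pkt, routes, policy) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    print("PBR on GRE + default route only (first reply):")
    for name, dec in decisions(DEFAULT_ONLY).items():
        print(f"  {name:16} -> {dec}")
    print("static routes, no PBR (second reply):")
    for name, dec in decisions(ROUTES, None).items():
        print(f"  {name:16} -> {dec}")
```

Running it shows the difference between the two replies: with only the GRE route-map, the client's TCP packet to 10.20.0.5 follows the default route to the PIX, because GRE encapsulation only happens once the packet reaches the C1700; with the RFC 1918 static routes in place, the same packet matches 10.0.0.0/8 and goes to the C1700 with no ICMP redirect involved, while Internet traffic still takes the default route to the PIX.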


