I have a network with a PIX and Router to an ISP. The default gateway on my network is the inside port on the PIX. I'd like to add a second router to my network that will be used to connect to a remote office. How do I direct traffic to that router? I assume, since the PIX is the default gateway, that I need to configure the PIX to redirect traffic to the second router. Is that correct? What commands should I use?
I'm not too familiar with PIX, but I do have a similar setup with Cisco Routers and a Checkpoint firewall.
I have four interfaces on my firewall, one external and three "internal". My external interface is connected to my Cisco border router going out to my ISP.
I have another Cisco 2501 router going to a remote office using ISDN. This is connected to one of my "internal" interfaces. The "internal" interface of the firewall is configured with an IP address of, say, 10.0.0.1 with /24. The 2501 has an IP in that range, say 10.0.0.2.
The firewall has a GUI client where I can put in a static route of that IP block 10.0.0.0/24 routing to the interface of the 2501 (10.0.0.2).
Hope that helps.
You can create a static entry for the remote network on your first router; in configuration mode the command is
ip route 10.2.0.0 255.255.0.0 10.1.0.2
10.2.0.0 is the remote office network address
255.255.0.0 is the remote office address mask
10.1.0.2 is the IP address of the LAN port of your second router
You have to configure the second router also: one static entry for the remote network, another for the default route.
The problem I'm having is that the PIX does NAT and so does Router1. So Router1 doesn't know about Router2. The PIX and Router2 are on 192.168.1.z and the PIX translates to 10.1.0.z then Router1 translates to real-world IP.
Can the PIX re-direct traffic back to the 192.168.1.z network?
No, the PIX can't reroute traffic back out the same interface.
Where do you want to place your 2nd router?
Is it:
|-R1 ---- pix ---- R2 ---- ISP
For the first case, you need to take the IP address of the PIX inside interface and configure it on the router. You then need another segment of IP addresses for the connection router1 - pix.
My current configuration is:
R1-pix-R2
I don't own R2 so I do not have the ability to replace or repair it quickly, so I did not want to include it in the path to the internet.
If R2 dies on me, I don't want to lose my internet connection. How do I get traffic to go to R2?
The PIX Firewall does not send ICMP redirect messages that would redirect PC traffic bound for the remote site to R2. If you don't own and manage R2 it could be considered a security threat. Therefore your solution might be to connect R2 to a separate interface on your PIX and configure the appropriate conduits for remote site traffic to enter the network. The PIX would then be able to remain the default gateway on your network and direct traffic to the remote site.
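As an added illustration of the separate-interface approach described in that reply (this is example configuration written for this page, not the poster's or Cisco's own), here is a PIX 6.x style fragment. All addresses are constructed assumptions: inside 192.168.1.0/24, outside 10.1.0.0/24 with R1 at 10.1.0.1, a third interface named "remote" on 192.168.2.0/24 with R2 at 192.168.2.2, and a remote office LAN of 10.2.0.0/16.

```cisco
! Added example, not from the thread. Assumed addressing (all constructed):
!   inside  192.168.1.1/24   (existing default gateway for the PCs)
!   outside 10.1.0.10/24     (R1, the ISP router, at 10.1.0.1)
!   remote  192.168.2.1/24   (R2, the remote-office router, at 192.168.2.2)
!   remote office LAN 10.2.0.0/16 behind R2
nameif ethernet2 remote security50
interface ethernet2 auto
ip address inside 192.168.1.1 255.255.255.0
ip address outside 10.1.0.10 255.255.255.0
ip address remote 192.168.2.1 255.255.255.0
!
! Internet traffic still leaves via R1; remote-office traffic leaves via R2 on
! its own interface, so the PIX never has to hairpin back out "inside".
route outside 0.0.0.0 0.0.0.0 10.1.0.1 1
route remote 10.2.0.0 255.255.0.0 192.168.2.2 1
!
! Keep the existing inside->outside translation to the 10.1.0.z range, but
! exempt inside<->remote-office traffic from NAT.
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 10.1.0.100-10.1.0.200
!
! "remote" is lower security than "inside", so sessions started from the remote
! office need an identity static plus a conduit. Permit only what is needed;
! here (assumed) just SMTP to one mail host rather than the whole LAN.
static (inside,remote) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
conduit permit tcp host 192.168.1.20 eq smtp 10.2.0.0 255.255.0.0
```

Conduits on the PIX are not tied to an interface, so keeping them narrow (specific hosts and ports) is what limits what an unmanaged R2 can reach if it is compromised.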
I have a network with four routers on the LAN and I designated one of them as the "boss" router. It has a default route to the inside port of the PIX. Everything else gets static routed. The "boss" router is not the one that connects to the internet behind the PIX. It's the one that connects my private network together. Hope this helps.
If possible, what I would do is take the inside address of the PIX (default gateway) and put that on the corporate router ethernet interface. Then, in the corporate router put a default route of 0.0.0.0 0.0.0.0 to the new PIX inside interface address. Any address the corporate router doesn't know about will be directed to the PIX.