New Member

Pix 506 and static routing on trusted interface

Hi,

I have recently bought a Cisco PIX 506.

For several days I have been trying to configure a static route on an internal interface, but it does not work.

The internal interface is configured 192.168.1.2 255.255.255.0

The external interface is configured 85.x.162.194 255.255.255.248; the default gateway is 85.x.162.193

My problem is making a static route so that when a packet for an IP in this range (192.168.0.0 255.255.255.0) arrives at the internal interface, the router sends this packet to a default gateway on the inside interface (gateway 192.168.1.2 255.255.255.0).

I paste this configuration to explain, but it does not work:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address inside 192.168.1.7 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.x.x.42.162.193 1
route inside 192.168.0.0 255.255.255.0 192.168.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.50-192.168.1.100 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:xxx
: end
pixfirewall(config)#

This configuration works, but on an old Cisco 837, and gives me no problem:

ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 192.168.0.0 255.255.255.0 192.168.1.1
ip route 192.168.2.0 255.255.255.0 192.168.1.1
ip route 192.168.3.0 255.255.255.0 192.168.1.1

But with this firewall it does not work?..

Please help me, because I want to implement this firewall but have not found a good configuration.

Thanks in advance!

8 REPLIES

Re: Pix 506 and static routing on trusted interface

Hi,

Your IP address for the outside interface is missing. Is it a typo?

Anyway, from where do you expect the network traffic destined for 192.168.0.0 255.255.255.0 to originate/come from? Is it coming from the inside interface itself, i.e. arriving at the PIX inside interface (ethernet 0), and you expect the PIX to send/route it to 192.168.1.1? This is based on your old C837 router config.

What does the routing configuration statement of the router with IP 192.168.1.1 look like that made it send the traffic (192.168.0.0/24) to 192.168.1.2? Can you post the config?

FYI, it is totally different when you use a router to do routing compared to a PIX. A router is intelligent enough to do routing, but a PIX is not, e.g. redirecting traffic from one interface to another or to other devices.

Rgds,

AK

New Member

Re: Pix 506 and static routing on trusted interface

Is this observation correct, in your view????

I hope it is not correct :-(

Thanks!

The PIX is not a router in the sense you want to use it.

"route inside ....... " will route packets coming from the outside to a valid inside gateway, but it will not reroute packets coming from the inside back to an inside gateway.

So if your PC has the PIX as the default gateway, you cannot reroute some packets to the VPN concentrator. You will need either another router or a static route on the PC.

Re: Pix 506 and static routing on trusted interface

I am trying to understand your question.

Where does this network traffic destined for 192.168.0.0 255.255.255.0 originate/come from?

Is it coming from the inside interface itself, i.e. arriving at the PIX inside interface (ethernet 0), and you expect the PIX to send/route it to 192.168.1.1?

Rgds,

AK

New Member

Re: Pix 506 and static routing on trusted interface

Hi,

Sorry for my bad English...

The static route I want: when a machine connected in a trusted zone of the PIX calls an IP in a different subnet, then to reach this subnet the static route sends the request to one internal trusted gateway, for example 192.168.1.1.

I hope you understand...

A call arrives at the PIX from a trusted zone; the PIX has a static route for a definite subnet, and the trusted interface sends the call to another default gateway.

Thanks in advance!!!

New Member

Re: Pix 506 and static routing on trusted interface

Up Up Up

THANKS!

Re: Pix 506 and static routing on trusted interface

Is it solved/working now?

Rgds,

AK

New Member

Re: Pix 506 and static routing on trusted interface

NO :-(

But I have read in the command manual that there is one command to make a static route, and it is:

route, and there is one clear example for understanding the static route:

route dmz 192.168.42.0 255.255.255.0 192.168.1.5 1

But when I modify this command to add it to my router, the router gives me an error...

Please help me :-(

Re: Pix 506 and static routing on trusted interface

You don't have a dmz.

Your observation is correct: the PIX will not redirect packets from the inside to the inside.

To get round this, use 192.168.1.1 (the internal router) as default gateway for all hosts on 192.168.1.x. Do not use the PIX as your default gateway.
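The forwarding behaviour the replies describe can be checked with a small model. The script below is an added illustration and is not code from the thread or from Cisco: it implements longest-prefix routing for a host and for a PIX 6.x-style firewall that, as the quoted reply states, never sends a packet back out the interface it arrived on. It uses the addresses posted in the question (PIX inside 192.168.1.2, internal router 192.168.1.1, remote subnet 192.168.0.0/24); the upstream gateway 203.0.113.1 is a constructed placeholder for the masked 85.x.162.193, and NAT, access lists and the router's own return route are deliberately left out.

```python
"""Model of PIX 6.x forwarding versus host routing (constructed example).

Shows why 'route inside 192.168.0.0 255.255.255.0 192.168.1.1' helps traffic
arriving from the outside but not traffic arriving on the inside interface,
and how the two fixes from the thread (internal router as default gateway,
or a static route on the host) avoid the same-interface redirect.
"""
import ipaddress

PIX_INSIDE = "192.168.1.2"          # PIX inside address as stated in the question
INTERNAL_ROUTER = "192.168.1.1"     # router that knows 192.168.0.0/24
UPSTREAM_GW = "203.0.113.1"         # placeholder for the masked 85.x.162.193


class Route:
    """One static route: prefix, next hop and the interface it points out of."""
    def __init__(self, prefix, next_hop, interface):
        self.network = ipaddress.ip_network(prefix)
        self.next_hop = ipaddress.ip_address(next_hop)
        self.interface = interface


def lookup(routes, dst):
    """Longest-prefix match; returns the best Route or None."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: r.network.prefixlen)


def pix_forward(routes, ingress_if, dst):
    """Forwarding decision of a PIX 6.x-style firewall (modelled).

    Returns ('forward', next_hop, egress_if) or ('drop', reason, None).
    The firewall refuses to send a packet out the interface it came in on,
    which is exactly the case the thread is about.
    """
    route = lookup(routes, dst)
    if route is None:
        return ("drop", "no route", None)
    if route.interface == ingress_if:
        return ("drop", "same-interface redirect not supported", None)
    return ("forward", str(route.next_hop), route.interface)


def host_next_hop(host_routes, dst):
    """Next hop an end host picks from its own routing table."""
    route = lookup(host_routes, dst)
    return None if route is None else str(route.next_hop)


# PIX routing table as posted in the question (gateway address substituted)
PIX_ROUTES = [
    Route("0.0.0.0/0", UPSTREAM_GW, "outside"),
    Route("192.168.0.0/24", INTERNAL_ROUTER, "inside"),
]

# Host routing tables for the three setups discussed in the thread
HOST_BROKEN = [Route("0.0.0.0/0", PIX_INSIDE, "eth0")]
HOST_FIX_DEFAULT_GW = [Route("0.0.0.0/0", INTERNAL_ROUTER, "eth0")]
HOST_FIX_STATIC_ROUTE = [
    Route("0.0.0.0/0", PIX_INSIDE, "eth0"),
    Route("192.168.0.0/24", INTERNAL_ROUTER, "eth0"),
]


def simulate(host_routes, dst):
    """Follow one packet from a host on 192.168.1.0/24 to its first real hop.

    If the host hands the packet to the PIX, apply the PIX decision for a
    packet entering on 'inside'; otherwise the host delivers it directly.
    """
    nh = host_next_hop(host_routes, dst)
    if nh is None:
        return ("drop", "host has no route", None)
    if nh == PIX_INSIDE:
        return pix_forward(PIX_ROUTES, "inside", dst)
    return ("forward", nh, "host-direct")


if __name__ == "__main__":
    for label, table in (("PIX as default gw", HOST_BROKEN),
                         ("router as default gw", HOST_FIX_DEFAULT_GW),
                         ("static route on host", HOST_FIX_STATIC_ROUTE)):
        for dst in ("192.168.0.10", "198.51.100.7"):
            print(f"{label:22s} -> {dst:14s}: {simulate(table, dst)}")
    print("from outside:", pix_forward(PIX_ROUTES, "outside", "192.168.0.10"))
```

With the host pointing at the PIX, 192.168.0.10 is dropped by the model while Internet-bound traffic still leaves via the outside interface; with either fix the packet goes straight to 192.168.1.1. The same `route inside` entry is honoured for a packet entering on the outside interface, which is the case the quoted reply says it was meant for. When the internal router becomes the default gateway, it must itself have a default route back to the PIX, otherwise Internet traffic stops at the router.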
