Re: PIX 7.2 and HSRP

jskelley · ‎07-06-2006

Hi

I upgraded a PIX515E today from 7.0 to 7.2. It solved the problem I had but now I can not ping or route via the internal LAN HSRP address.

To get around this I have had to add the routes twice via the two internal routers actual interfaces with different metrics - which I can ping and route via.

If I look in the ARP table on the PIX I can see the HSRP address and a full MAC but can not ping or route via it.

I have done a ICMP trace on the PIX and can see the packet leaving but not coming back, I can not trace on the internal routers in production.

Has anyone seen this before?

Many thanks.

J

a.kiprawih · ‎07-13-2006

Hi,

How's the connection from the two hsrp routers to PIX? (y idea is based on your input here..

Since the routers are running HSRP, both of the fastethernet interfaces facing the PIX should be connected to a hub or switch (in same Vlan).

Connect your PIX inside interface to the same hub/switch (same Vlan).

The route inside in PIX should point to HSRP virtual IP, not physical IP on each router interfaces. This allows PIX to 'see' only 1 IP to represent the two routers, as the routers logically exists only as single router to PIX. On the router, set the default route (or specific route) to PIX inside interface.

Internet -> router <--> outside: PIX : inside -> hub/switch <- HSRP virtual IP : routers ->

Is there any other info that might help us on your current setup?

Rgds,

AK