Im not familiar with the PIX firewall, but a very good client of mine has a PIX 515e firewall which is controlled by her headquarter's IT staff. They have a 3COM (sorry, its old) router routing between two networks. On the one subnet is the PIX firewall that has two interfaces, one is for the local LAN and the other is the public which is connected to a Cisco 1720 for the Internet. The 3COM is set to forward packets to the PIX if its not in its routing table (default gateway or you could say gateway of last resort). The PIX is setup with one public IP address on the WAN side and a private IP on the LAN. The PIX is configured to do NAT for the LAN.
The IT staff cannot get the PIX to be a default gateway for the LAN; they have the servers and workstations pointing to the local LAN interface of the 3COM router as a default gateway in which the 3COM forwards the packets to the PIX and they eventually go out thru the PIX.
They state that the correct configuration is to have the servers and workstations send traffic to the 3COM router interface as their default gateway which will then forward them to he PIX if it's not local traffic; lets say Internet.
I don't believe that the PIX cannot be the default gateway. As a CCNA working on a CCNP Im positive a PIX can be setup as a default gateway, but I could be wrong. I would like to know if the PIX can be a default gateway as most other firewall and routers can and what is a possible cause and solution.
You are correct, in that a PIX can be used as a default gateway, but it is ALWAYS a good idea to have a LAN router forward all internet traffic to the PIX to handle as the PIX (as you know) is NOT a router, imagine this, if all clients are pointing to the PIX as default gateway and if the PIX falls over, then you've lost all conectivity to the outside world BUT if you have a router on the inside then if the PIX does fall over, you'll have the option of routing all traffic to a standby unit. The times when you want to use the PIX as a gateway is when you're having problems with internet traffic, i.e. point default gateway of a internal client to the inside interface of the PIX and see if you can browse the internet - troubleshooting.
Thanks for the reply. Failover is not an issue since it's two networks and there is another router (3COM, sorry again)routing those networks. Are biggest concern for making the PIX the default gateway is to use a Sonicwall on the LAN side for DHCP and Content filtering and logging. I know the PIX can handle these tasks but costs and administration warranted anohter device. Currently if we have the workstations and servers use the PIX as the default gateway the traffic won't pass and unless the PIX is the default gateway we can't configure the Sonicwall to do what we want.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...