I have a PIX 506 for my Internet firewall and also a Cisco 1600 to connect a remote office to the corporate LAN. In order for the corporate users to see the remote LAN, I have to set their default gateway to the 1600 router. Then on the 1600 router I have static routes for the remote LAN & a default gateway to the PIX.
I tried to set it up so the PIX was the default gateway and put route statements on it so traffic destined for the remote LAN would be sent to the 1600 router, but I could not get it to work.
Am I trying to get the PIX to do something it is not capable of? It would seem to be a better solution to have the PIX as the default gateway for everything.
I had a similar issue a year ago with Checkpoint. I think this is a routing requirement. If there is a router between your host and your firewall then the default gateway must be the router. The default route in the router must be to the firewall to allow all traffic through. I would recommend turning on debug icmp trace to monitor pings through the firewall. Test ping from the hosts on each subnet, the firewall, and the router. I would also start logging buffered debugging for syslog and check for denied connections.
The problem is that you are trying to get the PIX to do routing of a packet in and out of the same interface. It can only route between interfaces. This is built into the PIX as a security rule. So you will need to make your 1600 the default router for your users to make your network work.
If I understand your configuration, you have a Cisco 1600 connected directly to your corporate network, internal to your PIX, for remote connection purposes.
Suppose it's like this. If an internal user tries to send a packet to their static default gateway (the Cisco 1600) with a destination on the external network (probably the Internet), then your Cisco 1600 will redirect the first packet correctly to the PIX and it will send an ICMP redirect to the sending host indicating that the PIX is a better route for this destination. This means the second packet and the following ones will be sent directly from the host to the PIX. Of course, your PIX must be configured for this. That's probably the reason why your internal users can't reach the Internet.
Can your remote users reach the Internet?
Hi, if you want to use the PIX acting as default router you must give a static route on the inside interface to the 1600. This config is not like the classic router (one static routing table) - you must map it to the inside interface.
I'm in the same situation, I would like to make my PIX the default gateway (act like a router) for my PCs, but have the PIX route it to another device if the destination is not to the Internet. I tried to put a:
route inside 10.30.17.0 255.0.0.0 10.30.50.1 1
but this does not seem to work.
When you get a solution, can you post it on this forum?
Thanks a lot
Thank you, those other explanations are bogus. Yes, it does SEEM like this should work but I am in your same situation. I have the exact same setup and have put the routes in the PIX with no change in the problem. When I point my internal users to the internal router going to the other network it works. I need a solution too.
If I understand correctly, you have a PIX that provides Internet access. You also have a 1600, that is your core inside router, that provides access to your remote office.
To properly setup your network so that hosts on the internal LAN can communicate with both the remote office and also have access to the Internet, you should have:
1) All hosts on your internal network having their default gateway pointed at the 1600.
2) The 1600 should have static routes to the remote office.
3) The 1600 should have its default route pointing to the inside interface of the PIX
4) The PIX should have its default route pointing to your gateway (perimeter/Internet) router.
5) The PIX should have an inside route that points to all the static routes that are in the 1600.
route outside 0.0.0.0 0.0.0.0 x.x.x.x
route inside 10.x.x.x 255.255.255.0 10.10.1.1
ip address inside 10.10.1.2
- 10.x.x.x is the subnet for the remote office
- x.x.x.x is the ethernet interface of your Internet router
- 10.10.1.1 is the ethernet ip of the 1600
- the hosts point their default gateway to 10.10.1.1
- the 1600 points its default gateway to 10.10.1.2
- the 1600 has a static route to 10.x.x.x
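As an added example (not from any poster in this thread), a small Python check that applies the constraints discussed here to PIX static routes: the network must sit on its mask boundary, and the next hop must be on the named interface's directly connected subnet. It also models the rule that the PIX will not send a packet back out the interface it arrived on, which is why PIX-as-default-gateway fails for inside-routed networks. The interface addresses and sample routes are constructed to match this post; the outside address is assumed.

```python
import ipaddress

def parse_ip_address(line):
    """Parse 'ip address <iface> <addr> <mask>' into (iface, IPv4Interface)."""
    p = line.split()
    if len(p) != 5 or p[:2] != ["ip", "address"]:
        raise ValueError(f"not a PIX ip address statement: {line!r}")
    return p[2], ipaddress.ip_interface(f"{p[3]}/{p[4]}")

def parse_route(line):
    """Parse 'route <iface> <network> <mask> <next-hop> [metric]' into a dict."""
    p = line.split()
    if len(p) < 5 or p[0] != "route":
        raise ValueError(f"not a PIX route statement: {line!r}")
    return {"iface": p[1], "network": p[2], "mask": p[3], "next_hop": ipaddress.ip_address(p[4]),
            "metric": int(p[5]) if len(p) > 5 else 1}

# Constructed sample interfaces modelled on the thread; the outside address is assumed.
IFACES = dict(parse_ip_address(l) for l in [
    "ip address inside 10.10.1.2 255.255.255.0",
    "ip address outside 192.0.2.2 255.255.255.0",
])

def check_route(route, ifaces=IFACES):
    """Return the problems described in the thread; an empty list means the route is consistent."""
    problems = []
    try:  # network must sit on its mask boundary (10.30.17.0 255.0.0.0 does not)
        ipaddress.ip_network(f"{route['network']}/{route['mask']}")
    except ValueError:
        problems.append(f"{route['network']} is not aligned to mask {route['mask']}")
    iface = ifaces.get(route["iface"])
    if iface is None:
        problems.append(f"unknown interface {route['iface']}")
    elif route["next_hop"] not in iface.network:  # next hop must be directly connected
        problems.append(f"next hop {route['next_hop']} is not on {route['iface']} "
                        f"subnet {iface.network}")
    return problems

def egress_iface(dst, routes, ifaces=IFACES):
    """Longest-prefix match over connected subnets and static routes."""
    dst = ipaddress.ip_address(dst)
    candidates = [(i.network.prefixlen, name) for name, i in ifaces.items() if dst in i.network]
    for r in routes:
        net = ipaddress.ip_network(f"{r['network']}/{r['mask']}")
        if dst in net:
            candidates.append((net.prefixlen, r["iface"]))
    return max(candidates)[1] if candidates else None

def would_hairpin(ingress, dst, routes, ifaces=IFACES):
    """True when the PIX would have to send the packet back out the interface it came in on."""
    return egress_iface(dst, routes, ifaces) == ingress
```

Run `check_route` over each `route` line of a config and `would_hairpin("inside", dst, routes)` for an inside host's destinations to see which flows the 1600 must carry instead of the PIX.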
That is the way it is set up. I was just wondering if there was a way to make the PIX the default gateway for the local users instead of the 1600. But if I understand it right, the PIX cannot route out the interface it received the packet on.
1) You don't want to make the PIX the default gateway for your hosts on your internal LAN, because as you mentioned, the PIX can't route back out the inside interface.
2) Your configuration sounds like it's correct. Now just enable:
logging buffered debugging
Then when you have a problem with the PIX not passing desired traffic, do a show log and see what the PIX tells you. If the traffic is not reaching the PIX, then go back to your core inside router.
You can have the PIX as your default gateway if you had a 3 legged PIX -- therefore, you may need to purchase another port. Inside (internal), outside (Internet), DMZ(Corp. network). This may be the easiest way to do it.
The PIX can't be a default gateway, because it talks RIP and your router talks EIGRP, so it is better to use a router (172.21.100.254) as the default gateway and then use in that router: ip route 0.0.0.0 0.0.0.0 x.x.x.x (PIX inside interface address) to redirect all traffic to the PIX!
ip address inside 172.21.100.253 255.255.255.0
route inside 22.214.171.124 255.0.0.0 172.21.100.254 2
The PIX is not a router, and therefore can NOT perform any routing functions. You can add static routes pointing to any address within the same subnet of the internal interface of the PIX. For example, if the inside interface had an IP address of 172.24.128.254 with a mask of 255.255.255.0 and you want to add a route to 172.24.224.254, it will not work. However, anything on the 172.24.128.0 subnet is free game.
I 100% agree with this, I have the same configuration working here, but I have a little add-on to this discussion.
If your 1600 Router has a serial connection to remote offices etc... you have to set "no ip redirects" on the LAN interface of this default Router.
I had problems without setting "no ip redirects" because in the case the serial line went down, the router (in this case the 1600 router) sent an ICMP redirect to the host which wanted to reach the remote office, and if the serial line came up again it wasn't able to reach the remote office though (only after a reboot did everything work again).
No problems now with "no ip redirects" enabled. :)
But this isn't a firewall problem anyway, just routing.
The issue that you are having is one of ICMP redirection. I believe that the PIX doesn't support ICMP redirect (see reference below). Given this fact there are two solutions:
1 - Install static route in all corporate clients that routes remote office network traffic to 1600 and set their default to PIX
2 - Setup as you have already done. Default to 1600 and let 1600 redirect internet traffic to PIX. The only issue with this solution is that if the 1600 is unavailable for any reason users cannot access internet.
Hope this helps