10-19-2006 02:19 PM - edited 03-09-2019 04:36 PM
is it always a good practice to have a route for the directly connected int or is it a must?
10-19-2006 03:56 PM
Routing depends on your network setup/connectivity.
You can have it (static or via OSPF/RIP) to ensure the remote network across another L3 device(s) that is connected to the PIX is reachable as well.
For a simple setup, like inside connected to an inside switch (flat VLAN), no route is required. The same goes for other interfaces like DMZ, except for outside, where you need to have a default or static route to your internet router.
For such a simple setup, if you issue the command 'sh route', you will see the automatic route entries built by the PIX.
But if you need to ensure communication from one segment to another, and it needs to pass through or is hosted on another L3 device (i.e. an internal router), then a route is a must.
So, whether it is a good practice or a must, it depends on your network setup.
HTH
AK
10-19-2006 05:46 PM
Say if it's between DMZ and inside... then...
10-19-2006 05:35 PM
As soon as you give an ip address and mask to an interface and do a no shut on it, a route will be created for the network address.
10-19-2006 07:56 PM
For DMZ to inside (or vice-versa), the PIX will create the route automatically. Make sure the interfaces are up. This happens without having to have address translation between the segments (but a translation or no-NAT is required later in order to allow hosts in both segments to talk to each other).
But this is for directly connected interfaces only, not including segments behind an L3 device in the DMZ or inside segment.
HTH
AK
10-20-2006 11:28 AM
OK, but why do we configure a route for all inside hosts, say like route inside
10-20-2006 04:51 PM
We don't need to do that; it is not even required. The PIX will generate it automatically.
For example, if your IP addresses look like this:
ip address outside 10.1.1.1 255.255.255.0
ip address inside 10.0.0.2 255.255.255.224
ip address DMZ 172.16.5.10 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.1.1.254 --> * default route to internet router
Then the PIX will create automatic routes for its respective interfaces:
pixfirewall(config)# sh route
outside 0.0.0.0 0.0.0.0 10.1.1.254 1 OTHER static ---> tied to the default route (see *)
inside 10.0.0.0 255.255.255.224 10.0.0.2 1 CONNECT static --> auto-generated by PIX
outside 10.1.1.0 255.255.255.0 10.1.1.1 1 CONNECT static --> auto-generated by PIX
DMZ 172.16.5.0 255.255.255.0 172.16.5.10 1 CONNECT static --> auto-generated by PIX
pixfirewall(config)#
Even if you try to add it (except the default route to the internet router), the PIX will reject it (route already exists).
HTH
AK
10-20-2006 06:03 PM
You only need that if you have another L3 device (switch/router) hosting another segment:
outside, subnet x <--> PIX <--> Inside (ip yy.yy.yy.1/24 <--> FE0/0 (ip yy.yy.yy.2/24) <-->Router <--> FE0/1 (ip zz.zz.zz.1/24)
Only then do you need to add the following in your PIX:
route inside zz.zz.zz.0 255.255.255.0 yy.yy.yy.2 1
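As an added illustration (not from the thread, and not PIX code), a short Python model of the behaviour AK describes: it derives the CONNECT routes from the interface addresses and classifies a candidate static route as redundant (already covered by a connected interface, which the PIX would reject), needed (a segment behind another L3 device), or mis-specified (gateway not on the named interface's subnet). The interface addresses are the ones posted above; the 192.168.50.0/24 segment in the usage call is constructed.

```python
import ipaddress

# Interface addresses from the thread (constructed config, not a live device)
INTERFACES = {
    "outside": "10.1.1.1/24",
    "inside": "10.0.0.2/27",      # 255.255.255.224
    "DMZ": "172.16.5.10/24",
}


def connected_routes(interfaces):
    """Return the CONNECT routes a PIX builds for each interface that is up,
    as (interface, network, mask, interface_ip, source) tuples."""
    routes = []
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        net = iface.network
        routes.append((name, str(net.network_address), str(net.netmask),
                       str(iface.ip), "CONNECT"))
    return routes


def classify_static_route(interfaces, ifname, dest, mask, gateway):
    """Classify 'route <ifname> <dest> <mask> <gateway>':
    'redundant'         - dest/mask is already a connected network
    'unknown-interface' - no such interface configured
    'bad-gateway'       - gateway is not on the named interface's subnet
    'needed'            - a remote segment reachable via another L3 device
    """
    target = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
    if any(ipaddress.ip_interface(c).network == target for c in interfaces.values()):
        return "redundant"
    if ifname not in interfaces:
        return "unknown-interface"
    if ipaddress.ip_address(gateway) not in ipaddress.ip_interface(interfaces[ifname]).network:
        return "bad-gateway"
    return "needed"


if __name__ == "__main__":
    for r in connected_routes(INTERFACES):
        print("{} {} {} {} 1 {} static".format(*r))
    # Default route: needed.  Connected inside net: redundant.  Remote segment via router: needed.
    print(classify_static_route(INTERFACES, "outside", "0.0.0.0", "0.0.0.0", "10.1.1.254"))
    print(classify_static_route(INTERFACES, "inside", "10.0.0.0", "255.255.255.224", "10.0.0.2"))
    print(classify_static_route(INTERFACES, "inside", "192.168.50.0", "255.255.255.0", "10.0.0.30"))
```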