PIXes (and most firewalls except Checkpoint and NetScreen, I think) will
NOT send ICMP redirects.  Newer versions of the PIX OS might let you
configure it, I am not sure.  I haven't played with the newer versions
lately.  Your options are: have the hosts' default gateway point at a real
router and put a default static route in the router pointing at the PIX.
Or, put in network routes via a login script on all the hosts (ugly solution
if you ask me).

Firewalls are not routers, even though they do some router functions.

Tony M.
#6172

----- Original Message -----
From: trammer 
To: 
Sent: Tuesday, July 10, 2001 9:26 PM
Subject: Pix not routing for Frame Spokes [7:11860]


> Don't let the subject mislead you in my intention, but here is my situation
> if anyone would like to take a look.
>
> I've got multiple locations connected via frame coming into a 2610 @
> 10.1.1.5:
>
> 10.2.0.0
> 10.3.0.0
> 10.4.0.0
> 10.5.0.0
> 10.6.0.0
> 10.7.0.0
>
> The 2610's default route is to 10.1.1.1, which is obviously on the 10.1.0.0
> segment in the HQ through a PIX to the internet.  The clients at HQ, whose
> gateway is 10.1.1.1, need to occasionally access the spokes, so I added static
> routes in the PIX for each of the spokes.  I am a firm believer in Cisco's
> products being specific task-oriented devices (i.e. PIX > firewall, 3015 >
> VPN) and not to be used for anything different.  I know the PIX is not
> designed to be a router, but in this case I need to get some input from others
> as to why the PIX is not bouncing requests for the spokes out the 2610 like
> a quote unquote "regular router" would.
>
> What happens is the PIX can ping, say for example, 10.1.1.17, which is a
> Domain Controller in that site.  But if I ping from a client or the DC in HQ,
> no luck.  This is with the gateway of 10.1.1.1 assigned to the DC and/or
> client.  Also, when I do a show ip route I see only the outside and the
> inside IP addresses.
>
> Here is the config minus the public IPs and security info.  The only NAT
> pool is through a PAT, and an access list is applied on the outside interface
> to filter inbound traffic.  Maybe I had a brainfart on something;
> suggestions are appreciated:
>
>
> 0300-PIX-01# sh conf
> : Saved
> :
> PIX Version 6.0(1)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> <>
> hostname 0300-PIX-01
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
> access-list 100 <>
> pager lines 24
> logging on
> interface ethernet0 auto
> interface ethernet1 auto
> mtu outside 1500
> mtu inside 1500
> ip address outside <>
> ip address inside 10.1.1.1 255.255.0.0
> ip audit info action alarm
> ip audit attack action alarm
> pdm history enable
> arp timeout 14400
> global (outside) 1 <>
> nat (inside) 1 10.0.0.0 0.0.0.0 0 0
> static (inside,outside) tcp <> <>
> static (inside,outside) tcp <> <>
> <>
> <>
> access-group 100 in interface outside
>
> route outside 0.0.0.0 0.0.0.0 <> 1
>
> route inside 10.2.0.0 255.255.0.0 10.1.1.5 1
> route inside 10.3.0.0 255.255.0.0 10.1.1.5 1
> route inside 10.4.0.0 255.255.0.0 10.1.1.5 1
> route inside 10.5.0.0 255.255.0.0 10.1.1.5 1
> route inside 10.6.0.0 255.255.0.0 10.1.1.5 1
> route inside 10.7.0.0 255.255.0.0 10.1.1.5 1
>
>
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> no sysopt route dnat
> telnet 0.0.0.0 0.0.0.0 inside
> telnet timeout 5
> ssh timeout 5
> terminal width 80
> <>
> 0300-PIX-01#
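As an added illustration of Tony's answer (this is example code, not from either poster), the following Python simulation forwards a packet hop by hop through the topology described in the thread: the PIX inside address 10.1.1.1/16 with its per-spoke static routes via 10.1.1.5, the 2610 at 10.1.1.5 with a default route back to the PIX, and an HQ client. It encodes one modelling assumption that matches the symptom in the thread (the PIX itself can reach the spoke, a client using 10.1.1.1 as its gateway cannot): a firewall node will not forward a packet back out the interface it arrived on and sends no ICMP redirect, whereas a router node forwards it anyway. The client address 10.1.1.50, the spoke DC 10.2.1.17, the 2610's serial address 10.2.0.1, the public ranges 192.0.2.0/24 and 198.51.100.0/24, and modelling only the 10.2.0.0/16 spoke as directly connected are all constructed for the example. It runs the broken setup, Tony's first option (client gateway = 2610, router default route = PIX) and his second (per-spoke host routes pushed by a login script).

```python
"""Hop-by-hop path simulation for the PIX / 2610 hub-and-spoke thread.
Added example; all addresses other than 10.1.1.1 and 10.1.1.5 are constructed."""
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address
Iface = ipaddress.IPv4Interface
Net = ipaddress.IPv4Network


@dataclass
class Node:
    name: str
    kind: str                    # "host", "router" or "firewall"
    interfaces: dict             # ifname -> IPv4Interface
    routes: list = field(default_factory=list)   # [(Net, next-hop IPv4 or None, ifname)]

    def lookup(self, dst):
        """Longest-prefix match over connected networks plus static routes."""
        connected = [(i.network, None, n) for n, i in self.interfaces.items()]
        best = None
        for net, nxt, ifname in connected + self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nxt, ifname)
        return best

    def owns(self, addr):
        return any(i.ip == addr for i in self.interfaces.values())


def trace(nodes, src, dst, max_hops=8):
    """Forward a packet from node `src` to IP `dst`; return (delivered, hops)."""
    dst_ip = IPv4(dst)
    by_addr = {i.ip: n for n in nodes for i in n.interfaces.values()}
    node = next(n for n in nodes if n.name == src)
    ingress, hops = None, [node.name]
    for _ in range(max_hops):
        if node.owns(dst_ip):
            return True, hops
        match = node.lookup(dst_ip)
        if match is None:
            return False, hops + ["drop: no route"]
        _, next_hop, egress = match
        if egress == ingress and node.kind == "firewall":
            # Modelling assumption matching the thread: the PIX neither hairpins the
            # packet back out the interface it arrived on nor sends an ICMP redirect.
            return False, hops + [f"drop: {node.name} will not forward back out {egress}"]
        if egress == ingress and node.kind == "router":
            hops.append(f"{node.name} forwards anyway (and would send an ICMP redirect)")
        gateway = next_hop if next_hop is not None else dst_ip
        node = by_addr.get(gateway)
        if node is None:
            return False, hops + [f"drop: next hop {gateway} unreachable"]
        # the ingress interface on the next node is the one that owns the gateway address
        ingress = next(n for n, i in node.interfaces.items() if i.ip == gateway)
        hops.append(node.name)
    return False, hops + ["drop: hop limit"]


def build(hq_gateway, hq_extra_routes=()):
    """Topology from the thread; only the 10.2.0.0/16 spoke is attached to the 2610."""
    spokes = [Net(f"10.{i}.0.0/16") for i in range(2, 8)]
    pix = Node("pix", "firewall",
               {"outside": Iface("192.0.2.2/24"), "inside": Iface("10.1.1.1/16")},
               [(Net("0.0.0.0/0"), IPv4("192.0.2.1"), "outside")]
               + [(s, IPv4("10.1.1.5"), "inside") for s in spokes])   # the poster's static routes
    r2610 = Node("2610", "router",
                 {"eth0": Iface("10.1.1.5/16"), "serial0": Iface("10.2.0.1/16")},
                 [(Net("0.0.0.0/0"), IPv4("10.1.1.1"), "eth0")])
    hq = Node("hq-client", "host", {"eth0": Iface("10.1.1.50/16")},
              [(Net("0.0.0.0/0"), IPv4(hq_gateway), "eth0")]
              + [(Net(n), IPv4(g), "eth0") for n, g in hq_extra_routes])
    spoke_dc = Node("spoke-dc", "host", {"eth0": Iface("10.2.1.17/16")},
                    [(Net("0.0.0.0/0"), IPv4("10.2.0.1"), "eth0")])
    isp = Node("isp", "router", {"e0": Iface("192.0.2.1/24"), "e1": Iface("198.51.100.1/24")})
    web = Node("web", "host", {"e0": Iface("198.51.100.9/24")},
               [(Net("0.0.0.0/0"), IPv4("198.51.100.1"), "e0")])
    return [pix, r2610, hq, spoke_dc, isp, web]


def scenarios():
    """The setup from the thread and Tony's two fixes; returns name -> (delivered, hops)."""
    results = {}
    broken = build("10.1.1.1")                           # clients point at the PIX
    results["pix-itself-to-spoke"] = trace(broken, "pix", "10.2.1.17")
    results["client-via-pix-to-spoke"] = trace(broken, "hq-client", "10.2.1.17")
    fixed = build("10.1.1.5")                            # option 1: gateway = real router
    results["client-via-2610-to-spoke"] = trace(fixed, "hq-client", "10.2.1.17")
    results["client-via-2610-to-internet"] = trace(fixed, "hq-client", "198.51.100.9")
    scripted = build("10.1.1.1", [(f"10.{i}.0.0/16", "10.1.1.5") for i in range(2, 8)])  # option 2
    results["client-with-host-routes"] = trace(scripted, "hq-client", "10.2.1.17")
    return results


if __name__ == "__main__":
    for name, (ok, hops) in scenarios().items():
        print(f"{name:32} {'ok  ' if ok else 'FAIL'} {' -> '.join(hops)}")
```

Running it prints one line per scenario; the broken case stops at the PIX, the PIX's own ping reaches the spoke, and both of Tony's options deliver the packet. The Internet trace under option 1 also shows the 2610 forwarding a packet back out the interface it arrived on, which is exactly the router behaviour the PIX does not provide.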
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=11887&t=11860
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
