Not only that, but the PIX doesn't return traffic out the same interface it
received it on.
 -----Original Message-----
From:   Tony Medeiros [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, July 11, 2001 1:33 AM
To:     [EMAIL PROTECTED]
Subject:        Re: Pix not routing for Frame Spokes [7:11860]

PIXes (and most firewalls except Checkpoint and NetScreen, I think) will
NOT send ICMP redirects.  Newer versions of the PIX OS might let you
configure it; I am not sure.  I haven't played with the newer versions
lately.  Your options are to have the hosts' default gateway point at a real
router and put a default static route in the router pointing at the PIX,
or to put in network routes via a login script on all the hosts (ugly solution
if you ask me).

Firewalls are not routers, even though they do some router functions.

Tony M.
#6172

----- Original Message -----
From: trammer 
To: 
Sent: Tuesday, July 10, 2001 9:26 PM
Subject: Pix not routing for Frame Spokes [7:11860]


> Don't let the subject mislead you in my intention, but here is my situation
> if anyone would like to take a look.
>
> I've got multiple locations connected via frame coming into a 2610 @
> 10.1.1.5:
>
> 10.2.0.0
> 10.3.0.0
> 10.4.0.0
> 10.5.0.0
> 10.6.0.0
> 10.7.0.0
>
> The 2610's default route is to 10.1.1.1, which is obviously on the 10.1.0.0
> segment in the HQ, through a PIX to the Internet.  The clients at HQ, whose
> gateway is 10.1.1.1, need to occasionally access the spokes, so I added
> static routes in the PIX for each of the spokes.  I am a firm believer in
> Cisco's products being specific task-oriented devices (i.e. PIX > firewall,
> 3015 > VPN) and not to be used for anything different.  I know the PIX is not
> designed to be a router, but in this case I need to get some input from
> others as to why the PIX is not bouncing requests for the spokes out the
> 2610 like a quote unquote "regular router" would.
>
> What happens is the PIX can ping to, say for example, 10.1.1.17, which is a
> Domain Controller in that site.  But if I ping from a client or the DC in
> HQ, no luck.  This is with the gateway of 10.1.1.1 assigned to the DC and/or
> client.  Also, when I do a show ip route I see only the outside and the
> inside IP addresses.
>
> Here is the config minus the public IPs and security info.  The only NAT
> pool is through a PAT, and an access list is applied on the outside
> interface to filter inbound traffic.  Maybe I had a brainfart on something;
> suggestions are appreciated:
>
>
> 0300-PIX-01# sh conf
> : Saved
> :
> PIX Version 6.0(1)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> <>
> hostname 0300-PIX-01
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
> access-list 100 <>
> pager lines 24
> logging on
> interface ethernet0 auto
> interface ethernet1 auto
> mtu outside 1500
> mtu inside 1500
> ip address outside <>
> ip address inside 10.1.1.1 255.255.0.0
> ip audit info action alarm
> ip audit attack action alarm
> pdm history enable
> arp timeout 14400
> global (outside) 1 <>
> nat (inside) 1 10.0.0.0 0.0.0.0 0 0
> static (inside,outside) tcp <> <>
> static (inside,outside) tcp <> <>
> <>
> <>
> access-group 100 in interface outside
>
> route outside 0.0.0.0 0.0.0.0 <> 1
>
> route inside 10.2.0.0 255.255.0.0 10.1.1.5 1
> route inside 10.3.0.0 255.255.0.0 10.1.1.5 1
> route inside 10.4.0.0 255.255.0.0 10.1.1.5 1
> route inside 10.5.0.0 255.255.0.0 10.1.1.5 1
> route inside 10.6.0.0 255.255.0.0 10.1.1.5 1
> route inside 10.7.0.0 255.255.0.0 10.1.1.5 1
>
>
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> no sysopt route dnat
> telnet 0.0.0.0 0.0.0.0 inside
> telnet timeout 5
> ssh timeout 5
> terminal width 80
> <>
> 0300-PIX-01#
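
The forwarding behaviour the two replies describe, as an added example that is not part of the thread: a small Python model of the poster's topology (PIX inside interface 10.1.1.1, the 2610 at 10.1.1.5, spokes 10.2.0.0/16 through 10.7.0.0/16, DC 10.1.1.17) with two device types, a firewall that refuses to send a packet back out the interface it arrived on, and a router that forwards it and emits an ICMP redirect. The public side is elided in the post, so the outside network 203.0.113.0/24, the upstream next hop 203.0.113.1 and the Internet test host 198.51.100.7 are constructed here. The `trace()` function walks a packet from an HQ host through whichever default gateway it is given, so the broken setup (gateway = PIX, with the spoke routes on the PIX) and the fix Tony suggests (gateway = 2610, with the 2610's default route pointing at the PIX) can be compared side by side.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the thread's topology. The HQ-side addresses are the
# ones in the post; the public side is elided there, so the outside network,
# the upstream next hop and the Internet test host are invented for this example.
IPv4 = ipaddress.IPv4Network
HQ = IPv4("10.1.0.0/16")
SPOKES = {f"s0.{i}": IPv4(f"10.{i}.0.0/16") for i in range(2, 8)}  # 10.2/16 .. 10.7/16 behind the 2610
OUTSIDE = IPv4("203.0.113.0/24")                                    # constructed
UPSTREAM = "203.0.113.1"                                            # constructed
INTERNET_HOST = "198.51.100.7"                                      # constructed


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str          # next-hop IP, or "connected"
    iface: str


@dataclass
class Device:
    name: str
    hairpin: bool          # router: may forward back out the ingress interface; PIX 6.x: may not
    connected: dict = field(default_factory=dict)   # iface -> directly connected network
    routes: list = field(default_factory=list)

    def ingress_iface(self, src):
        addr = ipaddress.ip_address(src)
        return next((i for i, net in self.connected.items() if addr in net), None)

    def route_for(self, dst):
        """Connected networks win; otherwise longest-prefix match over static routes."""
        addr = ipaddress.ip_address(dst)
        for iface, net in self.connected.items():
            if addr in net:
                return Route(net, "connected", iface)
        best = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def forward(self, src, dst):
        """Decision for a transit packet (one that arrived on an interface)."""
        route = self.route_for(dst)
        if route is None:
            return "drop: no route", None
        if route.iface == self.ingress_iface(src):
            # Egress == ingress: a router forwards and tells the host about the
            # better gateway with a redirect; the PIX has no such path and drops.
            if not self.hairpin:
                return "drop: same interface", route
            return "forward + ICMP redirect", route
        return "forward", route

    def originate(self, dst):
        """Locally generated packet (e.g. ping from the box itself): no ingress check."""
        route = self.route_for(dst)
        return ("send", route) if route else ("drop: no route", None)


pix = Device("PIX", hairpin=False,
             connected={"inside": HQ, "outside": OUTSIDE},
             routes=[Route(IPv4("0.0.0.0/0"), UPSTREAM, "outside")]              # route outside 0.0.0.0 0.0.0.0 <> 1
                    + [Route(n, "10.1.1.5", "inside") for n in SPOKES.values()])  # route inside 10.x.0.0 ... 10.1.1.5 1

r2610 = Device("2610", hairpin=True,
               connected={"e0": HQ, **SPOKES},
               routes=[Route(IPv4("0.0.0.0/0"), "10.1.1.1", "e0")])            # default route to the PIX

DEVICES = {"10.1.1.1": pix, "10.1.1.5": r2610}


def trace(src, dst, gateway, max_hops=4):
    """Walk a packet from an HQ host via its default gateway; return (device, decision) pairs."""
    hops, dev = [], DEVICES[gateway]
    for _ in range(max_hops):
        action, route = dev.forward(src, dst)
        hops.append((dev.name, action))
        if not action.startswith("forward"):
            return hops
        if route.next_hop == "connected":
            hops.append(("delivered", dst))
            return hops
        if route.next_hop not in DEVICES:           # leaves the modelled network (upstream ISP)
            hops.append(("handed to", route.next_hop))
            return hops
        dev = DEVICES[route.next_hop]
    hops.append(("drop: hop limit", None))
    return hops


if __name__ == "__main__":
    dc = "10.1.1.17"
    print("gateway = PIX,  DC -> spoke:   ", trace(dc, "10.2.0.10", "10.1.1.1"))
    print("gateway = 2610, DC -> spoke:   ", trace(dc, "10.2.0.10", "10.1.1.5"))
    print("gateway = 2610, DC -> Internet:", trace(dc, INTERNET_HOST, "10.1.1.5"))
    print("PIX itself -> spoke:           ", pix.originate("10.2.0.10")[0])
```

With the PIX as gateway the first trace ends at the PIX with "drop: same interface", which is what the poster sees; with the 2610 as gateway the spoke traffic is delivered directly and Internet-bound traffic is forwarded to the PIX (the router also sends the host a redirect, which the PIX would never do). `originate()` shows why the PIX itself can still ping across its own static routes: the ingress-interface check only applies to transit packets. The `hairpin=False` flag models PIX 6.x; later PIX/ASA software added a `same-security-traffic permit intra-interface` knob for this, which is the configurable behaviour Tony was unsure about. Separately from the routing question, two lines in the posted config are worth hardening while you are in there: `snmp-server community public` exposes SNMP reads with the default community, and `telnet 0.0.0.0 0.0.0.0 inside` permits cleartext management from any inside address.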
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=11969&t=11860
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html