Bob,
PIX won't do ICMP redirects.  Either put the router between the user subnet
and the firewall or change DHCP to use the router as the DG and put a
default static on the router pointing at the PIX.  The router will ICMP
redirect the hosts to the firewall.  The other option is putting routes on
all the hosts (Ugly).

Personally, I hate using redirects.  Inefficient.  If your 2600 has two
ethernets, I would put it in series with the PIX.  One happy gateway for
all!!  Of course, this will require a lot more reconfiguration.

Tony M.
#6172

----- Original Message -----
From: "Bob Nawrocki" 
To: 
Sent: Saturday, August 25, 2001 9:29 AM
Subject: Pix Route issue [7:17242]


> We have a Pix firewall that is serving as a default gateway to the Internet
> as well as providing ipsec tunnel connectivity to several remote offices for
> several hosts on a subnet. On the same subnet we have a 2600 providing a
> point to point wan link.  I added a route to the Pix on the inside interface
> to point to the 2600 for the wan route.  I am still not able to connect to
> that subnet unless I add a specific route on the hosts.  When running debug
> logging on the Pix I get the following output:
>
> 106011: Deny inbound (No xlate) icmp src inside:10.111.1.55 dst
> inside:10.112.3.3 (type 8, code 0)
>
> Any thoughts?
>
> Bob Nawrocki
> CCNP CCDP
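
Added example, not part of either post: a small Python filter that pulls 106011 denies whose source and destination are on the same interface (the pattern in the log line quoted above) and lists which hosts are still sending traffic for each such destination to the PIX. The regex is modelled on that single quoted line; the optional `/port` suffix and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Regex modelled on the one 106011 line quoted in the thread. The optional
# "/port" suffix (for TCP/UDP entries) is an assumption, not from the page.
DENY_RE = re.compile(
    r"106011: Deny inbound \(No xlate\) (?P<proto>\S+) "
    r"src (?P<sif>[^:\s]+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dif>[^:\s]+):(?P<dst>[\d.]+)(?:/\d+)?"
)


def same_interface_denies(lines):
    """Map each denied destination to the sorted list of hosts that sent it
    traffic through the firewall while both ends sit on the same interface."""
    hits = defaultdict(set)
    for line in lines:
        # Collapse whitespace so entries wrapped by a mail or syslog relay
        # (as in the thread) still match.
        m = DENY_RE.search(" ".join(line.split()))
        if m and m["sif"] == m["dif"]:
            hits[m["dst"]].add(m["src"])
    return {dst: sorted(srcs) for dst, srcs in hits.items()}


# Sample input. The first entry is the line from the thread, wrapped as it
# appears there; the other three are constructed for this example.
SAMPLE = [
    "106011: Deny inbound (No xlate) icmp src inside:10.111.1.55 dst\n"
    "inside:10.112.3.3 (type 8, code 0)",
    "106011: Deny inbound (No xlate) tcp src inside:10.111.1.60/1042 "
    "dst inside:10.112.3.3/23",
    "106011: Deny inbound (No xlate) udp src outside:192.0.2.9/53 "
    "dst inside:10.111.1.55/1030",
    "constructed unrelated log line",
]

if __name__ == "__main__":
    for dst, sources in same_interface_denies(SAMPLE).items():
        print(f"{dst}: hosts still using the firewall as next hop: {sources}")
```

Hosts that stop appearing in this output after the gateway or route change are the ones that picked up the new path.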




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17250&t=17242