Cisco Router Config

We have a Cisco 2620 running IOS 12.1.2.  I have a question regarding the configuration that just doesn't make sense to me.  We have a firewall that is translating between 208.xxx.yyy.zzz and 192.xxx.yyy.zzz.  It has route statements for 192.168.x.0 pointing to the firewall 192.168.1.1.  My question is: I know that the PIX can't route, which is why we need the router, but isn't the PIX routing if it's got route statements?

=============pix routing============

outside 0.0.0.0 0.0.0.0 208.(gateway) 1 OTHER static
inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
inside 192.168.2.0 255.255.255.0 192.168.1.1 1 OTHER static
inside 192.168.3.0 255.255.255.0 192.168.1.1 1 OTHER static
inside 192.168.4.0 255.255.255.0 192.168.1.1 1 OTHER static
outside 208.(network) 255.255.254.0 208.( pix external) 1 CONNECT static

===========end pix routing=============

===============begin router config===========

Using 908 out of 29688 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router
!
ip subnet-zero
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address 192.168.3.1 255.255.255.0 secondary
 ip address 192.168.4.1 255.255.255.0 secondary
 ip address 192.168.1.2 255.255.255.0
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.1.1.2 255.255.255.0
 no ip mroute-cache
!
router rip
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.4.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
!
snmp-server engineID local 00000009020000036B64C940
snmp-server community public RO
snmp-server packetsize 2048
!
line con 0
 transport input none
line aux 0
line vty 0 4
!
no scheduler allocate
end

================end router config====================
Asked by: carlosmp

1 Solution

Jharper commented:
In order for the PIX to do NAT translation between subnets it has to have the ability to route.  True, Cisco does say that it is not a router, and it is not.   It only does very basic routing to provide proper firewall services.  When looking at a small office, the reason you need a router is to provide termination for your Internet circuit. When looking at a larger office, a router gives you extra benefits like routing protocols and the ability to configure redundant circuits.  Does that answer your question?

Jharper
lrmoore commented:
Here's the thing.

A PIX does have to know routes back to an inside host. If the host is on a different subnet than its own interface, then it must forward to another router (in your case 192.168.1.1, but I don't see that IP as an interface on your 2600). Even though the PIX itself can talk to all those other subnets inside, it can't be used as the gateway for routing between subnets for hosts to talk to each other.

It appears that you have a "router-on-a-stick" with multiple subnets all on the same physical interface. This facilitates the routing between subnets, but I see some glaring issues:

Assuming the PIX inside interface is 192.168.1.1, the default route appears to point to the PIX, as it should
   ip route 0.0.0.0 0.0.0.0 192.168.1.1

However, the PIX is routing everything for those other subnets back to itself
   >inside 192.168.2.0 255.255.255.0 192.168.1.1 1 OTHER static
   >inside 192.168.3.0 255.255.255.0 192.168.1.1 1 OTHER static
   >inside 192.168.4.0 255.255.255.0 192.168.1.1 1 OTHER static

These routes on the PIX should all point to 192.168.1.2, the IP address assigned to the router interface, i.e.
   route inside 192.168.2.0 255.255.255.0 192.168.1.2
   route inside 192.168.3.0 255.255.255.0 192.168.1.2
   route inside 192.168.4.0 255.255.255.0 192.168.1.2



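The diagnosis above (static routes on the PIX whose next hop is the PIX's own inside address, so the firewall would have to forward the packet to itself) can be checked mechanically rather than by eye. The following is an added example, not code from the thread or from Cisco: a small Python script that parses a PIX `show route` listing in the column order shown in the question, derives the firewall's own interface addresses from the CONNECT entries, flags any other route whose gateway is one of those addresses, runs a longest-prefix lookup to show where a packet for 192.168.2.50 would go before and after the fix, and emits the corrected `route inside` commands in the form lrmoore gave. The sample table is constructed from the question; the 203.0.112.0/23 addresses stand in for the masked 208.x.y.z values, and treating a CONNECT entry's gateway column as that interface's own address is an assumption drawn from the posted output.

```python
"""Flag PIX static routes that point back at the firewall's own interface.

Added example, not part of the original thread.  Assumptions: 'show route'
columns are (interface, network, mask, gateway, metric, type, origin) as in
the question; a CONNECT row's gateway column is that interface's own address;
203.0.112.0/23 stands in for the masked 208.x.y.z addresses.
"""
import ipaddress
from dataclasses import dataclass, replace

# Constructed sample: the PIX routing table from the question, with the
# masked outside addresses replaced by documentation-range placeholders.
PIX_SHOW_ROUTE = """\
outside 0.0.0.0 0.0.0.0 203.0.112.1 1 OTHER static
inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
inside 192.168.2.0 255.255.255.0 192.168.1.1 1 OTHER static
inside 192.168.3.0 255.255.255.0 192.168.1.1 1 OTHER static
inside 192.168.4.0 255.255.255.0 192.168.1.1 1 OTHER static
outside 203.0.112.0 255.255.254.0 203.0.113.10 1 CONNECT static
"""

ROUTER_INSIDE_IP = "192.168.1.2"   # FastEthernet0/0 primary address on the 2620


@dataclass(frozen=True)
class Route:
    iface: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int
    kind: str     # CONNECT or OTHER
    origin: str   # static, rip, ...


def parse_show_route(text):
    """Turn each 7-column 'show route' line into a Route; skip anything else."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue
        iface, net, mask, gw, metric, kind, origin = fields
        routes.append(Route(iface,
                            ipaddress.IPv4Network(f"{net}/{mask}", strict=False),
                            ipaddress.IPv4Address(gw),
                            int(metric), kind, origin))
    return routes


def own_addresses(routes):
    """The PIX's own interface addresses, read from the CONNECT rows."""
    return {r.gateway for r in routes if r.kind == "CONNECT"}


def self_pointing_routes(routes):
    """Non-connected routes whose next hop is the PIX itself: these can never
    deliver a packet, because the firewall would be forwarding to itself."""
    mine = own_addresses(routes)
    return [r for r in routes if r.kind != "CONNECT" and r.gateway in mine]


def lookup(routes, dst):
    """Longest-prefix match over the table; returns the winning Route or None."""
    dst = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if dst in r.network]
    return max(candidates, key=lambda r: r.network.prefixlen) if candidates else None


def repoint(routes, new_gateway):
    """Copy of the table with every self-pointing route sent to new_gateway."""
    bad = set(self_pointing_routes(routes))
    gw = ipaddress.IPv4Address(new_gateway)
    return [replace(r, gateway=gw) if r in bad else r for r in routes]


def pix_commands(routes):
    """Render the non-connected routes as PIX 'route' configuration lines."""
    return [f"route {r.iface} {r.network.network_address} {r.network.netmask} {r.gateway}"
            for r in routes if r.kind != "CONNECT"]


if __name__ == "__main__":
    table = parse_show_route(PIX_SHOW_ROUTE)
    for r in self_pointing_routes(table):
        print(f"self-pointing: {r.network} via {r.gateway} on {r.iface}")
    print("before fix, 192.168.2.50 ->", lookup(table, "192.168.2.50").gateway)
    fixed = repoint(table, ROUTER_INSIDE_IP)
    print("after fix,  192.168.2.50 ->", lookup(fixed, "192.168.2.50").gateway)
    print("\n".join(pix_commands(fixed)))
```

Run it against a pasted `show route` and any route reported as self-pointing is one the firewall cannot actually use; the printed `route` lines are the replacements, with the next hop moved to the router's interface on that subnet.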
carlosmp (author) commented:
That's what I thought, but I was told by someone who helped us configure the routers that the routes should point to the PIX, since they were secondary addresses.  Previously, the only purpose of the router was to terminate our Private line that we had between the datacenter and our previous office.  Since we moved almost a year ago, the cost of the private line tripled (mileage sensitive) so it's cheaper for us to have a T1 coming in from the outside...