Solved

Cisco Router Config

Posted on 2004-07-30
Last Modified: 2010-03-17
We have a Cisco 2620 running IOS 12.1.2. I have a question regarding the configuration that just doesn't make sense to me. We have a firewall that is translating between 208.xxx.yyy.zzz and 192.xxx.yyy.zzz. It has route statements for 192.168.x.0 pointing to the firewall 192.168.1.1. My question is: I know that the PIX can't route, which is why we need the router, but isn't the PIX routing if it's got route statements?

=============pix routing============

outside 0.0.0.0 0.0.0.0 208.(gateway) 1 OTHER static
inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
inside 192.168.2.0 255.255.255.0 192.168.1.1 1 OTHER static
inside 192.168.3.0 255.255.255.0 192.168.1.1 1 OTHER static
inside 192.168.4.0 255.255.255.0 192.168.1.1 1 OTHER static
outside 208.(network) 255.255.254.0 208.( pix external) 1 CONNECT static

===========end pix routing=============

===============begin router config===========

Using 908 out of 29688 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router
!
ip subnet-zero
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address 192.168.3.1 255.255.255.0 secondary
 ip address 192.168.4.1 255.255.255.0 secondary
 ip address 192.168.1.2 255.255.255.0
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.1.1.2 255.255.255.0
 no ip mroute-cache
!
router rip
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.4.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
!
snmp-server engineID local 00000009020000036B64C940
snmp-server community public RO
snmp-server packetsize 2048
!
line con 0
 transport input none
line aux 0
line vty 0 4
!
no scheduler allocate
end

================end router config====================
Question by:carlosmp
3 Comments
LVL 3

Expert Comment

by:Jharper
ID: 11678959
In order for the PIX to do NAT translation between subnets it has to have the ability to route. True, Cisco does say that it is not a router, and it is not. It only does very basic routing to provide proper firewall services. When looking at a small office, the reason you need a router is to provide termination for your Internet circuit. When looking at a larger office, a router gives you extra benefits like routing protocols and the ability to configure redundant circuits. Does that answer your question?

Jharper
LVL 79

Accepted Solution

by: lrmoore earned 250 total points
ID: 11687660
Here's the thing.

A PIX does have to know routes back to an inside host. If the host is on a different subnet than its own interface, then it must forward to another router (in your case 192.168.1.1, but I don't see that IP as an interface on your 2600). Even though the PIX itself can talk to all those other subnets inside, it can't be used as the gateway for routing between subnets for hosts to talk to each other.

It appears that you have a "router-on-a-stick" with multiple subnets all on the same physical interface. This facilitates the routing between subnets, but I see some glaring issues:

Assuming the PIX inside interface is 192.168.1.1, the default route appears to point to the PIX, as it should
   ip route 0.0.0.0 0.0.0.0 192.168.1.1

However, the PIX is routing everything for those other subnets back to itself
   >inside 192.168.2.0 255.255.255.0 192.168.1.1 1 OTHER static
   >inside 192.168.3.0 255.255.255.0 192.168.1.1 1 OTHER static
   >inside 192.168.4.0 255.255.255.0 192.168.1.1 1 OTHER static

These routes on the PIX should all point to 192.168.1.2, the IP address assigned to the router interface, i.e.
   route inside 192.168.2.0 255.255.255.0 192.168.1.2
   route inside 192.168.3.0 255.255.255.0 192.168.1.2
   route inside 192.168.4.0 255.255.255.0 192.168.1.2



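To make the accepted answer concrete, here is an added example (not code from the thread or from Cisco) that models the two PIX routing tables from this question with a longest-prefix lookup and flags static routes whose next hop is the PIX's own inside address. It assumes the PIX inside interface is 192.168.1.1 and the 2620's FastEthernet0/0 primary address is 192.168.1.2, as the answer does.

```python
import ipaddress

# Added example, not code from the original thread. Tables are constructed
# from the PIX route output and 2620 config quoted in the question; the PIX
# inside address is assumed to be 192.168.1.1, the router's Fa0/0 is 192.168.1.2.
PIX_INSIDE_IP = "192.168.1.1"
ROUTER_FA0_0_IP = "192.168.1.2"

# (prefix, next hop, route type) as shown on the PIX in the question
PIX_ROUTES_AS_POSTED = [
    ("192.168.1.0/24", "192.168.1.1", "CONNECT"),
    ("192.168.2.0/24", "192.168.1.1", "OTHER"),
    ("192.168.3.0/24", "192.168.1.1", "OTHER"),
    ("192.168.4.0/24", "192.168.1.1", "OTHER"),
]
# The same table with the statics pointed at the router, as the answer suggests
PIX_ROUTES_FIXED = [(p, ROUTER_FA0_0_IP if k == "OTHER" else nh, k)
                    for p, nh, k in PIX_ROUTES_AS_POSTED]

def lookup(routes, dst):
    """Longest-prefix match; returns the matching (prefix, next_hop, kind) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, kind in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, kind)
    return None if best is None else (str(best[0]), best[1], best[2])

def self_pointing_routes(routes, own_ip):
    """Static routes whose next hop is the device's own interface address.
    Such a route matches the packet and then hands it back to the same box,
    so it never reaches the router that actually owns the subnet."""
    return [p for p, nh, kind in routes if kind != "CONNECT" and nh == own_ip]

def forwarder_for(routes, dst):
    """Who delivers an inbound packet for dst after the PIX's route lookup."""
    match = lookup(routes, dst)
    if match is None:
        return "no route"
    _, next_hop, kind = match
    if kind == "CONNECT":
        return "pix (directly connected)"
    if next_hop == PIX_INSIDE_IP:
        return "pix (loops back to itself)"
    if next_hop == ROUTER_FA0_0_IP:
        return "router"
    return "unknown next hop " + next_hop
```

Running `self_pointing_routes(PIX_ROUTES_AS_POSTED, PIX_INSIDE_IP)` lists the three 192.168.2-4.0/24 statics, while the fixed table returns an empty list and `forwarder_for(PIX_ROUTES_FIXED, "192.168.3.50")` resolves to the router.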
Author Comment

by:carlosmp
ID: 11693314
That's what I thought, but I was told by someone who helped us configure the routers that the routes should point to the PIX, since they were secondary addresses.  Previously, the only purpose of the router was to terminate our Private line that we had between the datacenter and our previous office.  Since we moved almost a year ago, the cost of the private line tripled (mileage sensitive) so it's cheaper for us to have a T1 coming in from the outside...