Cisco Router Config

Posted on 2004-07-30
Last Modified: 2010-03-17
We have a Cisco 2620 running IOS 12.1.2. I have a question regarding the configuration that just doesn't make sense to me. We have a firewall that is translating between 208.xxx.yyy.zzz and 192.xxx.yyy.zzz. It has route statements for 192.168.x.0 pointing to the firewall 192.168.1.1. My question is: I know that the PIX can't route, which is why we need the router, but isn't the PIX routing if it's got route statements?

=============pix routing============

outside 0.0.0.0 0.0.0.0 208.(gateway) 1 OTHER static
inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
inside 192.168.2.0 255.255.255.0 192.168.1.1 1 OTHER static
inside 192.168.3.0 255.255.255.0 192.168.1.1 1 OTHER static
inside 192.168.4.0 255.255.255.0 192.168.1.1 1 OTHER static
outside 208.(network) 255.255.254.0 208.( pix external) 1 CONNECT static

===========end pix routing=============

===============begin router config===========

Using 908 out of 29688 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router
!
ip subnet-zero
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address 192.168.3.1 255.255.255.0 secondary
 ip address 192.168.4.1 255.255.255.0 secondary
 ip address 192.168.1.2 255.255.255.0
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.1.1.2 255.255.255.0
 no ip mroute-cache
!
router rip
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.4.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
!
snmp-server engineID local 00000009020000036B64C940
snmp-server community public RO
snmp-server packetsize 2048
!
line con 0
 transport input none
line aux 0
line vty 0 4
!
no scheduler allocate
end

================end router config====================
Question by:carlosmp
Expert Comment

by:Jharper
ID: 11678959
In order for the PIX to do NAT translation between subnets it has to have the ability to route. True, Cisco does say that it is not a router, and it is not. It only does very basic routing to provide proper firewall services. When looking at a small office, the reason you need a router is to provide termination for your Internet circuit. When looking at a larger office, a router gives you extra benefits like routing protocols and the ability to configure redundant circuits. Does that answer your question?

Jharper
Accepted Solution

by: lrmoore (earned 250 total points)
ID: 11687660
Here's the thing.

A PIX does have to know routes back to an inside host. If the host is on a different subnet than its own interface, then it must forward to another router (in your case 192.168.1.1, but I don't see that ip as an interface on your 2600). Even though the PIX itself can talk to all those other subnets inside, it can't be used as the gateway for routing between subnets for hosts to talk to each other.

It appears that you have a "router-on-a-stick" with multiple subnets all on the same physical interface. This facilitates the routing between subnets, but I see some glaring issues:

Assuming the PIX inside interface is 192.168.1.1, the default route appears to point to the PIX, as it should:
   ip route 0.0.0.0 0.0.0.0 192.168.1.1

However, the PIX is routing everything for those other subnets back to itself:
   >inside 192.168.2.0 255.255.255.0 192.168.1.1 1 OTHER static
   >inside 192.168.3.0 255.255.255.0 192.168.1.1 1 OTHER static
   >inside 192.168.4.0 255.255.255.0 192.168.1.1 1 OTHER static

These routes on the PIX should all point to 192.168.1.2, the IP address assigned to the router interface, i.e.
   route inside 192.168.2.0 255.255.255.0 192.168.1.2
   route inside 192.168.3.0 255.255.255.0 192.168.1.2
   route inside 192.168.4.0 255.255.255.0 192.168.1.2
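The misconfiguration lrmoore describes is easy to check mechanically: a non-connected static route on the PIX whose next hop is the PIX's own inside interface sends traffic back to the PIX instead of to the 2620. The script below is an added example, not code from the thread or from Cisco; it parses the PIX route lines and the router's `ip address` lines as posted, assumes (as lrmoore does) that the PIX inside interface is 192.168.1.1, flags each self-pointing route, and prints the corrected `route inside` command using the router address that shares the PIX's subnet.

```python
"""Audit PIX static routes against the router's interface addresses.

Added example (not part of the original thread). It models the situation
in the accepted answer: 'inside' routes whose next hop is the PIX's own
interface rather than the 2620's 192.168.1.2. Sample inputs below are
constructed from the posted config; the 208.x outside lines are omitted
because their placeholders are not parseable.
"""
import ipaddress
import re

# Constructed sample: the PIX inside routing lines as posted in the question.
PIX_ROUTES = """\
inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
inside 192.168.2.0 255.255.255.0 192.168.1.1 1 OTHER static
inside 192.168.3.0 255.255.255.0 192.168.1.1 1 OTHER static
inside 192.168.4.0 255.255.255.0 192.168.1.1 1 OTHER static
"""

# Constructed sample: the 2620's FastEthernet0/0 stanza from the posted config.
ROUTER_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address 192.168.3.1 255.255.255.0 secondary
 ip address 192.168.4.1 255.255.255.0 secondary
 ip address 192.168.1.2 255.255.255.0
"""

# Assumption carried over from the accepted answer: PIX inside interface IP.
PIX_INSIDE_IP = ipaddress.ip_address("192.168.1.1")

# iface, network, mask, next hop, metric, CONNECT|OTHER, "static"
ROUTE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(CONNECT|OTHER)\s+static$"
)


def parse_pix_routes(text):
    """Parse PIX route table lines into dicts; unknown lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        iface, net, mask, nexthop, _metric, kind = m.groups()
        routes.append({
            "iface": iface,
            "network": ipaddress.ip_network(f"{net}/{mask}"),
            "nexthop": ipaddress.ip_address(nexthop),
            "kind": kind,
        })
    return routes


def parse_router_addresses(text):
    """Return an ip_interface for every 'ip address A M [secondary]' line."""
    addrs = []
    for line in text.splitlines():
        m = re.match(r"^\s*ip address (\S+) (\S+)", line)
        if m:
            addrs.append(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}"))
    return addrs


def audit_routes(routes, router_addrs, pix_ip):
    """Return (destination, bad_nexthop, corrected_command) per self-pointing route.

    A route is self-pointing when it is not directly connected and its next
    hop is the PIX's own interface. The fix is the router address that sits
    on the same subnet as that PIX interface (here 192.168.1.2), provided the
    router actually owns the destination subnet.
    """
    findings = []
    for r in routes:
        if r["kind"] == "CONNECT" or r["nexthop"] != pix_ip:
            continue
        gateways = [a.ip for a in router_addrs if pix_ip in a.network]
        owns_dest = any(a.ip in r["network"] for a in router_addrs)
        if not gateways or not owns_dest:
            continue  # no router address that can legitimately carry this subnet
        net = r["network"]
        fixed = f"route {r['iface']} {net.network_address} {net.netmask} {gateways[0]}"
        findings.append((str(net), str(r["nexthop"]), fixed))
    return findings


def run_audit():
    """Convenience wrapper over the constructed samples."""
    return audit_routes(parse_pix_routes(PIX_ROUTES),
                        parse_router_addresses(ROUTER_CONFIG),
                        PIX_INSIDE_IP)


if __name__ == "__main__":
    for dest, bad, fixed in run_audit():
        print(f"{dest}: next hop {bad} is the PIX itself -> {fixed}")
```

On the posted data this reports the three 192.168.2.0 to 192.168.4.0 routes and emits exactly the three corrected `route inside ... 192.168.1.2` lines from the accepted answer; the directly connected 192.168.1.0 entry is left alone.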
Author Comment

by:carlosmp
ID: 11693314
That's what I thought, but I was told by someone who helped us configure the routers that the routes should point to the PIX, since they were secondary addresses.  Previously, the only purpose of the router was to terminate our Private line that we had between the datacenter and our previous office.  Since we moved almost a year ago, the cost of the private line tripled (mileage sensitive) so it's cheaper for us to have a T1 coming in from the outside...