Solved

Cisco Router Config

Posted on 2004-07-30
Medium Priority
748 Views
Last Modified: 2010-03-17
We have a Cisco 2620 running IOS 12.1.2. I have a question regarding the configuration that just doesn't make sense to me. We have a firewall that is translating between 208.xxx.yyy.zzz and 192.xxx.yyy.zzz. It has route statements for 192.168.x.0 pointing to the firewall 192.168.1.1. My question is: I know that the PIX can't route, which is why we need the router, but isn't the PIX routing if it has route statements?

=============pix routing============

outside 0.0.0.0 0.0.0.0 208.(gateway) 1 OTHER static
inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
inside 192.168.2.0 255.255.255.0 192.168.1.1 1 OTHER static
inside 192.168.3.0 255.255.255.0 192.168.1.1 1 OTHER static
inside 192.168.4.0 255.255.255.0 192.168.1.1 1 OTHER static
outside 208.(network) 255.255.254.0 208.( pix external) 1 CONNECT static

===========end pix routing=============

===============begin router config===========

Using 908 out of 29688 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router
!
ip subnet-zero
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address 192.168.3.1 255.255.255.0 secondary
 ip address 192.168.4.1 255.255.255.0 secondary
 ip address 192.168.1.2 255.255.255.0
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.1.1.2 255.255.255.0
 no ip mroute-cache
!
router rip
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.4.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
!
snmp-server engineID local 00000009020000036B64C940
snmp-server community public RO
snmp-server packetsize 2048
!
line con 0
 transport input none
line aux 0
line vty 0 4
!
no scheduler allocate
end

================end router config====================
Question by:carlosmp
3 Comments
 
LVL 3

Expert Comment

by:Jharper
ID: 11678959
In order for the PIX to do NAT translation between subnets it has to have the ability to route. True, Cisco does say that it is not a router, and it is not. It only does very basic routing to provide proper firewall services. When looking at a small office, the reason you need a router is to provide termination for your Internet circuit. When looking at a larger office, a router gives you extra benefits like routing protocols and the ability to configure redundant circuits. Does that answer your question?

Jharper
 
LVL 79

Accepted Solution

by:
lrmoore earned 1000 total points
ID: 11687660
Here's the thing.

A PIX does have to know routes back to an inside host. If the host is on a different subnet than its own interface, then it must forward to another router (in your case 192.168.1.1, but I don't see that ip as an interface on your 2600). Even though the PIX itself can talk to all those other subnets inside, it can't be used as the gateway for routing between subnets for hosts to talk to each other.

It appears that you have a "router-on-a-stick" with multiple subnets all on the same physical interface. This facilitates the routing between subnets, but I see some glaring issues:

Assuming the PIX inside interface is 192.168.1.1, the default route appears to point to the PIX, as it should
   ip route 0.0.0.0 0.0.0.0 192.168.1.1

However, the PIX is routing everything for those other subnets back to itself
   >inside 192.168.2.0 255.255.255.0 192.168.1.1 1 OTHER static
   >inside 192.168.3.0 255.255.255.0 192.168.1.1 1 OTHER static
   >inside 192.168.4.0 255.255.255.0 192.168.1.1 1 OTHER static

These routes on the PIX should all point to 192.168.1.2, the IP address assigned to the router interface, i.e.
   route inside 192.168.2.0 255.255.255.0 192.168.1.2
   route inside 192.168.3.0 255.255.255.0 192.168.1.2
   route inside 192.168.4.0 255.255.255.0 192.168.1.2



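To make the accepted answer's point concrete, here is an added example that is not part of the original thread and not Cisco code: a small Python model of the two routing tables, using longest-prefix match and tracing an inbound packet hop by hop. It assumes, as lrmoore does, that the PIX inside interface is 192.168.1.1 and the router interface is 192.168.1.2 (both quoted in the thread); the `lookup`, `pix_table` and `trace` names and the `CONNECT` marker are my own, and the model treats a route whose next hop is the device's own address as unforwardable rather than reproducing any particular PIX behaviour.

```python
import ipaddress

# Addresses taken from the thread; the PIX's own inside address is assumed
# to be 192.168.1.1, as in the accepted answer.
PIX_INSIDE = "192.168.1.1"
ROUTER_INSIDE = "192.168.1.2"


def lookup(table, dst):
    """Longest-prefix match over [(prefix, next_hop), ...].
    Returns (network, next_hop) or None when nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


# The 2620's FastEthernet0/0 carries 192.168.1.0/24 plus three secondary
# subnets, so all four are directly connected ("CONNECT" = deliver locally).
# Its default route points at the PIX, which the answer says is correct.
ROUTER_TABLE = [
    ("192.168.1.0/24", "CONNECT"),
    ("192.168.2.0/24", "CONNECT"),
    ("192.168.3.0/24", "CONNECT"),
    ("192.168.4.0/24", "CONNECT"),
    ("0.0.0.0/0", PIX_INSIDE),
]


def pix_table(next_hop):
    """PIX inside routes for the three other subnets, parameterised on the
    next hop: the posted config uses 192.168.1.1 (the PIX itself), the fix
    uses 192.168.1.2 (the router)."""
    return [
        ("192.168.1.0/24", "CONNECT"),
        ("192.168.2.0/24", next_hop),
        ("192.168.3.0/24", next_hop),
        ("192.168.4.0/24", next_hop),
    ]


def trace(pix_next_hop, dst, max_hops=5):
    """Forward a packet that has just arrived at the PIX from outside.
    Returns the devices visited, ending in DELIVERED, LOOP or NO_ROUTE."""
    tables = {PIX_INSIDE: pix_table(pix_next_hop), ROUTER_INSIDE: ROUTER_TABLE}
    here = PIX_INSIDE
    path = []
    for _ in range(max_hops):
        path.append(here)
        match = lookup(tables[here], dst)
        if match is None:
            path.append("NO_ROUTE")
            return path
        _, next_hop = match
        if next_hop == "CONNECT":
            path.append("DELIVERED")
            return path
        if next_hop == here:
            # Route points at this device's own interface: there is no
            # other hop to hand the packet to, so it cannot be forwarded.
            path.append("LOOP")
            return path
        here = next_hop
    path.append("LOOP")
    return path


if __name__ == "__main__":
    # Posted config: PIX routes 192.168.2.0/24 to its own address.
    print("as posted:", trace("192.168.1.1", "192.168.2.10"))
    # lrmoore's fix: PIX hands the subnet to the router, which is connected.
    print("fixed:    ", trace("192.168.1.2", "192.168.2.10"))
    # A host on the PIX's own subnet never needs the router.
    print("same LAN: ", trace("192.168.1.2", "192.168.1.50"))
```

The two traces show why the secondary addresses on FastEthernet0/0 do not help the PIX: only the 2620 has those subnets as connected routes, so the PIX must send the packet to 192.168.1.2 to reach them. On the real devices the equivalent check is `show route` on the PIX and `show ip route` on the 2620, comparing the next hop of each 192.168.x.0 entry against the interface addresses on the other box.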
 

Author Comment

by:carlosmp
ID: 11693314
That's what I thought, but I was told by someone who helped us configure the routers that the routes should point to the PIX, since they were secondary addresses.  Previously, the only purpose of the router was to terminate our Private line that we had between the datacenter and our previous office.  Since we moved almost a year ago, the cost of the private line tripled (mileage sensitive) so it's cheaper for us to have a T1 coming in from the outside...
