
About "route inside" 1


dotxbob (Technical User), Sep 5, 2002
My PIX 506 configuration has a "route inside 172.30.0.0 255.255.0.0 172.20.x.x 1" command.

I am in the .20 network; my default gateway is the inside interface of the PIX.

When I try to ping a host on the .30 network, it constantly times out. I would think that this command would cause traffic destined for the .30 network to "bounce" off of the inside interface. There is no access list on the inside interface (problem?).

Remote VPN users cannot ping in the .30 network either.

In a PIX 506, is the "route inside" supposed to redirect traffic inside, or can it route (allowed) traffic from outside to inside?

-bob
 
That's because PIXes don't redirect traffic out the same interface. They only pass it through to another. I got this direct from Cisco. The only way you can do it is to put a static route in on each machine, or place an intermediate router between the PIX and the network.
 
So is this command useless on a PIX 506 (only 2 interfaces)?
 
Not entirely. If you had to do a static one-to-one NAT translation from a public IP to something on the 172.30.x.y network, and the private interface was on the 172.20.x.y network, you could put a route in there so the device on 172.30 could be accessed from the internet. In this case you would still need static routes to it from each device on the 172.20 network.

Your other option is to make another device on 172.20 your default gateway, and put the route to the Internet on that.

My favorite setup is:
Internet router---PIX---internal router---internal network.

The "internal router" would be something (at least) like a 2621, that has two ethernet interfaces. It would also contain your point-to-point WAN lines, and they would be all protected by the PIX.

-gbiello
 
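The static-NAT-plus-"route inside" arrangement gbiello describes, written out as a PIX 6.x configuration fragment. This is an added illustration, not configuration posted in the thread; the addresses are assumed for the example (192.0.2.0/24 as the outside segment with 192.0.2.1 as the ISP router, 172.20.0.1 as the PIX inside interface, 172.20.0.254 as the internal router that reaches 172.30.0.0/16, 172.30.1.10 as the published server), as are the access-list name and the port being published.

```cisco
! Interfaces (assumed addressing)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.2 255.255.255.0
ip address inside 172.20.0.1 255.255.0.0

! Default route toward the Internet
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1

! The route from the original question: 172.30.0.0/16 lives behind a router on the inside segment.
! The PIX uses it only for traffic that enters on a *different* interface (here: outside),
! never to turn inside-sourced traffic back out the inside interface.
route inside 172.30.0.0 255.255.0.0 172.20.0.254 1

! One-to-one static NAT: public 192.0.2.10 maps to the 172.30 host.
static (inside,outside) 192.0.2.10 172.30.1.10 netmask 255.255.255.255 0 0

! Permit only the published service from the Internet to that mapping.
access-list outside_in permit tcp any host 192.0.2.10 eq 443
access-group outside_in in interface outside

! Outbound PAT for the 172.20 (and, via the router, 172.30) hosts.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
```

With this in place, an Internet client reaching 192.0.2.10:443 is translated to 172.30.1.10 and forwarded out the inside interface to 172.20.0.254. Hosts on 172.20.0.0/16 that use the PIX as their default gateway still cannot reach 172.30.0.0/16 through it: on PIX 6.x a packet that would leave by the interface it arrived on is dropped (the ability to permit that, `same-security-traffic permit intra-interface`, did not appear until PIX 7.0), so each 172.20 host needs its own static route for 172.30.0.0/16 via 172.20.0.254, or the internal router becomes the hosts' default gateway as gbiello suggests. When the VPN clients are on the outside, this same `route inside` entry is what lets their decrypted traffic be forwarded to 172.30.0.0/16; if they still cannot reach it, check that the crypto access-list and any `nat 0` exemption include the 172.30.0.0/16 range rather than only 172.20.0.0/16.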