Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PIX and internal routes

Status
Not open for further replies.
charlieyi

charlieyi

Technical User
Feb 6, 2003
2
US
Hello I was hoping to get an answer to a simple question hopefully. My network is this:
(internet router)
PIX firewall (inside interface on pix is on 192.168.1.1)
Central network (192.168.1.x)
Remote Router (e0 192.168.1.11, s0 10.1.x.x)
Remote (10.1.x.x network)

The default gateway on all my workstations at the central office is 192.168.1.1(the pix internal interface). I want to be able to access the remote workstations that are on the remote location in the 10.1.x.x network. I tried adding a route to the pix for the 10.1.x.x network to be 192.168.1.11. This for some reason did not work. Right now the only way the workstation at the central can access the remote locations is if I change their gateway to be 192.168.1.11.(the remote router.) This just didn't seem correct to me. I should be able to add other internal routes on the pix right?

 
Sort by date Sort by votes
You do need to the routes in the pix, but the pix only routes in one direction. It won't route back out the same interface (I really wish Cisco would change this). Unfortuneatly the only way for it to work for you is to setup the other router as the client's default gateway or buy manually adding persitant routes to the client machines(not recommended).
 
Upvote 0 Downvote
HI.

I agree with baddos, in one exception that in such scenarios I do recommend using static routes on workstations, because I don't know of any better solution (adding an Ethernet router just for that purpose is more cost, additional point of failure and complexity).

If you're using MS Windows workstations, you can create a batch file like this:
route add 10.1.0.0 mask 255.255.0.0 192.168.1.11

Then run this file using login script or other method.

If only the administrator workstation and the servers need access to the remote network, then you can run this command only on those hosts.

You still need to have the proper route at the pix.
This is required for routing Internet traffic, but does not help with internal routing.

Bye
Yizhar Hurwitz
 
Upvote 0 Downvote
Thanks for the replys. I left the route on the pix to route back the traffic for remote hosts and also changed the dhcp scope to use the remote router for now as the gateway for all workstations at the central office. I added manual routes on all servrs with static ip addresses. I thought maybe this was the case with the pix but couldn't find a definitive answer online. Thanks again. I will keep this in mind in the future when installing a pix.
 
Upvote 0 Downvote
HI.

> changed the dhcp scope to use the remote router for now
> as the gateway for all workstations at the central office
I think that it is better to use the pix as Default Gateway.
Your current configuration will generate unneeded traffic, and if the router is not accessible for any reason, your connection to the Internet will be down for no need.

Bye
Yizhar Hurwitz
 
Upvote 0 Downvote
I don't agree with yizhar for the reason of management. It is way easier to manage the routes of one router than all the computers on the network. It might be the cheaper solution in upfront costs, but not in the long haul w/ IT resources troubleshooting workstations that can't route because they are missing the static route. Not to mention when IT people move on to other companies, the new IT guys might not know about these static routes.

As far as redundancy is concrened, he can get another router and run HSRP to bypass that problem. Chances are he doesn't have a failover PIX either, so redundancy doesn't appear to be a big issue for them.
 
Upvote 0 Downvote
If I may put my 2 cents in as well, I also agree with baddos on this one. Having any type of special routing for each workstation becomes a management nightmare, troubleshooting gets harder when one machine works and another one doesn't. As for unneeded traffic, the traffic will be on the wire in either case, actually having all traffic route to the main router and letting it decide which path traffic takes make more sense, chances are more of the network traffic is between the central office and the remote sites anyways. I had a similar setup with an 11 city frame network all coming through HQ to get to each other and to the internet. I had the central router as the default gateway and it decided where to send the traffic onto, its default route was to the PIX.

Just my opinion.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
730
Sameer258
Sameer258
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
550
nnaarrnn
nnaarrnn
Nitta84
  • Locked
  • Question
navigation slow and tcp syc/ack drop
Replies
0
Views
476
Nitta84
Nitta84
xwray
  • Locked
  • Question
PIX 501 DHCP Server function
Replies
0
Views
110
xwray
xwray
brownmab53
  • Locked
  • Question
PIX 525 ASA not allowing DHCP addresses to pass through to router
Replies
0
Views
153
brownmab53
brownmab53

Part and Inventory Search

Sponsor

Back
Top