
PIX not sending ICMP redirect.


yizhar

HI.

A network with PIX515R, ver 4.4, 2 interfaces.
The PIX is due to be upgraded soon to latest PIX version.
The "inside" network has 3 subnets connected with routers (see diagram below).
In the main office, which I call subnetA, the PIX "inside" and the Router1 (CISCO 2500) "e0" are connected along with clients and servers.
Branch offices (subnetB, subnetC) are connected with CISCO 1000 routers and leased lines to the serial ports of Router1.
The PIX is configured with ROUTE commands to know about all inside networks.
Router1 is of course also configured to route properly to all inside networks, and its default route is to the PIX.
RIP and other routing protocols are disabled. Only static routes used.

Here is the problem/question:
The clients and servers in the main office are configured with the PIX inside interface as default gateway.
I was expecting that if a host in the main office (subnetA) is trying to reach a host in another inside network (subnetB), then the PIX will send ICMP redirect to the host, redirecting the traffic to the inside Router0.
However, this did not happen.
We have solved the problem using static permanent routes on the NT4 servers so they can communicate with other internal networks.
I know that if I would set the default gateway on the hosts to Router1 instead of the PIX, this can solve the routing problem, but I don't want this because it will create some un-needed traffic and delays, and also if Router0 will fail then clients won't be able to find the PIX and the internet which is not desirable.
Most clients are Win9x, few are Win2000. Servers are NT4.

So, is this a problem of the old PIX 4.4 version?
Why is PIX not sending ICMP redirect messages?
Has anyone else had this problem?
Any tips?

Here is the network diagram:

             Internet (ISP)
                   |
                Router0
                   |
                  PIX
                   |
               (subnetA)
                   |
                Router1
                   |
  -----------------------------------
  |                                 |
Router2                          Router3
  |                                 |
(subnetB)                       (subnetC)



More info:
Router1 can PING and TELNET all internal subnets.
I have not tested if PIX can ping all internal subnets - this is something I forgot to verify but I'm not there right now. However PIX is configured with ROUTE commands to subnetB and subnetC pointing to Router1.
Router2 and Router3 are configured with default route to Router1.
Hosts in subnetB and subnetC are configured with default gateway to local router.
Hosts in subnetA are configured with PIX inside interface as default gateway.
Hosts in subnetA go out to Internet via PIX with no problem.
Hosts in subnetA CAN NOT access hosts nor routers in subnetB & subnetC, UNLESS I use "route add" command like:
"route add subnetB mask 255.255.255.0 Router2"


Thanks
Yizhar

Yizhar Hurwitz
 
Yizhar,

Sounds like a v4.4 issue. What release level are you using; i.e. v4.4(x)?

Liberty for All,

Brian
 
HI.

I don't know the release level now and cannot check it.

I have just tested it on another machine - PIX 515UR ver 6.01, and the same problem -
PIX has a route back to another router (inside interface), but clients that are configured with PIX as default gateway cannot reach the other internal subnet unless they are manually (or via login script) configured with the specific route.
The PIX does not send ICMP redirect as I expect it to do.


Has anyone used PIX with other routers on the inside network and can tell about the configuration -
Is the PIX your default gateway?
Are servers and clients configured with static routes manually?
Are you using RIP or other routing protocols?

Thanks

Yizhar Hurwitz
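
The redirect the posts above expect, worked through as an added example (not code from the thread or from Cisco): it applies the conditions under which an ordinary RFC 1812 router issues an ICMP redirect to the topology described, and lists the per-host static routes needed when no redirect arrives. It models a generic router, not what the PIX implements; all IP addresses are constructed, since the thread gives only the 255.255.255.0 mask, and the host routes use Router1's e0 as the on-link next hop.

```python
import ipaddress

# Constructed addressing: the thread names the devices but gives no IP addresses.
SUBNET_A = ipaddress.ip_network("10.0.1.0/24")
SUBNET_B = ipaddress.ip_network("10.0.2.0/24")
SUBNET_C = ipaddress.ip_network("10.0.3.0/24")
ROUTER1_E0 = ipaddress.ip_address("10.0.1.2")    # Router1 e0 on subnetA (assumed)
ROUTER0 = ipaddress.ip_address("192.0.2.1")      # outside next hop (assumed)

# The gateway's static routes as the first post describes them:
# (destination network, next hop or None if directly connected, egress interface)
GATEWAY_ROUTES = [
    (SUBNET_A, None, "inside"),
    (SUBNET_B, ROUTER1_E0, "inside"),
    (SUBNET_C, ROUTER1_E0, "inside"),
    (ipaddress.ip_network("0.0.0.0/0"), ROUTER0, "outside"),
]

def lookup(routes, dst):
    """Longest-prefix match; returns (network, next_hop, interface)."""
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)

def redirect_for(src, dst, in_iface, routes=GATEWAY_ROUTES, in_net=SUBNET_A):
    """Gateway address an RFC 1812 router would place in an ICMP redirect,
    or None when the redirect conditions are not met."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    _, next_hop, out_iface = lookup(routes, dst)
    if out_iface != in_iface:      # packet leaves through a different interface
        return None
    if next_hop is None:           # destination is on-link, nothing better to offer
        return None
    if src not in in_net or next_hop not in in_net:
        return None                # sender could not reach the next hop directly
    return next_hop

def host_static_routes(routes=GATEWAY_ROUTES, in_net=SUBNET_A):
    """Per-host 'route add' lines that stand in for the missing redirects."""
    return [f"route add {net.network_address} mask {net.netmask} {hop}"
            for net, hop, iface in routes
            if iface == "inside" and hop is not None and hop in in_net]

if __name__ == "__main__":
    print(redirect_for("10.0.1.50", "10.0.2.10", "inside"))
    print("\n".join(host_static_routes()))
```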
 