HI.
A network with PIX515R, ver 4.4, 2 interfaces.
The PIX is due to be upgraded soon to latest PIX version.
The "inside" network has 3 subnets connected with routers (see diagram below).
In the main office, which I call subnetA, the PIX "inside" and the Router1 (CISCO 2500) "e0" are connected along with clients and servers.
Branch offices (subnetB, subnetC) are connected with CISCO 1000 routers and leased lines to the serial ports of Router1.
The PIX is configured with ROUTE commands to know about all inside networks.
Router1 is of course also configured to route properly to all inside networks, and its default route is to the PIX.
RIP and other routing protocols are disabled. Only static routes used.
Here is the problem/question:
The clients and servers in the main office are configured with the PIX inside interface as default gateway.
I was expecting that if a host in the main office (subnetA) is trying to reach a host in another inside network (subnetB), then the PIX will send an ICMP redirect to the host, redirecting the traffic to the inside Router0.
However, this did not happen.
We have solved the problem using static permanent routes on the NT4 servers so they can communicate with other internal networks.
I know that if I set the default gateway on the hosts to Router1 instead of the PIX, this can solve the routing problem, but I don't want this because it will create some unneeded traffic and delays, and also if Router0 fails then clients won't be able to find the PIX and the internet, which is not desirable.
Most clients are Win9x, few are Win2000. Servers are NT4.
So, is this a problem of the old PIX 4.4 version?
Why is PIX not sending ICMP redirect messages?
Has anyone else had this problem?
Any tips?
Here is the network diagram:
Internet (ISP)
|
Router0
|
PIX
|
(subnetA)
|
Router1
|
-----------------------------------
| |
Router2 Router3
| |
(subnetB) (subnetC)
More info:
Router1 can PING and TELNET all internal subnets.
I have not tested if PIX can ping all internal subnets - this is something I forgot to verify but I'm not there right now. However PIX is configured with ROUTE commands to subnetB and subnetC pointing to Router1.
Router2 and Router3 are configured with default route to Router1.
Hosts in subnetB and subnetC are configured with default gateway to local router.
Hosts in subnetA are configured with PIX inside interface as default gateway.
Hosts in subnetA go out to Internet via PIX with no problem.
Hosts in subnetA CAN NOT access hosts or routers in subnetB & subnetC, UNLESS I use a "route add" command like:
"route add subnetB mask 255.255.255.0 Router2"
Thanks
Yizhar
Yizhar Hurwitz
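As an added illustration, not part of the post, the Python below models the RFC 1812 conditions under which a router would send an ICMP Redirect for the subnetA-to-subnetB case, the PIX behaviour the post reports (packets are not forwarded back out the inside interface, modelled here as an assumption rather than a verified PIX 4.4 fact), and the effect of the host-side "route add" workaround. All addresses and the interface names are constructed for the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

IP, Net = ipaddress.IPv4Address, ipaddress.IPv4Network

@dataclass
class Route:
    prefix: Net
    next_hop: Optional[IP]   # None means directly connected
    iface: str

def lookup(table, dst):
    """Longest-prefix match over a list of Route entries (None if no match)."""
    hits = [r for r in table if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

def redirect_expected(table, iface_nets, in_iface, src, dst):
    """RFC 1812 conditions for a router to send ICMP Redirect: the packet would
    leave on the interface it arrived on, and both the source and the next hop
    are on that interface's network, so the source can reach the next hop directly."""
    r = lookup(table, dst)
    if r is None or r.next_hop is None or r.iface != in_iface:
        return False
    net = iface_nets[in_iface]
    return src in net and r.next_hop in net

def pix_forwards(table, in_iface, dst):
    """Assumption (matches what the post observes): the PIX never forwards a
    packet back out the interface it arrived on, so it drops rather than redirects."""
    r = lookup(table, dst)
    return r is not None and r.iface != in_iface

# Constructed addresses: subnetA 192.168.1.0/24 (PIX inside .1, Router1 e0 .2),
# subnetB 192.168.2.0/24, subnetC 192.168.3.0/24, outside 203.0.113.0/29.
PIX_IN, R1 = IP("192.168.1.1"), IP("192.168.1.2")
PIX_IFACES = {"inside": Net("192.168.1.0/24"), "outside": Net("203.0.113.0/29")}
PIX_ROUTES = [
    Route(Net("192.168.1.0/24"), None, "inside"),
    Route(Net("192.168.2.0/24"), R1, "inside"),    # subnetB via Router1
    Route(Net("192.168.3.0/24"), R1, "inside"),    # subnetC via Router1
    Route(Net("0.0.0.0/0"), IP("203.0.113.1"), "outside"),
]
HOST_A, HOST_B = IP("192.168.1.50"), IP("192.168.2.50")
HOST_ROUTES = [Route(Net("192.168.1.0/24"), None, "lan"), Route(Net("0.0.0.0/0"), PIX_IN, "lan")]

def host_next_hop(table, dst):
    """Where a subnetA host hands a packet for dst: a gateway, or dst itself if on-link."""
    r = lookup(table, dst)
    return r.next_hop if r is not None and r.next_hop is not None else dst

def with_static_route(table, prefix, gw):
    """Host-side equivalent of the post's 'route add <subnet> mask 255.255.255.0 <router>'."""
    return table + [Route(Net(prefix), IP(gw), "lan")]
```

With the static route in place the host's longest-prefix match picks Router1 for subnetB, so the PIX is never consulted and the missing redirect no longer matters.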