Routing issues

[lardum]

I'm having a seperate connection connected to my PIX firewall.
This is the design:

Internet Second Connection
| |
------------------
|
PIX
|
Private LAN Net: 192.168.1.0

The external interface has a public IP address and i also have a public IP address for the second connection. The second connection network has several networks with different subnets. I.e 10.1.0.0 , 10.1.1.0 , 10.1.2.0 and so on. However the subnetmask on these networks are different. What would be the best way to route traffic to different networks with different subnet masks?

 

[yizhar]

HI.

You can use a single route command at the pix:

route outside 10.0.0.0 255.0.0.0 ...

To route all 10.x.x.x addresses via the second connection.

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[lardum]

But i.e what if this is the situation:
10.1.1.0 has subnetmask 255.255.255.0
10.1.2.0 has subnetmask 255.255.255.0
10.1.3.0 has subnetmask 255.255.255.0
10.1.4.0 has subnetmask 255.255.255.0
and so on.

Then we have
10.1.100.0 has subnetmask 255.255.248.0
10.1.101.0 has subnetmask 255.255.248.0
10.1.102.0 has subnetmask 255.255.248.0

Do you understand what i mean with different subnetmasks? These are just samples. I have about 500 different networks in that range. And i don't want to put in a route for each...

Any more ideas?

 

[yizhar]

HI.

> Do you understand what i mean with different subnetmasks?
Yes.
What's wrong with my answer?
Does the pix need to use the same gateway (second connection) to get to all those subnets?

> And i don't want to put in a route for each...
Exactly.

> Any more ideas?
Yes. You can use this one instead:
route outside 10.1.0.0 255.255.0.0 ...

Either I missed something here (please provide additional details if so), or you missed the point.
It's a similar idea to default gateway -
You configure something like:
route outside 0.0.0.0 0.0.0.0 ISP-ROUTER
And the pix does not need to know about each subnet on the globe.

Remember also that IP routing is based on IP addresses.
A host does not send the subnet mask in the IP packet, only destination IP. The subnet mask configured on each host (the pix in your case) is used ONLY on that host to select the apropriate route for the packet.
So, the router for "second connection" gets packets destined to 10.1.x.x from the pix, and routes them using its own routing table.

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[lardum]

Yes, the PIX has the same gateway for all those 10.X.X.X subnets.

I tried with that route but somehow that didn't work... I will try that route again.

 

[yizhar]

HI.

> I tried with that route but somehow that didn't work...

Yes, this was expected.

Remember that routing should be configured properly all the way in both directions.
For example if the pix users are using a global ip address of a.b.c.d , the routers along the path will need to have the proper route for this address/subnet (that the pix uses).
If you configure the pix with "nat 0 access-list ..." then routers will need to have route to the internal addresses behind the pix.

Please provide more details so we can better help you if needed.

You can use "tracert" or "traceroute" to get some more info, and also use syslog messages on the pix to see what's going on.

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[lardum]

Routes were configured on the other side also. However it didn't work. I tried again and suddenly it worked. Probably a typo or something by me. Thanks for the help.