The PIX does route, but it is not a router.  You can add static routes:
pixfirewall(config)# route
usage: [no] route <if_name> <foreign_ip> <mask> <gateway> [<metric>]

or, you can run RIP to broadcast default route or run passive RIP:
pixfirewall(config)# rip
usage: [no] rip <if_name> default|passive [version <1|2>] [authentication <text|md5> <key> <key id>]

The PIX can be configured differently (hardware-wise) depending on your
needs.  We currently run 2-515UR's each with 6 interfaces (inside, outside,
and 4 DMZs).  Each interface on the PIX is a separate Fast Ethernet segment,
and routing between them is done by the PIX.

To display the route table on a PIX:
pixfirewall(config)# show route
        outside 0.0.0.0 0.0.0.0 63.X.X.X 1 OTHER static
        WEB 10.X.X.0 255.255.255.0 10.X.X.X 1 CONNECT static
        dmz3 10.X.X.0 255.255.255.0 10.X.X.X 1 CONNECT static
        SQL 172.16.X.0 255.255.255.0 172.16.X.X 1 CONNECT static
        inside 192.168.100.0 255.255.255.0 192.168.X.X 1 CONNECT static
        dmz2 10.X.X.X 255.255.255.0 10.X.X.X 1 CONNECT static
        outside 198.133.219.25 255.255.255.0 63.X.X.X OTHER static

The route table can be modified to point anywhere, really.  Just as you
could a router.

Hope this helps,
Evan
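As an added illustration of the point above (not part of Evan's message or of any Cisco tool): a small parser for the `show route` output format, plus a longest-prefix lookup that tells you which PIX interface and gateway a destination would leave through. The table below is constructed with placeholder addresses; the last line omits the metric field, as the final line of the real output above does.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed sample in the PIX "show route" format: if_name net mask gw [metric] type source.
# Addresses are documentation/private placeholders, not the poster's network.
SHOW_ROUTE = """\
outside 0.0.0.0 0.0.0.0 203.0.113.1 1 OTHER static
WEB 10.1.1.0 255.255.255.0 10.1.1.1 1 CONNECT static
inside 192.168.100.0 255.255.255.0 192.168.100.1 1 CONNECT static
outside 198.51.100.0 255.255.255.0 203.0.113.1 OTHER static
"""


class Route(NamedTuple):
    if_name: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int
    rtype: str    # CONNECT / OTHER
    source: str   # static / rip


def parse_show_route(text: str) -> list:
    """Parse 'show route' lines; the metric column may be absent (defaults to 1)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # blank or malformed line
        if_name, net, mask, gw = parts[:4]
        rest = parts[4:]
        metric = int(rest.pop(0)) if rest[0].isdigit() else 1
        # strict=False tolerates a host address in the network column (as in the last real line)
        network = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        routes.append(Route(if_name, network, ipaddress.IPv4Address(gw), metric, rest[0], rest[1]))
    return routes


def lookup(routes: list, dst: str) -> Optional[Route]:
    """Longest-prefix match (lowest metric on a tie): the egress interface the PIX would pick."""
    ip = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if ip in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


if __name__ == "__main__":
    table = parse_show_route(SHOW_ROUTE)
    for dst in ("192.168.100.7", "198.51.100.9", "8.8.8.8"):
        r = lookup(table, dst)
        print(f"{dst} -> {r.if_name} via {r.gateway} ({r.network})")
```

Running the lookup against a saved `show route` is a quick way to confirm that the default route and each DMZ prefix resolve to the interface you expect before you trust the box to forward between segments.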

-----Original Message-----
From: haroldnjoe [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 16, 2001 11:06 AM
To: [EMAIL PROTECTED]
Subject: Firewalls and VPNs


I've read here a couple of times that PIXes don't route. Period. In light of
this I'm left a little confused as to a proposed network map I was given
recently.

The core layer router is a 3640 linking all of our branch offices together.
From the 3640, there is an ethernet connection to a PIX 515R.  From the PIX,
there is another ethernet connection to a 1750 router. The 1750 connects via
T1 to our ISP.  There is yet another ethernet connection from the PIX to the
isolation lan, on which resides an internet mail/web server and a VPN 3000
concentrator.

If PIXes don't route, what subnet is the isolation lan going to sit on?  As
I understand it, the PIX will be providing NAT functionality for the 3640
and everything behind it.  So I would assume that the T1 and ethernet
interfaces on the 1750, the outside interfaces on the PIX, and everything in
the isolation lan including the VPN concentrator will have to have public IP
addresses which will be given to us by our ISP.  The way the map is laid
out, it looks to me like the isolation lan would have to be on its own
subnet.

What am I missing?  If the PIX doesn't route, do its ethernet interfaces
reside on the same subnet as the isolation lan?  If so, then the ethernet
interface on the 1750 must also be on that subnet, right?

This is the proposed network map that Cisco's presale engineers gave me.
I'm sure it's a solid design, but I'm still trying to work out the details
so that I understand what I'm implementing (always a good thing, I think).

Thanks for your time,

[EMAIL PROTECTED]


_________________________________
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
