Thank you for the responses Tony and Chuck.
I posed this question to see if anyone knew whether or not I was missing
something with the firewall or if it was in fact not able to forward icmp
redirects.
In the meantime to the question post I did in fact alter our dhcp scopes to
have the clients hit the 2600 first and add the static gateway to the 2600
and everything is happy.
The 2600 is owned by the ISP vendor providing the frame for this client of
mine, and sometimes it can take some time to get changes made. I luckily
was dealing with a knowledgeable Tier 3 tech who knew exactly what I wanted
done.
Gentlemen, thank you for the info though.
"Chuck Larrieu" wrote in message news:[EMAIL PROTECTED]...
> I'm not sure I understand why you need the PIX to do anything routing
> related.
>
> internet-----edge_router----PIX----inside_router------inside network.
>
> you can place the client default gateway either as the PIX inside address or
> your inside_router address ( and have the inside_router default to the PIX
> inside address )
>
> in this situation, your inside_router does routing, and your PIX does
> firewalling.
>
> does your 26xx routing table have all the spoke routes? sure you're not
> looking at a classic frame relay mapping problem?
>
> Chuck
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> trammer
> Sent: Tuesday, July 10, 2001 9:27 PM
> To: [EMAIL PROTECTED]
> Subject: Pix not routing for Frame Spokes [7:11860]
>
>
> Don't let the subject mislead you in my intention but here is my situation
> if anyone would like to take a look.
>
> I've got multiple locations connected via frame coming into a 2610 @
> 10.1.1.5:
>
> 10.2.0.0
> 10.3.0.0
> 10.4.0.0
> 10.5.0.0
> 10.6.0.0
> 10.7.0.0
>
> The 2610's default route is to 10.1.1.1 which is obviously on the 10.1.0.0
> segment in the HQ through a pix to the internet. The clients at HQ, whose
> gateway is 10.1.1.1 need to occasionally access the spokes so I added static
> routes in the Pix for each of the spokes. I am a firm believer in Cisco's
> products being a specific task oriented device (ie. pix>firewall, 3015 >
> VPN) and not to be used for anything different. I know the PIX is not
> designed to be a router but in this case I need to get some input from others
> as to why the PIX is not bouncing requests for the spokes out the 2610 like
> a quote unquote "regular router" would.
>
> What happens is the PIX can ping to say for example the 10.1.1.17 which is a
> Domain Controller in that site. But if I ping from a client or the DC in HQ
> no luck. This is with the gateway of 10.1.1.1 assigned to the DC and or
> client. Also, when I do a show ip route I see only the outside and the
> inside IP addresses.
>
> Here is the config minus the public IPs and security info. The only NAT
> pool is through a PAT and an access list is applied on the outside interface
> to filter inbound traffic. Maybe I had a brainfart on something
> suggestions are appreciated:
>
>
> 0300-PIX-01# sh conf
> : Saved
> :
> PIX Version 6.0(1)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> <>
> hostname 0300-PIX-01
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
> access-list 100 <>
> pager lines 24
> logging on
> interface ethernet0 auto
> interface ethernet1 auto
> mtu outside 1500
> mtu inside 1500
> ip address outside <>
> ip address inside 10.1.1.1 255.255.0.0
> ip audit info action alarm
> ip audit attack action alarm
> pdm history enable
> arp timeout 14400
> global (outside) 1 <>
> nat (inside) 1 10.0.0.0 0.0.0.0 0 0
> static (inside,outside) tcp <> <>
> static (inside,outside) tcp <> <>
> <>
> <>
> access-group 100 in interface outside
>
> route outside 0.0.0.0 0.0.0.0 <> 1
>
> route inside 10.2.0.0 255.255.0.0 10.1.1.5 1
> route inside 10.3.0.0 255.255.0.0 10.1.1.5 1
> route inside 10.4.0.0 255.255.0.0 10.1.1.5 1
> route inside 10.5.0.0 255.255.0.0 10.1.1.5 1
> route inside 10.6.0.0 255.255.0.0 10.1.1.5 1
> route inside 10.7.0.0 255.255.0.0 10.1.1.5 1
>
>
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> no sysopt route dnat
> telnet 0.0.0.0 0.0.0.0 inside
> telnet timeout 5
> ssh timeout 5
> terminal width 80
> <>
> 0300-PIX-01#
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12000&t=11860
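
Added example, not part of the original thread or either poster's code: a Python check over the address and route lines of the quoted config that classifies a flow a directly connected host hands to the PIX, and reports when the packet would have to leave by the interface it arrived on. PIX software of this generation does not forward a packet back out the interface it was received on, which is the situation for HQ clients using 10.1.1.1 to reach the spokes behind 10.1.1.5. The function names, the client 10.1.1.50 and the 192.0.2.x outside values are assumptions made for the example; the post elides the real outside addressing.

```python
import ipaddress

# The "inside" address and spoke routes are copied from the config quoted in the
# post. The post elides the outside address and default gateway; the 192.0.2.x
# values below are constructed placeholders so the lookup has a default route.
CONFIG = """\
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.1.1.1 255.255.0.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route inside 10.2.0.0 255.255.0.0 10.1.1.5 1
route inside 10.3.0.0 255.255.0.0 10.1.1.5 1
route inside 10.4.0.0 255.255.0.0 10.1.1.5 1
route inside 10.5.0.0 255.255.0.0 10.1.1.5 1
route inside 10.6.0.0 255.255.0.0 10.1.1.5 1
route inside 10.7.0.0 255.255.0.0 10.1.1.5 1
"""

def parse(config):
    """Return [(network, interface, next_hop or None)] from PIX 6.x config lines."""
    table = []
    for line in config.splitlines():
        f = line.split()
        if f[:2] == ["ip", "address"] and len(f) == 5:    # connected network
            net = ipaddress.ip_interface(f"{f[3]}/{f[4]}").network
            table.append((net, f[2], None))
        elif f[:1] == ["route"] and len(f) >= 5:           # static route
            net = ipaddress.ip_network(f"{f[2]}/{f[3]}")
            table.append((net, f[1], str(ipaddress.ip_address(f[4]))))
    return table

def lookup(ip, table):
    """Longest-prefix match; returns (network, interface, next_hop) or None."""
    hits = [entry for entry in table if ip in entry[0]]
    return max(hits, key=lambda entry: entry[0].prefixlen) if hits else None

def check_flow(src, dst, config=CONFIG):
    """Classify a packet that a directly connected host sends via the PIX."""
    table = parse(config)
    ingress = lookup(ipaddress.ip_address(src), table)
    egress = lookup(ipaddress.ip_address(dst), table)
    if ingress is None or egress is None:
        return ("no-route", None, None)
    in_if, out_if, gw = ingress[1], egress[1], egress[2]
    if in_if != out_if:
        return ("routed", out_if, gw)
    # Same interface in and out: either both hosts share the subnet (no gateway
    # involved) or the firewall would have to turn the packet around.
    return ("on-link" if gw is None else "hairpin", out_if, gw)
```

A "hairpin" verdict marks destinations that inside clients should reach through a gateway other than the firewall, which matches the DHCP change described at the top of the thread.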