[nsp] Routing decisions on a PIX?

Scott Morris swm at emanon.com
Tue Jun 10 12:42:48 EDT 2003


Each of your routes in a PIX has a "metric" number, which is almost like
a sequence.  No two identical mask routes can have the same metric even
if going to different ports.

By that, I mean you can't have a 172.16.0.0/16 to inside with a metric
of 1, and the same thing to dmz with a metric of 1.

PIX will do most specific matching, but on equal matches, it will go by
metric value to decide one interface over another.

HTH,

Scott

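As an added illustration (not part of the thread), here is a small Python model of the selection rule Scott describes: longest prefix match first, and on an identical prefix/mask the metric decides; the assumption that a lower metric is preferred, the interface names and the route entries are constructed for the example.

```python
# Added example, not from the mailing-list thread: models the PIX route
# selection rule described above -- most specific match first, metric as
# tie-break on identical network/mask. Assumes lower metric is preferred.
# The duplicate-metric configuration (same network/mask, same metric,
# different interface) is rejected when the route is added.
import ipaddress


class DuplicateMetric(ValueError):
    """Same network/mask with the same metric on two different interfaces."""


class PixRouteTable:
    def __init__(self):
        self.routes = []  # list of (network, interface, metric)

    def add(self, interface, network, metric=1):
        net = ipaddress.ip_network(network, strict=False)
        for n, iface, m in self.routes:
            if n == net and m == metric and iface != interface:
                raise DuplicateMetric(f"{net} metric {metric} already on {iface}")
        self.routes.append((net, interface, metric))

    def lookup(self, dst):
        """Return the egress interface for dst, or None if no route matches."""
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if addr in r[0]]
        if not candidates:
            return None
        # longest prefix wins; on an equal prefix length the lower metric wins
        best = min(candidates, key=lambda r: (-r[0].prefixlen, r[2]))
        return best[1]


def build_example_table():
    """Constructed table modelled on Voralt's scenario: a /16 pointing
    inside plus /24 networks reached over the VPN on the outside interface."""
    t = PixRouteTable()
    t.add("inside", "172.16.0.0/16", metric=1)
    t.add("outside", "172.16.50.0/24", metric=1)  # constructed VPN peer network
    t.add("outside", "172.16.51.0/24", metric=1)  # constructed VPN peer network
    return t
```

Under this rule a host in 172.16.50.0/24 resolves to the /24 (longest match) even though the /16 was added first, which is the behaviour Voralt expected rather than what he observed.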
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Voralt
Sent: Tuesday, June 10, 2003 10:50 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [nsp] Routing decisions on a PIX?


Either statics take precedence, or it uses the first one it finds, I'm
not sure which.  I had a scenario where there were VPN connections and
internal WAN connections and they were all on 172.16.x.x.  I assumed it
would work like a router and use the longest match, so if I had a
172.16.0.0 255.255.0.0 route inside, any of the VPN connections would
override that since they were all 255.255.255.0 networks.  However, the
VPNs didn't work until I removed the route inside and added a bunch of
class C routes pointing inside.  I'm assuming that it uses the first
match it finds, but that's just a guess.


----- Original Message -----
From: "Regis M. Donovan" <regis at offhand.org>
To: <cisco-nsp at puck.nether.net>
Sent: Monday, June 09, 2003 1:51 PM
Subject: [nsp] Routing decisions on a PIX?


> Hi there.
> I've got a pair of PIX boxes running 6.2(1), connected with a VPN. The
> networks are also connected by a back-end direct WAN line.  I would
> rather my traffic go over the WAN link instead of the VPN.
>
> Does the PIX consider the VPN to be a connected network?  When it 
> comes time to make a routing decision, which takes precedence in a
> PIX: a VPN network connection or a static route?
>
> I've looked around on the cisco web site and couldn't find anything 
> that directly addresses this.
>
> Thanks!
> --Regis

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/