[nsp] Routing decisions on a PIX?
Scott Morris
swm at emanon.com
Tue Jun 10 12:42:48 EDT 2003
Each of your routes in a PIX has a "metric" number, which is almost like
a sequence. No two identical mask routes can have the same metric even
if going to different ports.
By that, I mean you can't have a 172.16.0.0/16 to inside with a metric
of 1, and the same thing to dmz with a metric of 1.
PIX will do most specific matching, but on equal matches, it will go by
metric value to decide one interface over another.
HTH,
Scott
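As an added illustration of the rule Scott describes (a small Python model written for this page, not PIX code or anything from the thread), here is a lookup that picks the most specific mask first and uses the metric only to break ties between equal masks, and that rejects a second route for the same prefix with the same metric. The prefixes and interface names are assumed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network  # destination prefix (address + mask)
    interface: str                  # e.g. inside / outside / dmz
    metric: int                     # the PIX "metric" / sequence value


def make_route(cidr, interface, metric):
    """Helper so routes can be written as strings, e.g. '172.16.0.0/16'."""
    return Route(ipaddress.IPv4Network(cidr), interface, metric)


def add_route(table, route):
    """Model the PIX restriction: two routes with an identical prefix and
    mask may not share a metric, even if they point out different interfaces."""
    for existing in table:
        if existing.network == route.network and existing.metric == route.metric:
            raise ValueError(
                f"duplicate metric {route.metric} for {route.network}")
    table.append(route)


def lookup(table, dst):
    """Return the egress interface for dst: longest mask wins; among routes
    with the same mask length the lowest metric wins; None if no route."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.network]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))
    return best.interface


# Constructed sample table (assumed prefixes, not taken from the thread).
table = []
add_route(table, make_route("172.16.0.0/16", "inside", 1))
add_route(table, make_route("172.16.5.0/24", "dmz", 1))     # more specific
add_route(table, make_route("10.0.0.0/8", "outside", 1))
add_route(table, make_route("10.0.0.0/8", "dmz", 2))        # same mask, worse metric

if __name__ == "__main__":
    print(lookup(table, "172.16.5.7"))  # dmz: the /24 beats the /16
    print(lookup(table, "172.16.9.1"))  # inside: only the /16 matches
    print(lookup(table, "10.1.2.3"))    # outside: equal masks, metric 1 beats 2
```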
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Voralt
Sent: Tuesday, June 10, 2003 10:50 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [nsp] Routing decisions on a PIX?
Either statics take precedence, or it uses the first one it finds, I'm
not sure which. I had a scenario where there were VPN connections and
internal WAN connections and they were all on 172.16.x.x. I assumed it
would work like a router and use the longest match, so if I had a
172.16.0.0 255.255.0.0 route inside, any of the VPN connections would
override that since they were all 255.255.255.0 networks. However, the
VPNs didn't work until I removed the route inside and added a bunch of
class C routes pointing inside. I'm assuming that it uses the first
match it finds, but that's just a guess.
----- Original Message -----
From: "Regis M. Donovan" <regis at offhand.org>
To: <cisco-nsp at puck.nether.net>
Sent: Monday, June 09, 2003 1:51 PM
Subject: [nsp] Routing decisions on a PIX?
> Hi there.
> I've got a pair of PIX boxes running 6.2(1), connected with a VPN. The
> networks are also connected by a back-end direct WAN line. I would
> rather my traffic go over the WAN link instead of the VPN.
>
> Does the PIX consider the VPN to be a connected network? When it
> comes time to make a routing decision, which takes precedence in a
> PIX: a VPN network connection or a static route?
>
> I've looked around on the cisco web site and couldn't find anything
> that directly addresses this.
>
> Thanks!
> --Regis
>
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/