[c-nsp] Default Route behaviour on PIX

Nic Passmore nic.passmore at gmail.com
Wed Oct 29 00:08:42 EDT 2008


All,

This may be one of those things you know after working with PIX but I
just can't seem to get my head around it. Say I have a PIX that is
connected to a DSL router and is filtering traffic. The DSL connection
has a ppp negotiated IP address from the ISP. The ISP is also routing
a /30 via said address that is used to connect between the DSL router
and the PIX (if it makes any difference, the DSL router in this case
is an 827).

The next-hop address set in the default route on this PIX is a
nonsense address. It is definitely not a valid next-hop address.
Despite this fact, the PIX still happily seems to forward traffic
(this is working at the moment). I set the same configuration up in a
lab and it exhibited the same behavior. The lab has a router connected
to the "Internet" via the 30.30.30.0/30 network. The edge router and
the PIX are connected via 30.30.40.0/30. If I set the next hop of the
default route to 30.30.40.1 (the edge router side), traffic flows. If
I set the next hop of the default route to 1.1.1.1, traffic flows?

Is this a known thing? The PIX appears to just throw the traffic onto
the outbound interface and hope for the best? I've tried this with both
PIXOS 6.x and 7.x, both of which seem to exhibit the same behavior.
I've included a snippet of the PIX config from the lab... in the hopes
that maybe it is something I am doing?

I would appreciate any insight.

Cheers,

Nic

--- PIX Config from Lab ---

interface Ethernet0
 description Link to EDGE FA0/1
 nameif Outside
 security-level 0
 ip address 30.30.40.2 255.255.255.252
!
interface Ethernet1
 description Link to CLIENT FA0/0
 nameif Inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
access-list Outside-IN extended permit ip any any
access-list Outside-OUT extended permit ip any any
access-list Inside-IN extended permit ip any any
access-list Inside-OUT extended permit ip any any
!
global (Outside) 10 interface
nat (Inside) 10 0.0.0.0 0.0.0.0
access-group Outside-IN in interface Outside
access-group Outside-OUT out interface Outside
access-group Inside-IN in interface Inside
access-group Inside-OUT out interface Inside
route Outside 0.0.0.0 0.0.0.0 1.1.1.1 1
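An added example, not part of Nic's post and not PIX code: a small
config audit that flags the exact condition described above, a static
route whose next hop is not on the connected subnet of the interface it
names. The PIX does not reject such a route; my reading (not something
the post states) is that it simply ARPs for the configured next hop on
that interface, and an IOS router with proxy ARP enabled, which is the
default, answers the ARP for any address it can route, so 1.1.1.1
resolves to the edge router's MAC and traffic flows. That only works
while proxy ARP stays on and the router holds a matching route, which is
why the check is worth running. The config text is a copy of the lab
snippet from the post, embedded here as constructed input; the function
and class names are mine.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed input: the lab config from the post, with the nonsense next hop.
PIX_CONFIG = """\
interface Ethernet0
 description Link to EDGE FA0/1
 nameif Outside
 security-level 0
 ip address 30.30.40.2 255.255.255.252
!
interface Ethernet1
 description Link to CLIENT FA0/0
 nameif Inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
route Outside 0.0.0.0 0.0.0.0 1.1.1.1 1
"""

# PIX 7.x syntax: route <nameif> <network> <mask> <gateway> [metric]
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?\s*$")


@dataclass
class Finding:
    route: str
    nameif: str
    reason: str


def parse_interfaces(config):
    """Return {nameif: IPv4Interface} for every interface block that has
    both a nameif and an ip address (PIX 7.x style, indented under
    'interface ...')."""
    ifaces = {}
    current = {}
    for line in config.splitlines():
        if line.startswith("interface "):
            current = {}          # new block; forget the previous one
            continue
        m = re.match(r"\s+nameif\s+(\S+)", line)
        if m:
            current["nameif"] = m.group(1)
        m = re.match(r"\s+ip address\s+(\S+)\s+(\S+)", line)
        if m:
            # ipaddress accepts dotted netmask notation, e.g. a.b.c.d/255.255.255.252
            current["addr"] = f"{m.group(1)}/{m.group(2)}"
        if "nameif" in current and "addr" in current:
            ifaces[current["nameif"]] = ipaddress.IPv4Interface(current["addr"])
    return ifaces


def audit_static_routes(config):
    """Flag static routes whose next hop cannot be a valid directly
    connected gateway on the named interface. Returns a list of Finding."""
    ifaces = parse_interfaces(config)
    findings = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        nameif, net, mask, gw = m.group(1), m.group(2), m.group(3), m.group(4)
        route_txt = f"{net} {mask} via {gw} on {nameif}"
        iface = ifaces.get(nameif)
        if iface is None:
            findings.append(Finding(route_txt, nameif,
                                    "route names an interface with no nameif/ip address"))
            continue
        gw_ip = ipaddress.IPv4Address(gw)
        if gw_ip not in iface.network:
            # The case from the post: the PIX will still ARP for this address on
            # the interface and depend on something (proxy ARP) answering.
            findings.append(Finding(route_txt, nameif,
                                    f"next hop {gw} is not on {nameif}'s connected "
                                    f"subnet {iface.network}"))
        elif gw_ip == iface.ip:
            findings.append(Finding(route_txt, nameif, "next hop is the PIX's own address"))
        elif gw_ip in (iface.network.network_address, iface.network.broadcast_address):
            findings.append(Finding(route_txt, nameif,
                                    "next hop is the subnet's network or broadcast address"))
    return findings


if __name__ == "__main__":
    for f in audit_static_routes(PIX_CONFIG):
        print(f"WARNING: route {f.route}: {f.reason}")
    # With the next hop corrected to the edge router's side of the /30, nothing is flagged.
    print(audit_static_routes(PIX_CONFIG.replace("1.1.1.1", "30.30.40.1")))
```

On the lab config this reports the 1.1.1.1 route as not being on
30.30.40.0/30; changing the next hop to 30.30.40.1 clears it. The
check is deliberately conservative: it does not try to model proxy ARP
on the far side, because a route that only works thanks to proxy ARP
on a neighbour is exactly the kind of thing that silently breaks when
that neighbour is replaced or hardened.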
