[c-nsp] Default Route behaviour on PIX

Nick Griffin nick.jon.griffin at gmail.com
Wed Oct 29 09:40:01 EDT 2008


In your lab, on your interface on your router facing your PIX, fas0/0 for
example, do "show ip int fas0/0 | i Proxy" and you'll see that proxy arp is
enabled. The pix is trying to forward to 1.1.1.1 and the router is probably
doing proxy arp, assuming your router thinks it knows how to get to 1.1.1.1.


http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094adb.shtml



On Tue, Oct 28, 2008 at 11:08 PM, Nic Passmore <nic.passmore at gmail.com> wrote:

> All,
>
> This may be one of those things you know after working with PIX but I
> just can't seem to get my head around it. Say I have a PIX that is
> connected to a DSL router and is filtering traffic. The DSL connection
> has a ppp negotiated IP address from the ISP. The ISP is also routing
> a /30 via said address that is used to connect between the DSL router
> and the PIX (if it makes any difference, the DSL router in this case
> is an 827).
>
> The next-hop address set in the default route on this PIX is a
> nonsense address. It is definitely not a valid next-hop address.
> Despite this fact, the PIX still happily seems to forward traffic
> (this is working at the moment). I set the same configuration up in a
> lab and it exhibited the same behavior. The lab has a router connected
> to the "Internet" via the 30.30.30.0/30 network. The edge router and
> the PIX are connected via 30.30.40.0/30. If I set the next hop of the
> default route to 30.30.40.1 (the edge router side), traffic flows. If
> I set the next hop of the default route to 1.1.1.1, traffic flows?
>
> Is this a known thing? The PIX appears to just throw the traffic onto
> the outbound interface and hope for the best? I've tried this with both
> PIXOS 6.x and 7.x, both of which seem to exhibit the same behavior.
> I've included a snippet of the PIX config from the lab... in the hopes
> that maybe it is something I am doing?
>
>  I would appreciate any insight..
>
> Cheers,
>
> Nic
>
> --- PIX Config from Lab --
>
> interface Ethernet0
>  description Link to EDGE FA0/1
>  nameif Outside
>  security-level 0
>  ip address 30.30.40.2 255.255.255.252
> !
> interface Ethernet1
>  description Link to CLIENT FA0/0
>  nameif Inside
>  security-level 100
>  ip address 192.168.1.254 255.255.255.0
> !
> access-list Outside-IN extended permit ip any any
> access-list Outside-OUT extended permit ip any any
> access-list Inside-IN extended permit ip any any
> access-list Inside-OUT extended permit ip any any
> !
> global (Outside) 10 interface
> nat (Inside) 10 0.0.0.0 0.0.0.0
> access-group Outside-IN in interface Outside
> access-group Outside-OUT out interface Outside
> access-group Inside-IN in interface Inside
> access-group Inside-OUT out interface Inside
> route Outside 0.0.0.0 0.0.0.0 1.1.1.1 1
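The proxy-ARP mechanism described in the reply above, as an added worked model that is not part of the original thread or of any Cisco code: the router answers an ARP request for an address it does not own only when proxy ARP is enabled on the receiving interface and its routing table reaches that address through a different interface, so the PIX gets a MAC for the nonsense next hop 1.1.1.1 and traffic flows. The interface names and the router's own addresses are assumptions; the post does not give them.

```python
"""Constructed simulation of the IOS proxy-ARP decision for the lab in the thread.

Not Cisco code: the router replies to an ARP request for a target it does
not own only if proxy ARP is enabled on the receiving interface and the
best route to the target exits a different interface.
"""
from ipaddress import ip_address, ip_network

# Assumed topology: fa0/1 faces the PIX (30.30.40.0/30), fa0/0 faces the
# "Internet" side (30.30.30.0/30). The router's own addresses are assumed.
ROUTER_ADDRS = {
    "fa0/0": ip_address("30.30.30.2"),
    "fa0/1": ip_address("30.30.40.1"),
}
ROUTES = [  # (prefix, exit interface); longest prefix match wins
    (ip_network("30.30.30.0/30"), "fa0/0"),
    (ip_network("30.30.40.0/30"), "fa0/1"),
    (ip_network("0.0.0.0/0"), "fa0/0"),   # default route toward the ISP
]


def lookup(target):
    """Exit interface of the longest-matching route, or None if no route."""
    matches = [(p, i) for p, i in ROUTES if target in p]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def arp_reply(target, in_iface, proxy_arp):
    """True if the router answers an ARP request for `target` received on `in_iface`."""
    target = ip_address(target)
    if target == ROUTER_ADDRS[in_iface]:
        return True                   # its own address: ordinary ARP reply
    if not proxy_arp:
        return False                  # 'no ip proxy-arp': only own addresses
    out = lookup(target)
    return out is not None and out != in_iface


def pix_default_route_works(next_hop, proxy_arp=True):
    """Does 'route Outside 0.0.0.0 0.0.0.0 <next_hop>' on the PIX forward traffic?

    The PIX ARPs for the next hop on its Outside interface, which lands on
    the router's fa0/1; it forwards only if it gets a MAC address back.
    """
    return arp_reply(next_hop, "fa0/1", proxy_arp)


if __name__ == "__main__":
    for hop in ("30.30.40.1", "1.1.1.1"):
        for pa in (True, False):
            print(f"next-hop {hop:<11} proxy-arp={pa!s:<5} "
                  f"-> traffic flows: {pix_default_route_works(hop, pa)}")
```

With `no ip proxy-arp` on the PIX-facing interface the bogus next hop stops working, which is the behaviour a misconfiguration check should rely on.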

