Checking Routing
The inability to reach a destination is a prime indicator of routing problems. Such problems can be tricky to troubleshoot, but using a structured approach to isolate the problem makes the job much easier. The PIX firewall uses both static and dynamic routing. For dynamic routing, the PIX supports only RIP as a routing protocol; otherwise, the routing information it has is entered manually in the form of static routes. We open our routing troubleshooting discussion with a review of the various routing options available on the PIX firewall and how they interact.
NOTE
The only routing protocol supported by the PIX firewall at this writing is RIP (version 1 and version 2). RIP is discussed briefly in this chapter as it pertains to the PIX firewall.
www.syngress.com
574 Chapter 10 • Troubleshooting and Performance Monitoring
First, let's review the techniques you use to configure routing on your PIX, starting with the simplest (a default route) and moving on to using RIP to learn routes. In the simplest configuration, the PIX firewall is configured only with a static default route. For example:

route outside 0.0.0.0 0.0.0.0 192.168.99.2 metric 1

This command states that all traffic that does not match any of the local interfaces will be sent to the next hop of 192.168.99.2. Assuming this is the only static route configured on the firewall in Figure 10.13, all traffic destined for a network that is not directly connected to the PIX firewall will be forwarded to RTR1 to reach its final destination. A single static route such as this one works well for the simple configuration in Figure 10.13, but what happens if we have a more complex architecture, such as the one shown in Figure 10.14?

Figure 10.14 shows that traffic from PIX1 must be forwarded to RTR2 to reach 192.168.200.0/24. If we used only a default route, any traffic for 192.168.200.0/24 would be sent to RTR1 and would never reach its destination. We can resolve this issue by adding a static route on PIX1 so it knows where to forward traffic destined to 192.168.200.0/24. Because route selection is longest-prefix match, the more specific /24 route is preferred over the /0 default whenever both match. This is accomplished by adding another (more specific) route to the PIX1 configuration:

route inside 192.168.200.0 255.255.255.0 192.168.100.2 metric 2
Figure 10.13 Default Route Example
(Diagram; labels recovered from the page: PIX1, RTR1, Internet; link addresses 192.168.99.4/30, 192.168.99.2/30, 192.168.99.1/30; "Default route is RTR1"; PIX1 configuration: route outside 0.0.0.0 0.0.0.0 192.168.99.2 metric 1)
In addition to these static methods of routing, the PIX firewall supports dynamic routing using RIP version 1 or version 2. Unlike the wide range of options available for RIP on Cisco routers, the RIP commands on the PIX firewall are very sparse. There is one command form for each of the four keywords discussed below (if_name is the interface the command applies to):

[no] rip if_name default
[no] rip if_name passive
[no] rip if_name version [1 | 2]
[no] rip if_name authentication [text | md5] key key_id
We will not spend an undue amount of time debating the merits of RIP as a routing protocol. Suffice it to say, the default keyword means that the PIX firewall advertises a default route out that interface. The passive keyword configures RIP to listen on, but not advertise out of, a particular interface. The version keyword sets the version of RIP that the PIX firewall will use on that interface. The authentication keyword lets RIP version 2 peers authenticate each other so that they send updates to, and accept updates from, only legitimate peers; text mode places the key itself in every update, while md5 mode sends a keyed hash of the update instead, so md5 is the mode to use wherever the peer supports it. RIP is enabled on a per-interface basis.

In Figure 10.15, we have replaced our statically routed network with RIP version 2. Notice how this replacement has changed the routing picture, enabling the PIX firewall to adapt better to network changes.
Figure 10.14 Static Routes
(Diagram; labels recovered from the page: Internet, PIX1 with "Default route is RTR1", RTR1 on the 192.168.99.2/30 and 192.168.99.1/30 link, RTR2 on the 192.168.100.1/30 and 192.168.100.2/30 link, 192.168.200.0/24 behind RTR2; PIX1 configuration: route outside 0.0.0.0 0.0.0.0 192.168.99.2 metric 1 and route inside 192.168.200.0 255.255.255.0 192.168.100.2 metric 2)
On PIX firewalls, RIP does not advertise routes from one interface to another. In Figure 10.15, PIX1 is listening for updates on its DMZ interface and is learning any routes that might be present behind that network. As a result, PIX1 will know how to reach those networks. Because the passive keyword is used, PIX1 will not advertise any RIP routes out its DMZ interface, and because the PIX does not pass learned routes between interfaces, PIX1 also will not advertise the routes learned on the DMZ to PIX2 or RTR1. This is a limitation of RIP in the PIX firewall that has to be worked around by giving PIX2 a default route pointing at PIX1 (which our configuration does) and adding a static route on RTR1 for any networks behind PIX1's DMZ interface. What PIX1 will advertise is its directly connected networks and a default route, so RTR1 and PIX2 will be able to reach any directly connected network on PIX1. PIX2 will be able to reach the networks behind PIX1's DMZ interface because PIX1 is the default route for PIX2.

In actual practice this limitation of RIP may not matter much. Any addresses that leave or enter PIX1 through the outside interface are translated. RTR1 therefore does not need to know about the networks behind PIX1's DMZ interface, since those addresses are translated to a public address that RTR1 already knows to send to PIX1 for processing.
Figure 10.15 RIP Routing
(Diagram; labels recovered from the page: Internet, RTR1, PIX1 with OUTSIDE 192.168.99.0/30, INSIDE 192.168.100.0/30 and DMZ 192.168.200.0/24, PIX2 with 192.168.1.0/24 and a DMZ; "Default route is learned from RTR1".)

PIX1 configuration:
rip inside default
rip inside version 2
rip outside version 2
rip inside authentication text password 2
rip DMZ passive
route inside 192.168.200.0 255.255.255.0 192.168.100.2 metric 1

PIX2 configuration:
rip inside version 2
rip inside authentication md5 password 2
One problem is clearly evident in our configuration in Figure 10.15. There is an authentication mismatch between PIX1 and PIX2: PIX1 is using clear-text (text) authentication, while PIX2 is using MD5. Although the password is the same on both sides, the authentication mode is different. The result is that RIP will not work between them, because peers that disagree on the authentication mode will not authenticate each other, which prevents the exchange and acceptance of routing updates. Note that the right fix is to move PIX1 to md5, not PIX2 to text: text authentication puts the password itself into every RIP update on the wire, where anyone on the segment can read it, whereas md5 sends only a keyed hash.
Another potential gotcha that you need to be alert for is mismatched versions of RIP. The most significant difference is that RIP version 1 broadcasts to the all-hosts broadcast address of 255.255.255.255, whereas version 2 normally multicasts to the reserved IP multicast address 224.0.0.9. Version 1 updates also carry no subnet mask (the protocol is classful), while version 2 updates do. Additionally, version 2 supports authentication, whereas version 1 does not. When troubleshooting routing problems with RIP, look at the configuration of the devices where routing is not working, and check to make sure that all your routing peers agree on the version. If you are using RIP version 2 with authentication, ensure that the same password and the same authentication mode are used on both sides. Support for RIP version 2 was introduced in PIX software version 5.1. Prior versions cannot interoperate with RIP version 2 speakers, so keep the RIP version differences in mind as you troubleshoot. Support for RIP version 2 multicast was introduced in version 5.3; prior versions could only handle broadcasts.
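To make the version and authentication differences concrete, here is an added example that is not part of the original chapter and is not PIX code: it builds and decodes RIPv1 and RIPv2 packets in their on-the-wire form (RFC 1058 and RFC 2453), including the RIPv2 simple-password authentication entry that corresponds to the PIX text mode. The destination addresses, the 20-byte entry layout and the 16-byte password field come from the RFCs; the packet contents are constructed for illustration, and MD5 authentication (RFC 2082) is deliberately not implemented.

```python
import struct

RIP_PORT = 520                    # UDP port for RIP v1 and v2
RIPV1_DEST = "255.255.255.255"    # v1 broadcasts its updates
RIPV2_DEST = "224.0.0.9"          # v2 multicasts its updates (RFC 2453)
AF_INET = 2
AUTH_AFI = 0xFFFF                 # address family that marks an authentication entry
AUTH_SIMPLE = 2                   # RFC 2453 simple (clear-text) password
ENTRY_LEN = 20                    # every RIP entry, routes and auth alike, is 20 bytes


def _ip(s):
    return bytes(int(x) for x in s.split("."))


def _ip_str(b):
    return ".".join(str(x) for x in b)


def build_rip(version, routes, password=None, command=2):
    """Encode a RIP response (command=2). routes: (network, mask, metric).
    Version 1 has no mask field, so mask is ignored for version 1."""
    if version not in (1, 2):
        raise ValueError("RIP version must be 1 or 2")
    if password is not None and version != 2:
        raise ValueError("authentication requires RIP version 2")
    pkt = struct.pack("!BBH", command, version, 0)
    if password is not None:
        key = password.encode()
        if len(key) > 16:
            raise ValueError("simple password is at most 16 bytes")
        # Text mode: the password goes on the wire as-is, null padded to 16 bytes.
        pkt += struct.pack("!HH", AUTH_AFI, AUTH_SIMPLE) + key.ljust(16, b"\x00")
    for net, mask, metric in routes:
        if version == 1:
            entry = struct.pack("!HH", AF_INET, 0) + _ip(net) + bytes(8)
        else:
            entry = struct.pack("!HH", AF_INET, 0) + _ip(net) + _ip(mask) + bytes(4)
        pkt += entry + struct.pack("!I", metric)
    return pkt


def parse_rip(pkt):
    """Decode a RIP packet. With text authentication the password is
    recoverable from the bytes, which is exactly the weakness of that mode."""
    command, version, _ = struct.unpack("!BBH", pkt[:4])
    info = {"command": command, "version": version,
            "expected_dst": RIPV2_DEST if version == 2 else RIPV1_DEST,
            "auth_type": None, "password": None, "routes": []}
    body = pkt[4:]
    if len(body) % ENTRY_LEN:
        raise ValueError("RIP body must be a multiple of 20 bytes")
    for i in range(0, len(body), ENTRY_LEN):
        entry = body[i:i + ENTRY_LEN]
        afi, tag = struct.unpack("!HH", entry[:4])
        if afi == AUTH_AFI:
            if version != 2:
                raise ValueError("authentication entry in a version 1 packet")
            info["auth_type"] = tag
            if tag == AUTH_SIMPLE:
                info["password"] = entry[4:].rstrip(b"\x00").decode()
            continue
        net = _ip_str(entry[4:8])
        mask = _ip_str(entry[8:12]) if version == 2 else None   # v1 carries no mask
        metric = struct.unpack("!I", entry[16:20])[0]
        info["routes"].append((net, mask, metric))
    return info


def password_on_wire(pkt, password):
    """True if the clear-text key can be read straight out of the packet bytes."""
    return password.encode() in pkt
```

A capture of the inside segment in Figure 10.15 would show the text-mode key in every update PIX1 sends, which is why the fixed configuration later in the chapter uses md5 on both sides.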
Having reviewed how the PIX gets its routes, we now turn our attention to troubleshooting when the PIX is unable to reach a particular destination or does not have a route to it. Your tools of choice for troubleshooting routing issues on the PIX are primarily show route, show rip, and ping. Determine whether there is a reachability problem by attempting to ping the destination. If that fails, use show route to determine whether there is a route (static or RIP) to the destination network. You can use the show rip command to confirm your dynamic routing configuration. The ping command is the litmus test that verifies whether the destination can be reached. The syntax of the ping command is as follows:
ping [
For example:

PIX1# ping 192.168.99.2
192.168.99.2 response received -- 20ms
192.168.99.2 response received -- 20ms
192.168.99.2 response received -- 20ms
Does the PIX have a default route, a static route, or even a dynamically learned route? Check your routing table with the show route command. For example:

PIX1# show route
outside 192.168.99.0 255.255.255.252 192.168.99.1 1 CONNECT static
inside 192.168.100.0 255.255.255.252 192.168.100.1 1 CONNECT static
DMZ 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
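The route selection described with Figures 10.13 and 10.14 (the more specific 192.168.200.0/24 route wins over the 0.0.0.0/0 default because the longest matching prefix is chosen) can be checked offline against a show route listing. The following is an added example, not PIX code and not from the chapter: it parses show route lines like the ones above and performs the longest-prefix lookup. The sample table is constructed from the page's output plus the two static routes from the figures; the "OTHER static" flag on the non-connected lines is an assumption about the PIX output format.

```python
import ipaddress

# Constructed sample: the "show route" output from the page, plus the default
# and the more-specific static route from Figures 10.13 and 10.14. The PIX
# prints the metric as a bare number; the "OTHER static" flag is assumed.
SHOW_ROUTE = """\
outside 192.168.99.0 255.255.255.252 192.168.99.1 1 CONNECT static
inside 192.168.100.0 255.255.255.252 192.168.100.1 1 CONNECT static
DMZ 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
outside 0.0.0.0 0.0.0.0 192.168.99.2 1 OTHER static
inside 192.168.200.0 255.255.255.0 192.168.100.2 2 OTHER static
"""

# The Figure 10.13 situation: connected networks and the default route only.
DEFAULT_ONLY = "\n".join(SHOW_ROUTE.splitlines()[:4])


def parse_show_route(text):
    """Parse PIX 'show route' lines into route records."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        iface, net, mask, gateway, metric = parts[:5]
        routes.append({
            "iface": iface,
            "network": ipaddress.IPv4Network(f"{net}/{mask}"),
            "gateway": ipaddress.IPv4Address(gateway),
            "metric": int(metric),
            "connected": "CONNECT" in parts[5:],
        })
    return routes


def lookup(routes, dest):
    """Longest-prefix match; lowest metric breaks a tie. None if nothing matches."""
    dest = ipaddress.IPv4Address(dest)
    candidates = [r for r in routes if dest in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def next_hop(routes, dest):
    """(interface, gateway) the PIX would use, or (interface, 'direct') for a
    directly connected destination; None when there is no route at all."""
    route = lookup(routes, dest)
    if route is None:
        return None
    if route["connected"]:
        return (route["iface"], "direct")
    return (route["iface"], str(route["gateway"]))
```

With the default route alone, 192.168.200.10 is sent out the outside interface to 192.168.99.2 and never arrives; once the /24 route is present the same lookup picks 192.168.100.2 on the inside interface.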
In our case, 192.168.99.2 is on our directly connected outside network. To perform a side-by-side comparison of RIP peers, use the show rip command. In Figure 10.17, we are looking at the RIP configuration of PIX1 and PIX2; notice how the mismatches between the versions and the authentication modes are readily apparent. Note also that PIX1 has authentication configured on an interface running RIP version 1, which, as discussed above, does not support authentication at all.

Figure 10.17 Identifying RIP Configuration Errors

PIX1# show rip
rip central default
rip inside version 1
rip outside version 2
rip inside authentication text cisco1 2
rip DMZ passive
PIX2# show rip
rip inside version 1
rip outside version 1
rip inside authentication md5 cisco2 2
rip DMZ passive
The result of this configuration is that RIP will not work between PIX1 and PIX2, since they do not agree on the parameters. A revised configuration that will work is provided in Figure 10.18; both sides now run version 2 with md5 authentication and the same key and key ID.

Figure 10.18 RIP Configuration Fixed

PIX1# show rip
rip inside default
rip inside version 2
rip outside version 2
rip inside authentication md5 cisco2 2
rip DMZ passive
PIX2# show rip
rip inside version 2
rip outside version 2
rip inside authentication md5 cisco2 2
rip DMZ passive
We conclude our discussion of RIP with the clear rip command, which should only be used once you have made a definite decision that you no longer need RIP. This command removes all existing RIP commands and parameters from the configuration, so make sure static routes cover everything RIP was providing before you run it.