Unicast Routing
Configuration of changeless acquisition is discussed in Chapter 2. In this section, we
describe some added avant-garde capacity accompanying to unicast acquisition as performed by
the PIX firewall.
Static and Affiliated Routes
You accept already abstruse how to configure changeless routes on the PIX firewall using
the avenue command:
route
For example:
PIX1(config)# avenue alfresco 0.0.0.0 0.0.0.0 1.2.3.4
This command configures a changeless absence avenue on the alfresco interface to
the aperture 1.2.3.4—a absence aperture to be acclimated for arrangement traffic. If you issue
a appearance avenue command, the achievement will accommodate the afterward line:
route alfresco 0.0.0.0 0.0.0.0 1.2.3.4 1 OTHER static
The keyword OTHER artlessly agency that this avenue is a manually entered
static route.There is one absorbing aberration to the avenue command: It is possible
to specify an IP abode of PIX’s own interface instead of a aperture address.This
might assume aberrant from the point of appearance of the archetypal changeless routing, but this is
sometimes actual useful, abnormally in a Cisco infrastructure.The PIX itself automatically
creates routes of this blazon back you access an IP abode for an interface.
So, what happens back a avenue is set to the PIX interface? The simple answer
is that the PIX firewall considers the arrangement anon affiliated and sends an
ARP appeal for the destination abode itself instead of requesting for gateway’s
destination and forwarding the packet to the gateway.The destination host does
www.syngress.com
198 Chapter 4 • Avant-garde PIX Configurations
not absolutely accept to be anon connected; if it is affiliated via a router that has a
proxy-arp affection angry on, the router will acknowledgment on account of the host, the PIX
will advanced the packet to this router, and the router in about-face will advanced the
packet to the host. Cisco routers and PIX firewalls accept proxy ARP angry on by
default. For example, if the central interface has an IP abode of 192.168.1.254/24
and two networks, 192.168.2.0/24 and 192.168.3.0/24, are affiliated to this
interface via a router, the afterward two statements will configure actual routes
to these networks (note that the router’s IP is not acclimated anywhere; it aloof has to be
in the aforementioned arrangement as the central interface of the PIX):
PIX1(config)# avenue central 192.168.2.0 255.255.255.0 192.168.1.254
PIX1(config)# avenue central 192.168.3.0 255.255.255.0 192.168.1.254
The appearance avenue command displays the agnate entries in the routing
table as:
route central 192.168.1.0 255.255.255.0 192.168.1.254 1 CONNECT static
route central 192.168.2.0 255.255.255.0 192.168.1.254 1 OTHER static
route central 192.168.3.0 255.255.255.0 192.168.1.254 1 OTHER static
The aboriginal access actuality was created automatically by the PIX firewall back an
IP abode was configured on the central interface.The added two are the aftereffect of
our two changeless avenue entries.
What absolutely happens back the absence avenue (outside interface) on the PIX
is set to itself? The arrangement of accomplish PIX performs to accurately advanced the
packet is as follows:
1. The PIX receives a packet on the central interface destined for the
Internet host with IP a.b.c.d.
2. The absence avenue on the alfresco interface is set to the interface itself. If
a abstracted absence aperture was specified, the PIX would artlessly ARP for
the gateway’s abode and advanced the packet there. If not, the PIX sends
an ARP appeal for IP a.b.c.d.
3. Any router (assuming it has proxy ARP angry on) that has a avenue to
a.b.c.d replies with its MAC abode on account of the host a.b.c.d.
4. The PIX assiduously the packet to this router, which will handle it from
there.
5. The PIX additionally adds an access to its ARP table for IP abode a.b.c.d with
the MAC abode of the router.
www.syngress.com
Advanced PIX Configurations • Chapter 4 199
The PIX firewall additionally has the proxy ARP affection angry on by default, so it
can act in the aforementioned way as the router in the antecedent example. It is accessible to
turn the affection off on a specific interface using:
sysopt noproxyarp