PIX Security Appliance Routing Capabilities
Static and RIP routing

Although the PIX Security Appliance is not a router, it does have certain routing capabilities. The route command can be used to create static routes for accessing networks outside a router on any interface. In the example in Figure , the PIX sends all packets destined to the 10.1.1.0 network to the router at 10.0.0.3. All traffic for which the PIX Security Appliance has no route is sent to 192.168.0.1, the gateway in the default route. To enter a default route, set the ip_address and netmask arguments to 0.0.0.0, or the shortened form of 0. Only one default route can be used.

All routes entered using the route command are stored in the configuration when it is saved. They can be displayed by using the show run route command, and most routes can be cleared by using the clear configure route command. The only routes not removed with the clear configure route command are those that show the keyword CONNECT when the show route command is issued. These are routes that the PIX Security Appliance automatically creates in its routing table when an IP address is assigned to a PIX interface. A route created in this manner is a route to the network directly connected to that interface. Figure shows examples of these automatically created routes.

Although the gateway argument in the route command usually specifies the IP address of the gateway router (the next hop address for this route), the IP address of one of the PIX Security Appliance interfaces can also be used. When a route command statement uses the IP address of one of the PIX interfaces as the gateway IP address, the PIX broadcasts an ARP request for the MAC address corresponding to the destination IP address in the packet, instead of broadcasting an ARP request for the MAC address corresponding to the gateway IP address.

The following steps show how the PIX Security Appliance handles routing in this situation:

Step 1 The PIX receives a packet from the inside interface destined to IP address X.
Step 2 Because a default route is set to itself, the PIX sends out an ARP for address X.
Step 3 Any Cisco router on the outside interface LAN that has a route to address X replies back to the PIX with its own MAC address as the next hop. Cisco IOS software has proxy ARP enabled by default.
Step 4 The PIX sends the packet to the router.
Step 5 The PIX adds the entry to its ARP cache for IP address X with the MAC address being that of the router.

Learning Dynamic Routes with RIP
Another way to build the PIX Security Appliance routing table is by enabling RIP with the rip command. The PIX can be configured to learn routes dynamically from RIP version 1 or RIP version 2 broadcasts. Although the PIX uses the dynamically learned routes itself to forward traffic to the appropriate destinations, it does not propagate learned routes to other devices. The PIX cannot pass RIP updates between interfaces. It can, however, advertise one of its interfaces as a default route.

Figure shows the PIX Security Appliance learning routes from a router on its outside interface and broadcasting a default route on its inside interface. Message Digest 5 (MD5) authentication is used on the outside interface to enable the PIX to accept the encrypted RIP updates. Both the PIX and router A are configured with the encryption key MKEY and a key_id value of 2.

Use the rip command to configure the PIX Security Appliance to learn routes dynamically from RIP version 1 or RIP version 2 broadcasts. When RIP version 2 is configured in passive mode, the PIX accepts RIP version 2 multicast updates with an IP destination of 224.0.0.9. In RIP version 2 default mode, the PIX transmits default route updates using an IP destination of 224.0.0.9. Configuring RIP version 2 registers the multicast address 224.0.0.9 on the interface specified in the command so that the PIX can accept multicast RIP version 2 updates. When the RIP version 2 commands for an interface are removed, the multicast address is unregistered from that interface.

If RIP version 2 is specified, RIP updates can be protected with MD5 authentication (the PIX documentation calls this MD5 encryption; the shared key produces an authentication digest for each update rather than encrypting its contents, so it guards against forged or altered updates but not against eavesdropping). The key and key_id values must match those configured on every device in the network that sends RIP version 2 updates.

IP routing table updates are enabled by default. Use the no rip command to disable the PIX Security Appliance IP routing table updates. The clear rip command removes all the rip commands from the configuration.

NOTE:

Static routes override dynamic routes.

The syntax for the rip command is shown in Figure .
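As an added illustration (not PIX code and not from Cisco documentation), the following Python model implements the routing-table rules this section describes: CONNECT routes created automatically from interface addresses, the route command with a single default route, RIP-learned routes, clear configure route, longest-prefix lookup with static routes overriding dynamic ones, and the ARP-for-destination behaviour when the gateway is one of the PIX's own interface addresses. The route to 10.1.1.0 via 10.0.0.3 and the default gateway 192.168.0.1 follow the figure; the inside/outside interface addresses and the RIP next hop 10.0.0.9 are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    iface: str
    network: ipaddress.IPv4Network
    gateway: str
    source: str  # "CONNECT" (auto-created), "STATIC" (route command) or "RIP" (learned)


class PixRoutingTable:
    """Model of the PIX routing-table rules described in the text (not PIX code)."""
    def __init__(self, interfaces):
        # interfaces: {if_name: "ip/mask"} (constructed). Assigning an interface
        # address automatically creates a CONNECT route to the attached network.
        ifs = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
        self.if_ips = {n: str(i.ip) for n, i in ifs.items()}
        self.routes = [Route(n, i.network, str(i.ip), "CONNECT") for n, i in ifs.items()]

    def route(self, iface, ip, mask, gateway):
        """The 'route' command; '0 0' (or 0.0.0.0 0.0.0.0) means the default route."""
        ip, mask = (v if v != "0" else "0.0.0.0" for v in (ip, mask))
        net = ipaddress.ip_network(f"{ip}/{mask}")
        if net.prefixlen == 0 and any(r.source == "STATIC" and r.network.prefixlen == 0
                                      for r in self.routes):
            raise ValueError("only one default route can be used")
        self.routes.append(Route(iface, net, gateway, "STATIC"))

    def learn_rip(self, iface, network, gateway):
        """A route learned from a RIP update: used for forwarding, never re-advertised."""
        self.routes.append(Route(iface, ipaddress.ip_network(network), gateway, "RIP"))

    def clear_configure_route(self):
        """Removes every route except the automatically created CONNECT routes."""
        self.routes = [r for r in self.routes if r.source == "CONNECT"]

    def lookup(self, dst):
        """Longest-prefix match; on equal prefix length a static route overrides RIP."""
        dst = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if dst in r.network]
        rank = {"CONNECT": 0, "STATIC": 1, "RIP": 2}
        return min(hits, key=lambda r: (-r.network.prefixlen, rank[r.source]), default=None)

    def next_hop(self, dst):
        """Returns (egress interface, address the PIX ARPs for), or None if no route.
        A gateway that is a PIX interface address makes the PIX ARP for the destination."""
        r = self.lookup(dst)
        if r is None:
            return None
        return r.iface, (dst if r.gateway in self.if_ips.values() else r.gateway)
```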