Although the PIX Security Appliance is not a router, it does have
certain routing capabilities. The route command can be used
to create static routes for accessing networks outside a router on any
interface. In the example in Figure
, the PIX sends
all packets destined to the 10.1.1.0 network to the router at 10.0.0.3. All
traffic for which the PIX Security Appliance has no route is sent to
192.168.0.1, the gateway in the default route. To enter a default route, set
the ip_address and netmask arguments to
0.0.0.0, or the shortened form of 0. Only one default route can be used.
All routes entered using the route command are stored in
the configuration when it is saved. They can be displayed by using the
show run route command, and most routes can be cleared by
using the clear configure route command. The only routes
not removed with the clear configure route command are
those that show the keyword CONNECT when the show route
command is issued. These are routes that the PIX Security Appliance
automatically creates in its routing table when an IP address is issued for a
PIX interface. A route created in this manner is a route to the network
directly connected to that interface. Figure
shows examples
of these automatically created routes.
Although the gateway
argument of the route command usually specifies
the IP address of the gateway router (the next hop address for this route), the IP address of one
of the PIX Security Appliance interfaces can also be used. When a
route command statement uses the IP address of one of the
PIX interfaces as the gateway IP address, the PIX broadcasts an ARP request for
the MAC address corresponding to the destination IP address in the packet
instead of broadcasting the ARP request for the MAC address corresponding to
the gateway IP address.
The following steps show how the PIX Security Appliance handles routing in this situation:
Step 1 The PIX receives a packet from the inside interface destined to IP address X.
Step 2 Because a default route is set to itself, the PIX sends out an ARP for address X.
Step 3 Any Cisco router on the outside interface LAN that has a route to address X replies back to the PIX with its own MAC address as the next hop. Cisco IOS software has proxy ARP enabled by default.
Step 4 The PIX sends the packet to the router.
Step 5 The PIX adds the entry to its ARP cache for IP address X with the MAC address being that of the router.
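The following Python model is an added illustration, not text or code from the original page or from Cisco. It ties together the behaviour described above: assigning an interface address creates a CONNECT route, route statements add static routes (with 0 accepted as the shortened form of 0.0.0.0), only one default route is allowed, clear configure route leaves only the CONNECT routes, and when the gateway of the matching route is one of the PIX's own interface addresses the ARP request is sent for the destination address instead of the gateway. The PixRoutingTable class and the interface addresses 10.0.0.1 and 192.168.0.2 are assumptions of this example; the 10.1.1.0 route via 10.0.0.3 and the 192.168.0.1 default gateway are the values from the text.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Route:
    iface: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    kind: str          # "CONNECT" for interface routes, "STATIC" for route commands
    metric: int = 1


def _norm(arg: str) -> str:
    # The route command accepts 0 as the shortened form of 0.0.0.0.
    return "0.0.0.0" if arg == "0" else arg


class PixRoutingTable:
    """Constructed model of the PIX routing table (example code, not Cisco's)."""

    def __init__(self) -> None:
        self.routes: List[Route] = []
        self.interfaces: Dict[str, ipaddress.IPv4Interface] = {}

    def ip_address(self, iface: str, addr: str, mask: str) -> None:
        # Assigning an interface address automatically creates a CONNECT route
        # to the directly connected network; its gateway is the interface itself.
        ifaddr = ipaddress.IPv4Interface(f"{addr}/{mask}")
        self.interfaces[iface] = ifaddr
        self.routes.append(Route(iface, ifaddr.network, ifaddr.ip, "CONNECT"))

    def route(self, iface: str, ip: str, mask: str, gateway: str, metric: int = 1) -> None:
        # route if_name ip_address netmask gateway_ip [metric]
        net = ipaddress.IPv4Network(f"{_norm(ip)}/{_norm(mask)}", strict=False)
        if net.prefixlen == 0 and any(
            r.kind == "STATIC" and r.network.prefixlen == 0 for r in self.routes
        ):
            raise ValueError("only one default route can be configured")
        self.routes.append(Route(iface, net, ipaddress.IPv4Address(gateway), "STATIC", metric))

    def clear_configure_route(self) -> None:
        # clear configure route removes every route except the CONNECT ones.
        self.routes = [r for r in self.routes if r.kind == "CONNECT"]

    def show_route(self) -> List[str]:
        return [
            f"{r.iface} {r.network.network_address} {r.network.netmask} "
            f"{r.gateway} {r.metric} {r.kind}"
            for r in self.routes
        ]

    def lookup(self, dst: str) -> Optional[Route]:
        d = ipaddress.IPv4Address(dst)
        matches = [r for r in self.routes if d in r.network]
        if not matches:
            return None
        # Longest prefix wins; a lower metric breaks ties between equal prefixes.
        return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))

    def arp_target(self, dst: str) -> Optional[ipaddress.IPv4Address]:
        # Which address the PIX sends an ARP request for when forwarding to dst.
        r = self.lookup(dst)
        if r is None:
            return None
        own = {i.ip for i in self.interfaces.values()}
        # Gateway is one of the PIX's own interfaces: ARP for the destination
        # itself and let a proxy-ARP router on that LAN answer.
        return ipaddress.IPv4Address(dst) if r.gateway in own else r.gateway


def build_route_table() -> PixRoutingTable:
    # Interface addresses are constructed for this example; the 10.1.1.0 route
    # via 10.0.0.3 and the 192.168.0.1 default gateway follow the text.
    t = PixRoutingTable()
    t.ip_address("inside", "10.0.0.1", "255.255.255.0")
    t.ip_address("outside", "192.168.0.2", "255.255.255.0")
    t.route("inside", "10.1.1.0", "255.255.255.0", "10.0.0.3")
    t.route("outside", "0", "0", "192.168.0.1")
    return t


if __name__ == "__main__":
    table = build_route_table()
    print("\n".join(table.show_route()))
    print("10.1.1.5 ->", table.lookup("10.1.1.5").gateway)
    print("ARP for 203.0.113.9 ->", table.arp_target("203.0.113.9"))
    table.clear_configure_route()
    print("after clear configure route:", table.show_route())
```

Running the module prints the four-entry table, shows 10.1.1.5 resolved to 10.0.0.3, and after clear configure route shows only the two CONNECT entries. Re-adding a default route whose gateway is the outside interface's own address (192.168.0.2) makes arp_target return the destination itself, which is the proxy-ARP situation the five steps describe.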
Learning Dynamic Routes with RIP
Another way to build the PIX Security Appliance routing table is by
enabling RIP with the rip command. The PIX can be
configured to learn routes dynamically from RIP version 1 or RIP version 2
broadcasts. Although the PIX uses the dynamically learned routes itself to
forward traffic to the appropriate destinations, it does not propagate learned
routes to other devices. The PIX cannot pass RIP updates between interfaces. It
can, however, advertise one of its interfaces as a default route.
Figure
shows
the PIX Security Appliance learning routes from a router on its outside
interface and broadcasting a default route on its inside interface. Message
Digest 5 (MD5) authentication is used on the outside interface to enable the
PIX to accept the encrypted RIP updates. Both the PIX and router A are
configured with the encryption key MKEY and its key_id
value of 2.
Use the rip command to
configure the PIX Security Appliance to learn routes dynamically from RIP
version 1 or RIP version 2 broadcasts. When RIP version 2 is configured in
passive mode, the PIX accepts RIP version 2 multicast updates with an IP
destination of 224.0.0.9. For the RIP version 2 default mode, the PIX transmits
default route updates using an IP destination of 224.0.0.9. Configuring RIP
version 2 registers the multicast address 224.0.0.9 on the interface specified
in the command so that the PIX can accept multicast RIP version 2 updates. When
the RIP version 2 commands for an interface are removed, the multicast address
is unregistered from the interface card.
If RIP version 2 is specified, RIP updates can be encrypted using MD5
encryption. The key and key_id values
must be the same as on any device in the network that makes RIP version 2
updates.
IP routing table updates are enabled by default. Use the
no rip command to disable the PIX Security Appliance IP
routing table updates. The clear rip command removes all
the rip commands from the configuration.
NOTE: Static routes override dynamic routes.
The syntax for the rip command is shown in Figure
.
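As an added example (not code from the original page or from Cisco), the following Python model shows the RIP behaviour described in this section: updates are accepted only on an interface configured in passive mode, RIP version 2 updates must arrive on the 224.0.0.9 multicast address, an MD5-authenticated update is accepted only when the key and key_id match, learned routes are used for forwarding but never re-advertised, an interface in default mode advertises only a default route, and a static route overrides a learned route for the same prefix. The PixRip class, the update serialization, the router and interface addresses, and the learned prefixes are assumptions of this example; the keyed-MD5 check follows the idea of RFC 2082 (MD5 over the update plus the padded key) and is not a byte-exact RIPv2 authentication trailer. The key MKEY with key_id 2, and the outside-passive / inside-default layout, come from the text.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RIPV2_MULTICAST = ipaddress.IPv4Address("224.0.0.9")
RIPV1_BROADCAST = ipaddress.IPv4Address("255.255.255.255")   # assumed for version 1


@dataclass
class RipConfig:
    mode: str                  # "passive": learn routes; "default": advertise a default route
    version: int
    key: Optional[bytes] = None
    key_id: Optional[int] = None


@dataclass
class RipUpdate:
    iface: str                        # PIX interface the update is received or sent on
    dst: ipaddress.IPv4Address
    version: int
    routes: List[Tuple[str, int]]     # (prefix, metric) pairs
    key_id: Optional[int] = None
    digest: Optional[bytes] = None


def _encode(update: RipUpdate) -> bytes:
    # Constructed serialization used as the MD5 input; not the RIP wire format.
    return ";".join(f"{p},{m}" for p, m in update.routes).encode()


def rip_md5(update: RipUpdate, key: bytes) -> bytes:
    # Keyed MD5 in the style of RFC 2082: hash the update followed by the key
    # padded to 16 bytes. Sender and receiver must agree on key and key_id.
    return hashlib.md5(_encode(update) + key.ljust(16, b"\0")[:16]).digest()


class PixRip:
    """Constructed model of PIX RIP handling (example code, not Cisco's)."""

    def __init__(self, interfaces: Dict[str, str]) -> None:
        self.interfaces = {n: ipaddress.IPv4Address(a) for n, a in interfaces.items()}
        self.rip: Dict[str, RipConfig] = {}
        self.static: Dict[ipaddress.IPv4Network, ipaddress.IPv4Address] = {}
        self.dynamic: Dict[ipaddress.IPv4Network, ipaddress.IPv4Address] = {}

    def rip_cmd(self, iface, mode, version, key=None, key_id=None) -> None:
        self.rip[iface] = RipConfig(mode, version, key, key_id)

    def clear_rip(self) -> None:
        self.rip.clear()          # removes every rip command from the configuration

    def route_cmd(self, prefix: str, gateway: str) -> None:
        self.static[ipaddress.IPv4Network(prefix)] = ipaddress.IPv4Address(gateway)

    def receive(self, update: RipUpdate, sender: str) -> str:
        cfg = self.rip.get(update.iface)
        if cfg is None or cfg.mode != "passive":
            return "ignored: interface is not in rip passive mode"
        if update.version != cfg.version:
            return "ignored: RIP version mismatch"
        expected_dst = RIPV2_MULTICAST if cfg.version == 2 else RIPV1_BROADCAST
        if update.dst != expected_dst:
            return f"ignored: update not addressed to {expected_dst}"
        if cfg.key is not None:
            ok = (
                update.key_id == cfg.key_id
                and update.digest is not None
                and hmac.compare_digest(update.digest, rip_md5(update, cfg.key))
            )
            if not ok:
                return "rejected: MD5 authentication failed"
        # Learned routes are used for forwarding only; they are never re-advertised.
        for prefix, _metric in update.routes:
            self.dynamic[ipaddress.IPv4Network(prefix)] = ipaddress.IPv4Address(sender)
        return f"accepted {len(update.routes)} routes"

    def next_hop(self, dst: str) -> Optional[ipaddress.IPv4Address]:
        d = ipaddress.IPv4Address(dst)
        # Longest prefix wins; for the same prefix a static route overrides a dynamic one.
        matches = [(n.prefixlen, 1, gw) for n, gw in self.static.items() if d in n]
        matches += [(n.prefixlen, 0, gw) for n, gw in self.dynamic.items() if d in n]
        return max(matches)[2] if matches else None

    def advertise(self) -> List[RipUpdate]:
        # The only thing the PIX sends is a default route on interfaces in default mode.
        out = []
        for name, cfg in self.rip.items():
            if cfg.mode == "default":
                dst = RIPV2_MULTICAST if cfg.version == 2 else RIPV1_BROADCAST
                out.append(RipUpdate(name, dst, cfg.version, [("0.0.0.0/0", 1)]))
        return out


def router_a_update(key: bytes, key_id: int, routes: List[Tuple[str, int]]) -> RipUpdate:
    # Constructed RIPv2 update as router A on the outside LAN would send it.
    u = RipUpdate("outside", RIPV2_MULTICAST, 2, routes, key_id)
    u.digest = rip_md5(u, key)
    return u


def build_rip_example() -> PixRip:
    # Interface and router addresses are constructed; key MKEY / key_id 2 and the
    # passive-outside, default-inside layout follow the text.
    pix = PixRip({"inside": "10.0.0.1", "outside": "192.168.0.2"})
    pix.rip_cmd("outside", "passive", 2, key=b"MKEY", key_id=2)
    pix.rip_cmd("inside", "default", 2)
    pix.route_cmd("172.16.5.0/24", "192.168.0.1")   # static route that outranks a learned one
    return pix
```

With build_rip_example(), an update from router A signed with MKEY and key_id 2 is accepted and its prefixes become reachable via router A, except 172.16.5.0/24, where the static route keeps 192.168.0.1 as next hop. An update signed with a different key or key_id is rejected, an update arriving on the inside interface (default mode) is ignored, and advertise() yields a single default-route update on the inside interface, never the learned prefixes.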