Routing

The PIX firewall supports only two methods of routing ”static and passive RIP. Static routing is the process of manually configuring a route, whereas passive RIP is the process of dynamically learning routes via the Routing Information Protocol (RIP) from other RIP-enabled routers. The PIX firewall does not share its routing information with other routers; it only passively listens to RIP advertisements.

After you assign an IP address to an interface, the PIX firewall creates a directly connected entry in the routing table. But any routes not directly connected need to be configured. Listing 8.5 uses the show route command to display the directly connected routes shown in Figure 8.5.

Listing 8.5 Connected Routes

 pixfirewall(config)# show route         outside 169.254.0.0 255.255.0.0 169.254.8.1 1 CONNECT static         inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static pixfirewall(config)# 

Static Routes

Manually configuring static routes enables the PIX firewall to direct traffic out the appropriate interface and off to the next hop. The route command is used to create a manual static route; its command syntax is shown here:

 pixfirewall(config)# [no] route <if_name> <foreign_ip> <mask>                <gateway> [<metric>] 

Table 8.8 displays the command options for the route command.

Table 8.8. route Command Options

In Listing 8.6, two static routes are created. The first is a default route to the Internet, and the second is a static route to the 10.0.0.0 network.

Listing 8.6 Static Routes

 pixfirewall(config)# clear route pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 169.254.8.254 pixfirewall(config)# route inside 10.0.0.0 255.0.0.0 192.168.1.254 pixfirewall(config)# show route         outside 0.0.0.0 0.0.0.0 169.254.8.254 1 OTHER static         inside 10.0.0.0 255.0.0.0 192.168.1.254 1 OTHER static         outside 169.254.0.0 255.255.0.0 169.254.8.1 1 CONNECT static         inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static pixfirewall(config)# 

In Listing 8.6, the first line clears all the existing routes, and the second line displays the route command needed to configure a static default route to the Internet according to Figure 8.5. The third line configures a static route to the 10.0.0.0 network going through the gateway of 192.168.1.254.

The Routing Information Protocol

The PIX firewall can learn routes dynamically using the routing protocols RIP v1 or RIP v2. The routing protocol RIP advertises the routes a device knows to other RIP-enabled devices. Although the PIX supports RIP, it listens to RIP advertisements only in a passive configuration. This enables the PIX to learn routes for other devices without advertising them to others. The exception to this is that the PIX can advertise a default route to another device, but it won't advertise any learned routes. The following is the rip command's syntax:

 pixfirewall(config)# [no] rip <if_name> defaultpassive [version <12>]                [authentication <text md5> <key> <key id>] 

Table 8.9 displays the rip command's options.

Table 8.9. rip Command Options

Here is an example of the using the rip command:

 pixfirewall(config)# rip inside passive version 1 

Table 8.10 lists four other helpful routing and RIP commands.

Table 8.10. General Routing Commands

To create a default route, you use the route outside 0.0.0.0 0.0.0.0 <gateway ip address> command. This command can also be written as route outside 0 0 <gateway ip address> .