Configure Routing
Overview
Each inside or perimeter interface can be configured with route information for the routers adjacent to the firewall's planned installation point.
Specifying a route tells the firewall where to send information that is forwarded on a specific interface and destined for a particular network address. You can specify more than one route per interface, allowing you to control where to send network traffic.
The firewall learns where everything is on the network by "passively" listening for RIP network traffic. When the firewall interface receives RIP traffic, the firewall updates its routing table.
You can also configure the firewall to broadcast an inside or perimeter interface as a "default" route. Broadcasting an interface as a default route is useful if you want all network traffic on that interface to go out through that interface.
When defining a route, specify the IP address and network mask for the destination network. Use 0.0.0.0 for both the IP address and network mask as the default value.
The gateway IP address is the router that routes the traffic to the destination network IP address.
RIP configuration specifies whether the firewall updates its routing tables by passive listening to RIP traffic, and whether the interface broadcasts itself as a default route for network traffic on that interface. If you configure the firewall interface to listen for RIP updates, be sure to configure the router supplying the RIP information with the network address for the firewall interface.
Before testing the configuration, run clear arp on any routers that feed traffic into or out of the firewall and on any routers between the firewall and the Internet.
Static Routes
- Sketch out a diagram of the network
- Enter the default route
route outside 0 0 209.165.201.2 1
0.0.0.0 is abbreviated as 0 for the destination IP address and the netmask.
The "1" at the end of the command indicates that the router is one hop away.
- Add static routes for the networks that connect to the inside router as follows:
route inside 192.168.5.0 255.255.255.0 192.168.0.2 1
route inside 192.168.6.0 255.255.255.0 192.168.0.2 1
These static route commands can be read as follows:
For packets intended for either network 192.168.5.0 or 192.168.6.0, ship them to the router at 192.168.0.2. The router decides which packet goes to which network. The firewall is not a router and cannot make these decisions.
The "1" at the end of the command statement specifies how many hops (routers) the router is from the firewall. Because it is the first router, you use 1.
- Add the static routes for the dmz4 interface:
route dmz4 192.168.7.0 255.255.255.0 192.168.4.2 1
route dmz4 192.168.8.0 255.255.255.0 192.168.4.2 1
These command statements direct packets intended for the 192.168.7.0 and 192.168.8.0 networks back through the router at 192.168.4.2.
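To check that a static route table does what the sketch in the first step intends, it helps to resolve a few destination addresses against it before touching the firewall. The following Python script is an added example and is not part of the firewall documentation or the firewall's own code: it parses route statements in the `route <interface> <destination> <netmask> <gateway> <metric>` form shown above (including the `0 0` abbreviation of the default route), builds a routing table, and answers "which interface and gateway does this packet go to" by longest-prefix match, falling back to the 0.0.0.0 default route only when no more specific route covers the destination. The route statements are copied from this procedure; the sample destination addresses are constructed. It is written generally enough that it also orders more specific routes correctly if you add them later.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed copy of the static route statements shown in this procedure.
ROUTE_CONFIG = """
route outside 0 0 209.165.201.2 1
route inside 192.168.5.0 255.255.255.0 192.168.0.2 1
route inside 192.168.6.0 255.255.255.0 192.168.0.2 1
route dmz4 192.168.7.0 255.255.255.0 192.168.4.2 1
route dmz4 192.168.8.0 255.255.255.0 192.168.4.2 1
"""


class Route(NamedTuple):
    interface: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int  # hop count to the gateway router


def _expand_zero(token: str) -> str:
    # The route command accepts a bare "0" as shorthand for 0.0.0.0 in the
    # destination and netmask fields, so "route outside 0 0 ..." is the default route.
    return "0.0.0.0" if token == "0" else token


def parse_route(statement: str) -> Route:
    """Parse one `route <if> <dest> <mask> <gateway> <metric>` statement."""
    parts = statement.split()
    if len(parts) != 6 or parts[0] != "route":
        raise ValueError(f"not a route statement: {statement!r}")
    _, interface, dest, mask, gateway, metric = parts
    network = ipaddress.IPv4Network(
        (_expand_zero(dest), _expand_zero(mask)), strict=False
    )
    return Route(interface, network, ipaddress.IPv4Address(gateway), int(metric))


def build_table(config: str) -> list:
    """Collect every route statement in a configuration into a routing table."""
    return [
        parse_route(line)
        for line in config.splitlines()
        if line.strip().startswith("route ")
    ]


def lookup(table: list, destination: str) -> Optional[Route]:
    """Longest-prefix match: the most specific matching route wins, ties go to
    the lower metric, and the 0.0.0.0/0 default (prefix length 0) is chosen
    only when no more specific route covers the destination."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in table if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def next_hop(destination: str, config: str = ROUTE_CONFIG):
    """Return the (interface, gateway) the firewall hands the packet to, or None."""
    route = lookup(build_table(config), destination)
    return None if route is None else (route.interface, str(route.gateway))


if __name__ == "__main__":
    # Constructed sample destinations: one host per downstream network plus an Internet host.
    for dst in ("192.168.5.7", "192.168.6.20", "192.168.8.200", "198.51.100.9"):
        print(dst, "->", next_hop(dst))
```

Note that the script only reproduces the firewall's part of the decision: it picks the gateway router, and, as the text says, the router behind that gateway decides how to reach the final network. Running `next_hop` on an address such as 198.51.100.9 with the `route outside 0 0 ...` line removed returns `None`, which is exactly the situation the default route exists to prevent.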