Book Excerpt: Cisco Secure Internet Security Solutions, part 2 - Page 5
The route command is used on the PIX in the same manner that static routes and default routes are used on a router. The PIX has limited routing capabilities, so you must specify its routes statically. As on a router, the most specific route listed takes precedence. The syntax for the route command follows:
route interface_name ip_address netmask gateway_ip [metric]

The interface_name is any name previously defined by the nameif command. The ip_address is the address of the internal or external network, and netmask is its subnet mask; for a default route, both can be given as either 0.0.0.0 or 0.
The gateway_ip is the IP address of the next hop for the network to which you are adding a route. For example, if your inside interface supported multiple networks connected with a router whose interface is 10.1.1.20, your route statements might appear as follows:
route inside 10.1.2.0 255.255.255.0 10.1.1.20 2
route inside 10.1.8.0 255.255.255.0 10.1.1.20 2
route inside 10.2.13.0 255.255.255.0 10.1.1.20 2
route inside 10.11.7.0 255.255.255.0 10.1.1.20 2

Beginning with version 5.1, the PIX automatically creates a route entry for the network of each of its own interfaces: once you enter the IP address for an interface, the PIX adds a route for it, and that entry is not deleted when you use the clear route command. If a route command uses the IP address of one of the PIX's own interfaces as the gateway IP address, the PIX treats the destination as directly connected and sends an ARP request for the destination IP address in the packet instead of for the gateway IP address.
The metric parameter specifies the number of hops to gateway_ip, not to the ultimate destination of the IP packet. A default of 1 is assumed if this parameter is omitted. If a duplicate route is entered with a different metric for the same gateway, the PIX updates the metric of the existing route rather than adding a second entry.
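The following Python model of the PIX route table is an added example, not code from the book or from Cisco. It parses a small set of constructed route lines (the 0 shorthand for a default route included), collapses a duplicate route for the same gateway into a metric update as described above, resolves a destination by longest-prefix match, and reports which address the PIX would ARP for, assuming a hypothetical inside interface address of 10.1.1.1 so that one route uses the PIX's own interface as its gateway.

```python
import ipaddress

# Constructed PIX configuration lines for illustration (not from the book).
# The second 10.2.13.0 route is a deliberate duplicate with a new metric.
SAMPLE_ROUTES = """
route outside 0 0 192.168.1.1 1
route inside 10.1.1.0 255.255.255.0 10.1.1.1 1
route inside 10.1.2.0 255.255.255.0 10.1.1.20 2
route inside 10.1.8.0 255.255.255.0 10.1.1.20 2
route inside 10.2.13.0 255.255.255.0 10.1.1.20 2
route inside 10.2.13.0 255.255.255.0 10.1.1.20 5
route dmz 10.2.13.128 255.255.255.128 172.16.1.2 1
"""

# Hypothetical addresses assigned to the PIX's own interfaces.
PIX_INTERFACE_IPS = {"outside": "192.168.1.2", "inside": "10.1.1.1", "dmz": "172.16.1.1"}


def parse_route_line(line):
    """Parse one 'route iface addr mask gateway [metric]' line; None if not a route."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        return None
    iface, addr, mask, gw = parts[1:5]
    metric = int(parts[5]) if len(parts) > 5 else 1  # metric defaults to 1
    # The PIX accepts 0 as shorthand for 0.0.0.0 in a default route.
    if addr == "0":
        addr = "0.0.0.0"
    if mask == "0":
        mask = "0.0.0.0"
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return iface, net, ipaddress.ip_address(gw), metric


def build_table(config_text):
    """Build {(iface, network, gateway): metric}; a duplicate route updates the metric."""
    table = {}
    for line in config_text.splitlines():
        parsed = parse_route_line(line.strip())
        if parsed is None:
            continue
        iface, net, gw, metric = parsed
        table[(iface, net, gw)] = metric
    return table


def lookup(table, dst):
    """Return (iface, network, gateway, metric) for the most specific matching route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for (iface, net, gw), metric in table.items():
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net, gw, metric)
    return best


def arp_target(route, dst, interface_ips=PIX_INTERFACE_IPS):
    """Address the PIX ARPs for: the destination itself when the gateway is its own interface."""
    iface, _net, gw, _metric = route
    if interface_ips.get(iface) == str(gw):
        return ipaddress.ip_address(dst)
    return gw


if __name__ == "__main__":
    table = build_table(SAMPLE_ROUTES)
    for dst in ("10.2.13.5", "10.2.13.200", "10.1.1.50", "8.8.8.8"):
        route = lookup(table, dst)
        print(dst, "->", route[0], route[1], "via", route[2], "metric", route[3],
              "ARP for", arp_target(route, dst))
```

Because 10.2.13.128/25 is more specific than 10.2.13.0/24, a packet for 10.2.13.200 leaves via the dmz route even though the /24 was entered first; 10.2.13.5 still uses the inside route, whose metric is now 5 after the duplicate line.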
arp timeout Command
The arp timeout command specifies how long, in seconds, an ARP entry remains in the ARP cache before it is flushed. The default is 14,400 seconds, or 4 hours. In the configuration, you change the default to 2 hours with the following:
arp timeout 7200
write Command
The write command works in the same way as the write command on a Cisco router. For those of you relatively new to Cisco equipment, this command has largely been replaced on routers by the copy command. The write command can take any of the following formats:
write net [[server_ip_address]:[filename]]
write erase
write floppy
write memory
write terminal
write standby

The write net command writes the configuration across the network to a Trivial File Transfer Protocol (TFTP) server under the filename specified. If no server IP address or filename is entered, the user is prompted for them. Because TFTP carries the configuration, including any passwords and keys it contains, unauthenticated and in cleartext, the TFTP server should sit on a protected management network.
The write erase command clears the configuration stored in Flash memory. The write floppy command writes the configuration to the floppy disk, if the PIX has one. The write memory command saves the running configuration to Flash memory, so that it survives a reload; until you issue it, changes made at the command line exist only in RAM. The write terminal command displays the current configuration on the terminal. The write standby command copies the configuration to the RAM of the standby (failover) PIX.

At this point, you have completed a basic configuration. You are ready to move toward a more realistic situation, such as a network with a mail server and an FTP server (which will be covered in part 3).