Book Excerpt: Cisco Secure Internet Security Solutions, part 2 - Page 5

 By Cisco Press

route Command
The route command is used by the PIX in the same manner that static routes and default routes are used on a router. The PIX has limited routing capabilities. It is necessary for you to specify routes. As in a router, the most specific route listed takes precedence. The syntax for the route command follows:

 route interface_name ip_address netmask gateway_ip [ metric]
The interface_name is any name previously defined by the nameif command. The ip_address is the address of the internal or external network. A default route can be set with either or 0. The netmask is the subnet mask of the route. A default route can use either or 0.

The gateway_ip is the IP address of the next hop for the network to which you are adding a route. For example, if your inside interface supported multiple networks connected with a router whose interface is, your route statements might appear as follows:

 route inside 2
 route inside 2
 route inside 2
 route inside 2
Beginning with version 5.1, the PIX automatically places the IP address of each PIX Firewall interface in the route command. Once you enter the IP address for an interface, the PIX creates a route statement entry for it that is not deleted when you use the clear route command. If a route command uses the IP address of one of the PIX's own interfaces as the gateway IP address, the PIX ARPs for the destination IP address in the packet instead of ARPing for the gateway IP address.

The metric parameter specifies the number of hops to gateway_ip, not to the ultimate destination of the IP packet. A default of 1 is assumed if this parameter is omitted. If a duplicate route is entered with a different metric for the same gateway, the PIX updates the metric of the existing route.
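As an added illustration of the behaviour described above (this is example code, not from the book or from Cisco), the following parses PIX-style route commands into a table, treats 0 or 0.0.0.0 as the default route, applies the default metric of 1, collapses a duplicate route for the same gateway into a metric update, and resolves destinations by longest-prefix match so that the most specific route takes precedence. The configuration lines and addresses are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed PIX-style route commands for illustration only.
SAMPLE_CONFIG = """
route outside 0 0 203.0.113.1 1
route inside 10.1.0.0 255.255.0.0 192.168.1.2 1
route inside 10.1.5.0 255.255.255.0 192.168.1.3 1
route inside 10.1.0.0 255.255.0.0 192.168.1.2 2
"""

Route = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Address, int]


def parse_route(line: str) -> Route:
    """Parse 'route interface_name ip_address netmask gateway_ip [metric]'.
    A 0 (or 0.0.0.0) for ip_address and netmask denotes the default route."""
    parts = line.split()
    if len(parts) not in (5, 6) or parts[0] != "route":
        raise ValueError(f"malformed route command: {line!r}")
    _, iface, ip, mask, gw = parts[:5]
    metric = int(parts[5]) if len(parts) == 6 else 1  # metric defaults to 1
    ip = "0.0.0.0" if ip == "0" else ip
    mask = "0.0.0.0" if mask == "0" else mask
    net = ipaddress.IPv4Network((ip, mask), strict=False)
    return iface, net, ipaddress.IPv4Address(gw), metric


def build_table(config: str) -> List[Route]:
    """Load routes; a duplicate (network, gateway) entered with a new metric
    replaces the stored metric instead of creating a second entry."""
    table: Dict[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address], Route] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("route "):
            iface, net, gw, metric = parse_route(line)
            table[(net, gw)] = (iface, net, gw, metric)
    return list(table.values())


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route wins, as on a router;
    the 0.0.0.0/0 default matches only when nothing more specific does."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r[1]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[1].prefixlen)
```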

arp timeout Command
The arp timeout command specifies how long an ARP entry remains in the ARP cache before it is flushed. The number given is the time in seconds that an ARP entry remains in the cache. The default is 14,400 seconds, or 4 hours. In the configuration, you change the default to 2 hours with the following:

 arp timeout 7200

write Command
The write command works in the same way that the write command operates in a Cisco router. For those of you relatively new to Cisco equipment, this command has largely been replaced on routers with the copy command. The write command can take any of the following formats:

 write net [[ server_ip_address]:[ filename]]
 write erase
 write floppy
 write memory
 write terminal
 write standby
The write net command writes across a network to a Trivial File Transfer Protocol (TFTP) server with the filename specified. If no server IP address or filename is entered, the user is prompted.

The write erase command clears the Flash memory configuration. The write floppy command writes the configuration to the floppy disk, if the PIX has a floppy. The write memory command stores the configuration in RAM memory. The write terminal command shows the current configuration on the terminal. The write standby command writes the configuration to the RAM memory of a failover (standby) PIX.

At this point, you have completed a basic configuration. You are ready to move toward a more realistic situation, such as a network with a mail server and an FTP server (which will be covered in part 3).
This article was originally published on Sep 14, 2001