The way back – Static routes

Our recommendation is to place backups and virtual hosts on a separate network segment behind a routed firewall. The problem this creates is that computers on our general network cannot reach the secure network segment.

Our general network, including our virtual servers (not hosts), is on the network with a gateway of Consider a computer C2 on that network with an IP address of

Our secure segment is behind a routed firewall. That network segment is with a gateway of Consider our host server H1 at

Our routed firewall F1 has two interfaces – one in each network. These are and

So C2 tries to communicate with H1. C2 determines that the address of H1 is outside its own subnet, so it sends the frame to its default gateway. The gateway has no route for the secure segment, so its default route sends the packet out to the internet and not to F1. The traffic never reaches H1.

The solution is to add a static route for the secure segment to the gateway router, with F1's interface in the general network as the next hop. In Cisco IOS this would be:

ip route
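To make the forwarding decision concrete, here is an added example (not from the original post) that models C2, the gateway, and longest-prefix-match lookup, and shows where a packet for H1 ends up with and without the static route. The addresses are constructed from the RFC 5737 documentation ranges, since the post's own values are not reproduced here; the `ios_static_route` helper renders the IOS command with the full network, mask and next hop.

```python
import ipaddress

class RoutingTable:
    """Minimal IPv4 forwarding table with longest-prefix-match lookup."""
    def __init__(self) -> None:
        self.routes = []  # (IPv4Network, next_hop) pairs

    def add(self, prefix: str, next_hop: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst: str):
        addr = ipaddress.ip_address(dst)
        matches = [(n, nh) for n, nh in self.routes if addr in n]
        if not matches:
            return None
        # most specific prefix wins, so a /24 route beats the 0.0.0.0/0 default
        return max(matches, key=lambda m: m[0].prefixlen)[1]

# Constructed addresses (RFC 5737 documentation ranges); the post's real values are not used.
GENERAL_NET = "192.0.2.0/24"    # office segment (C2 and the virtual servers)
SECURE_NET = "198.51.100.0/24"  # segment behind the routed firewall F1 (H1)
GATEWAY = "192.0.2.1"           # default gateway of the office segment
F1_GENERAL_IF = "192.0.2.254"   # F1's interface in the office segment
C2, H1 = "192.0.2.20", "198.51.100.10"

def gateway_table(with_static_route: bool) -> RoutingTable:
    """Forwarding table of the office gateway, before or after the fix."""
    rt = RoutingTable()
    rt.add(GENERAL_NET, "connected")
    rt.add("0.0.0.0/0", "internet")        # default route toward the ISP
    if with_static_route:
        rt.add(SECURE_NET, F1_GENERAL_IF)  # the static route: hand the secure segment to F1
    return rt

def path_from_c2(dst: str, with_static_route: bool) -> list:
    """Hop-by-hop forwarding decision for a packet C2 sends to dst."""
    c2 = RoutingTable()
    c2.add(GENERAL_NET, "connected")
    c2.add("0.0.0.0/0", GATEWAY)  # off-subnet traffic goes to C2's default gateway
    if c2.lookup(dst) == "connected":
        return ["C2", "direct"]
    nh = gateway_table(with_static_route).lookup(dst)
    return ["C2", "gateway", "F1" if nh == F1_GENERAL_IF else nh]

def ios_static_route(prefix: str, next_hop: str) -> str:
    """Render the route in Cisco IOS syntax: ip route <network> <mask> <next-hop>."""
    net = ipaddress.ip_network(prefix)
    return f"ip route {net.network_address} {net.netmask} {next_hop}"
```

`path_from_c2(H1, False)` returns `['C2', 'gateway', 'internet']`, the failure described above, while `path_from_c2(H1, True)` returns `['C2', 'gateway', 'F1']`.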

With a Cisco ASA the same route can be configured through the web interface.

With a Fortigate it can also be done through the web interface.

This complexity is inconvenient but necessary: it is what lets F1 stand between the office network and the secure segment, protecting backups and virtual hosts from a compromise of the office network segment.