PIX 501 internal route statement

Unanswered Question
Apr 6th, 2007

Not that familiar with PIX. I added a route statement to send traffic for remote locations to the VPN box on the same subnet as the PIX:

route inside 172.16.0.0 255.255.0.0 192.168.1.17 1

I can ping 172.16.x.x addresses from the PIX box, but not from hosts with the PIX as the default gateway. Did I miss something else?

jasonrandolph Fri, 04/06/2007 - 14:57

By default PIX firewalls will not allow a packet to ingress/egress on the same interface.

7.0+ code trains will allow you to override this, but I don't think a 501 will support it.

If you have a spare interface on your 501 I would place the VPN box in a DMZ by itself so that the traffic is routed between firewall interfaces to get around this.

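The DMZ layout jasonrandolph suggests, written out as an added configuration example (not from the thread, and not specific to any poster's box). It assumes a PIX running 6.x code with a spare third interface (ethernet2), a constructed DMZ subnet 192.168.2.0/24 with the VPN box re-addressed to 192.168.2.17, and an inside subnet of 192.168.1.0/24; lines beginning with ! are comments.

```cisco
! Added example, not the original poster's config. Addresses are constructed.
! Give the spare interface a name, security level and address for the DMZ
nameif ethernet2 dmz security50
ip address dmz 192.168.2.1 255.255.255.0
! Drop the same-interface route from the question; it is what the PIX refuses to hairpin
no route inside 172.16.0.0 255.255.0.0 192.168.1.17 1
! Send the remote networks out the dmz interface, so traffic crosses interfaces
route dmz 172.16.0.0 255.255.0.0 192.168.2.17 1
! Identity translation: inside hosts keep their own addresses when talking to the dmz
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
! Lower-security dmz may only initiate toward the inside from the remote VPN networks
access-list dmz_in permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-group dmz_in in interface dmz
! On 7.0+ code (not available on a 501) the override jasonrandolph mentions is instead:
! same-security-traffic permit intra-interface
```

Hosts keep the PIX as their default gateway; the dmz ACL limits what the VPN side can initiate, so review it against the remote networks you actually expect.
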
ciscospaz Fri, 04/06/2007 - 15:18

Thanks, that answers my question. As usual, the real solution is more involved than I had hoped.

sundar.palaniappan Fri, 04/06/2007 - 14:58

Daniel,

PIX doesn't route packets out the same interface on which the packets arrived. You may have to add static route(s) to the remote locations on the host to point to the VPN device. Another option is to change the gateway of hosts to point to a router, if one is available, on the same segment, which can then forward packets to the VPN device or firewall depending on the destination.

HTH

Sundar
