04-06-2007 02:49 PM - edited 03-05-2019 03:21 PM
Not that familiar with PIX. I added a route statement to send traffic for remote locations to the VPN box on the same subnet as the PIX:
route inside 172.16.0.0 255.255.0.0 192.168.1.17 1
I can ping 172.16.x.x addresses from the PIX box, but not from hosts with the PIX as the default gateway. Did I miss something else?
04-06-2007 02:57 PM
By default PIX firewalls will not allow a packet to ingress/egress on the same interface.
7.0+ code trains will allow you to override this, but I don't think a 501 will support it.
If you have a spare interface on your 501 I would place the VPN box in a DMZ by itself so that the traffic is routed between firewall interfaces to get around this.
04-06-2007 03:18 PM
Thanks, that answers my question. As usual, the real solution is more involved than I had hoped.
04-06-2007 02:58 PM
Daniel,
PIX doesn't route packets out the same interface on which the packets arrived. You may have to add static route(s) to the remote locations on the hosts to point to the VPN device. Another option is to change the gateway of the hosts to point to a router, if one is available, on the same segment, which can then forward packets to the VPN device or the firewall depending on the destination.
HTH
Sundar
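The thread's point is that the route above sends inside hosts' traffic back out the inside interface, which the PIX drops by default. Below is an added example (not from any poster in this thread) that checks a PIX-style route table for exactly that hairpin and contrasts it with the DMZ placement suggested in the first reply; the interface subnets and the 192.168.2.x DMZ addresses are assumed sample values, only the original 172.16.0.0/16 route via 192.168.1.17 comes from the post.

```python
import ipaddress

# Constructed sample topology (assumed, not from the thread): the inside LAN where the
# PIX and the VPN box (192.168.1.17) both live, plus a spare DMZ segment for the VPN box.
INTERFACES = {
    "inside": ipaddress.ip_network("192.168.1.0/24"),
    "dmz": ipaddress.ip_network("192.168.2.0/24"),
    "outside": ipaddress.ip_network("203.0.113.0/29"),
}

def parse_route(line):
    """Parse 'route <iface> <net> <mask> <gw> [metric]' into (iface, network, gateway)."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not a route statement: {line!r}")
    iface, net, mask, gw = parts[1:5]
    return iface, ipaddress.ip_network(f"{net}/{mask}", strict=False), ipaddress.ip_address(gw)

def interface_of(addr, interfaces=INTERFACES):
    """Name of the interface whose subnet contains addr, or None if no interface owns it."""
    return next((name for name, net in interfaces.items() if addr in net), None)

def check_route(line, source_iface, interfaces=INTERFACES):
    """Classify one route for hosts that sit behind source_iface.

    'hairpin'  - next hop is on the same interface the traffic arrives on (PIX drops this
                 by default, the situation described in the thread)
    'mismatch' - the declared interface does not own the next hop (config error)
    'ok'       - traffic crosses between two different firewall interfaces
    """
    iface, _net, gw = parse_route(line)
    if interface_of(gw, interfaces) != iface:
        return "mismatch"
    if iface == source_iface:
        return "hairpin"
    return "ok"

def audit(config_lines, source_iface="inside", interfaces=INTERFACES):
    """Return {route_line: verdict} for every route statement in a config listing."""
    return {line: check_route(line, source_iface, interfaces)
            for line in config_lines if line.startswith("route ")}

if __name__ == "__main__":
    # The route from the original post next to the DMZ variant the first reply suggests.
    sample = [
        "route inside 172.16.0.0 255.255.0.0 192.168.1.17 1",
        "route dmz 172.16.0.0 255.255.0.0 192.168.2.17 1",
    ]
    for line, verdict in audit(sample).items():
        print(f"{verdict:8} {line}")
```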