Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
402
Views
5
Helpful
9
Replies

Routing with a Pix

Go to solution
ianselby1
Level 1
Level 1

‎06-14-2007 03:33 AM - edited ‎03-03-2019 05:26 PM

Hi All,

We have a pix firewall on our network which acts as the gateway to the internet. We have however recently deployed an ISDN router on the network which will send specific traffic from an application out over an ISDN line. What I need to be able to do is route any traffic to a specific address 195.130.156.70 to the new router 192.168.0.5 as opposed to it going out via our pix. I would be grateful for any help on how to go about this.

we are using a pix 515

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to ianselby1

‎06-14-2007 10:28 PM

Ian

I think your diagram basically confirms what i was saying. You have a pix acting as your default gateway for all your clients. So when your Jade client sends traffic which is meant to go over the ISDN line it first goes to the inside interface of the pix. You then have a route on the pix to say to get to the remote network go back out of the pix inside interface and to the 2800.

If i have interpreted this correctly and your pix is running version 6.x then this won't work. If you are running v7.x you can do this - it's called hairpinning.

If you can't do hairpinning you have a couple of options

1) Transfer the pix inside interface IP address to the 2800 and then add a default route on the 2800 to point back to the pix inside interface. This would mean you don't have to update the clients default-gateway but without knowing your full setup it may cause other problems.

2) Add a host specific route on each client that needs to talk down the ISDN line. If it's windows you can add in a cmd prompt window

route add "remote IP" mask 255.255.255.255 "2800 ethernet interface"

Hope this makes sense.

Jon

View solution in original post

0 Helpful
9 Replies 9

Go to solution
pciaccio
Level 4
Level 4

‎06-14-2007 03:38 AM

Use a sttic route on your router.

IP ROUTE 195.130.156.70 255.255.255.255

This shoulf forward any traffic destined to your 195 address to the ISDN router and all other traffic to go its normal route (thru PIX)...Good Luck..Please rate...

Go to solution
ianselby1
Level 1
Level 1
In response to pciaccio

‎06-14-2007 03:44 AM

I think i tried this, but will give it another go. can i just confirm that you meant configure a static route on the pix.

Thanks

0 Helpful

Go to solution
pciaccio
Level 4
Level 4
In response to ianselby1

‎06-14-2007 06:31 AM

You can add it onto the PIX but the better place to set it would be the router...

0 Helpful

Go to solution
ianselby1
Level 1
Level 1
In response to pciaccio

‎06-14-2007 07:00 AM

I understand, however the gateway for all of our pc's is the pix itself, we need to re-direct the traffic from the pix to the router. (hope that makes sense)

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎06-14-2007 04:13 AM

Hi

What version is the pix running ? . If it is version 6.x and the traffic you want to go via the ISDN goes to the inside interface of the pix and then the pix has to forward it back out of the same interface it won't work .

You will need pix version 7.x to be able to do that.

If you don't have another router in your network then you could look to deploy host specific routes ( which is messy ) or upgrade your pix to v 7.x if it isn't already there.

Jon

0 Helpful

Go to solution
ianselby1
Level 1
Level 1
In response to Jon Marshall

‎06-14-2007 07:06 AM

Hi Jon,

I am not sure what version we are running but will take a look and see if I can find out. I am not entirely certain I follow what you are saying. To try and clarify what it is we are trying to achieve I have attached a diagram. The big curvy arrows indicates the flow of traffic i believe we need to achieve.

Preview file
31 KB
0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to ianselby1

‎06-14-2007 10:28 PM

Ian

I think your diagram basically confirms what i was saying. You have a pix acting as your default gateway for all your clients. So when your Jade client sends traffic which is meant to go over the ISDN line it first goes to the inside interface of the pix. You then have a route on the pix to say to get to the remote network go back out of the pix inside interface and to the 2800.

If i have interpreted this correctly and your pix is running version 6.x then this won't work. If you are running v7.x you can do this - it's called hairpinning.

If you can't do hairpinning you have a couple of options

1) Transfer the pix inside interface IP address to the 2800 and then add a default route on the 2800 to point back to the pix inside interface. This would mean you don't have to update the clients default-gateway but without knowing your full setup it may cause other problems.

2) Add a host specific route on each client that needs to talk down the ISDN line. If it's windows you can add in a cmd prompt window

route add "remote IP" mask 255.255.255.255 "2800 ethernet interface"

Hope this makes sense.

Jon

0 Helpful

Go to solution
anandramapathy
Level 3
Level 3
In response to Jon Marshall

‎06-14-2007 10:44 PM

If you have an L3 switch on your LAN before the PIX, then you can also put a route map on teh L3 switch to match the source IP of Jade & then set the next hop as ISDN router.

HTH- pls rate all useful posts

Go to solution
ianselby1
Level 1
Level 1
In response to Jon Marshall

‎06-18-2007 04:56 AM

Jon,

you have certainly hit the nail on the head. As we are currently running pix 6.3 and cannot make use of 'hairpinning' that leaves us with the two options you mentioned. For now we will opt for option 2 with a static route on the client machine. As we are only talking about three users this poses no problem for us.

I guess the only thing left for me to do now is investigate how we can upgrade to pix 7.

Thanks to everyone who has provided help and insight into this matter.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card