PIX, as a router on a stick, inside int redirect ??

Jun 19th, 2007

Not sure why the customer wants this, but they want to use the inside int of a PIX as a default gateway for users on one inside network, 192.168.x.x, to redirect to another inside network, 10.x.x.x, i.e. a router on a stick kind of deal.

I don't think the PIX can do this.

However, it does take a static route:

inside 1 OTHER static

...again both networks are on the inside.

Is this even possible?


mprescher Tue, 06/19/2007 - 17:39

I guess I could pick apart this VPN hairpinning technique, but this case would not involve VPNs, address pools or other VPN-related constructs. After further experimentation, the inside interface route back to the inside second network seems to work, though I get the 802.1q suggestion as a possible alternative solution.

Jon Marshall Tue, 06/19/2007 - 13:34


In addition to what's been suggested, depending on the topology of the inside networks and the model of your PIX, you can use 802.1q trunking on the PIX inside interface and create logical interfaces, so you can assign one to the 192.168.x.x network and one to the 10.x.x.x network.


srue Tue, 06/19/2007 - 16:04


I thought of that also. Do you know if hairpinning needs to be enabled in that situation?

Jon Marshall Sat, 06/23/2007 - 07:55

Hi Steven

Interesting question. As far as I know the PIX treats each logical interface as a separate interface to which you can apply access-lists etc., so I'm pretty sure you would not need hairpinning in this case.

Course, I'm going to have to test it sometime now that you've brought it up :-)


JBDanford2002 Sat, 06/23/2007 - 08:00

Using 802.1q trunking you would not need hairpinning. The PIX would treat each VLAN as a separate interface.

