Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
476
Views
3
Helpful
8
Replies

PIX, as a router on a stick, inside int redirect ??

mprescher
Level 1
Level 1

‎06-19-2007 12:26 PM - edited ‎03-11-2019 03:32 AM

Not sure why the customer wants this but they want to use the inside int of a PIX as a default gateway for users on one inside network, 192.168.x.x to redirect to another inside network 10.x.x.x, I.e. router on a stick kind of deal.

I don't think the PIX can do this.

However, it does take a static route:

inside 192.16.20.0 255.255.255.0 10.4.2.31 1 OTHER static

...again both networks are on the inside.

Is this even possible?

m.

Labels:
0 Helpful
8 Replies 8

srue
Level 7
Level 7

‎06-19-2007 12:35 PM

you probably need to use hairpinning for this...available in 7.x PIX OS

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml#ra-sol-2

if you have a spare interface, maybe you could just use that, and route traffic between these networks through the pix.

0 Helpful

mprescher
Level 1
Level 1
In response to srue

‎06-19-2007 05:39 PM

I guess I could pick apart this vpn hairpinning technique but this case would not involve vpn's, address pools or other vpn related constructs. After further experimentation, the inside interface route back to the inside second network seems to work, though I get the 802.1q suggestion as a possible alternative solution.

0 Helpful

acomiskey
Level 10
Level 10

‎06-19-2007 12:35 PM

Yes it is possible only with version 7.

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame

‎06-19-2007 01:34 PM

Hi

In addition to what's been suggested, depending on the topology of the inside networks and the model of your pix you can use 802.1q trunking on the pix inside interface and create logical interfaces, so you can assign one to the 192.168.x.x network and one to the 10.x.x.x network.

Jon

0 Helpful

srue
Level 7
Level 7
In response to Jon Marshall

‎06-19-2007 04:04 PM

Jon,

i thought of that also. Do you know if hairpinning needs enabled in that situation?

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to srue

‎06-23-2007 07:55 AM

Hi Steven

Interesting question. As far as i know i the pix treats each logical interface as a separate interface to which you can apply access-lists etc. so i'm pretty sure you would not need hairpinning in this case.

Course, i'm going to have to test it sometime now that you've brought it up :-)

Jon

0 Helpful

JBDanford2002
Level 1
Level 1

‎06-23-2007 08:00 AM

Using 801.q trunking you would not need hairpinning. The PIX would treat each VLAN as a sep interface.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card