Routing via PIX/VPN

Unanswered Question
Jun 28th, 2007

I have an established VPN site to site between a PIX 501 at the remote end, and a 515e at the main site. Subnets are 192.168.50.x at the remote site, ( mask at main site end) which is working properly.

I can, with persistent routes on systems at each end, see the needed addresses on the 44/45 subnet from 50, and the 50 subnet from 44/45, and traffic moves appropriately.

At the main end I now have added a 192.168.53.x subnet, with a router at to handle it, and from the pix at I can see addresses on this subnet.

What I am trying to do is to get a route established from the pix at so that addresses on the 192.168.50.x subnet can see the 53.x subnet addresses (so I can place some VoIP phones at the remote site to connect to the PBX here, which is using the 53.x subnet).

I can ping addresses from the pix at the main site (45.1) on the 53.x subnet, and I can ping the 44.24 address of the router to the 53.x subnet from addresses on 50.x subnet.

I know I am missing a route from the 50.x subnet to find the next hop, but I cannot seem to determine where it goes from here. I would assume the 50.1 pix should have a route to 53.x with a gateway address of 50.1, and that would pass to the 45.1 pix, which has a route to the 44.24 as a gateway to 53.x, but I can't seem to make that work.

So, what am I missing, or am I missing the boat entirely on the process? I am good enough with tcp routing to understand the answer, but not quite good enough to spot it apparently.

Mike Martell

Paolo Bevilacqua Thu, 06/28/2007 - 15:27

Hi Mike,

first of all, routes are not enough. On the pix, you must change the access list for VPN (NAT 0) so that the .53 subnet is allowed to exchange encrypted traffic with the .50 subnet.

Then, PIXes don't really pass routes to each other. They can do very simple RIP or OSPF, but perhaps it's not worth it for you to do that yet. Basically, the route to .53 on pix 50.1 is just like the one to .44. Vice versa on the other pix.

Then, the router will need a route to .50 via 45.1.

That should be it.

Hope this helps, please rate post if it does!
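The pieces Paolo lists, written out as an added illustration that is not from the original thread (PIX 6.x syntax, only the lines added for 53.x are shown; the existing 44/45 entries stay as they are). The ACL and crypto map names, the ISP next-hop placeholders, and the assumption that 44.24 sits on the 515's inside network are mine; the subnet and host addresses are the ones given in the question.

```cisco
! --- PIX 501 at the remote site (inside 192.168.50.1) ---
! Crypto ACL ("vpn", assumed name): traffic that must go through the tunnel.
! The existing 50.x <-> 44/45 line stays; this adds 53.x.
access-list vpn permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
! NAT 0 ACL ("nonat", assumed name): keep tunnel traffic untranslated.
! Keep it a mirror of the crypto ACL, so only these subnets ever cross the tunnel.
access-list nonat permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map MAP 10 match address vpn
! 53.x leaves the same way 44.x already does: out the outside interface.
route outside 0.0.0.0 0.0.0.0 <ISP-NEXT-HOP-REMOTE> 1

! --- PIX 515E at the main site (inside 192.168.45.1) ---
! Same two ACLs, with the source/destination pairs reversed.
access-list vpn permit ip 192.168.53.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list nonat permit ip 192.168.53.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map MAP 10 match address vpn
! Cleartext side: 53.x is behind the router at 44.24, reachable on the inside network.
route inside 192.168.53.0 255.255.255.0 192.168.44.24 1
route outside 0.0.0.0 0.0.0.0 <ISP-NEXT-HOP-MAIN> 1

! --- Router at 192.168.44.24 (IOS) ---
! Return path: without this, replies from 53.x hosts follow the router's
! default route instead of going back to the PIX at 45.1.
ip route 192.168.50.0 255.255.255.0 192.168.45.1
```

`show crypto ipsec sa` on either PIX should then show a security association for the 50.x/53.x pair once traffic is sent; if it never appears, the crypto ACL is the first thing to recheck.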

dingleypress Fri, 06/29/2007 - 07:19

I think that has me closer to it, but I am not quite there yet.

The 192.168.53.x network has been added to the acl at both ends to allow it to pass traffic from the 501 pix at the 50.x network end to the 515 pix at the 44.x end. A route is added on the 501 pix to take 53.x and route it to 45.1, and on 45.1 to route to 44.24 for the 53.x subnet.

At the 515 pix, 45.1, I can ping (inside) the 50.1, 50.3 (a host beyond the pix for testing), 44.24 (router to the 53 net), and 53.1 (host on 53 subnet) with no problems.

At the 501 pix, 50.1, I can ping 50.3, 45.1 (515 pix), 44.24, but not the 53.1.

I'm still missing something, but I just haven't found it.

haoshoken Thu, 07/05/2007 - 08:18

Maybe you could try doing a traceroute to help you in your troubleshooting? Very often this simple command has gotten me out of many difficult situations. :)

Or maybe the route metrics are making your packets hop about instead of reaching the destination?

Hope it helps.
