Allowing Traffic Through PIX 515

Unanswered Question
Jul 30th, 2007

Hi All,

I have a frame that is attached to my 2621 router. The 2621 feeds into a switch and the switch is connected to my Pix 515. Finally the PIX is connected to my LAN switches.

We have been VPNing into our office to use their ERP system that is hosted in the Taiwan office. We're in the process of setting up a point to point. The Taiwan office has sent me a Netscreen firewall that is set up with the following addresses (untrusted: 68.x.x.105) and (trusted: 192.168.10.247).

My PIX's address is 192.168.10.1, which I've been using for my gateway on all my clients. I have hooked the Netscreen's untrusted side to the switch that is connected to the router, and the trusted side to my LAN switch.

I added the statement "route inside 10.0.0.0 255.0.0.0 192.168.10.247 1" to the PIX's configuration.

I need to pass 10.0.0.0 255.0.0.0 traffic through the Pix. The specific address is 10.27.1.2. I can ping the Netscreen (192.168.10.247) from the PIX internally, but not from any of the clients on the network.

I am using the Netscreen temporarily so my clients do not have to connect to the Taiwan VPN before using the ERP application. I have temporarily fixed the situation by setting static IPs on the clients and using 192.168.10.247 as their gateway.

What statements do I need to add so 10.0.0.0 network routes locally?

Thank you very much for your assistance.

Chuck

srue Mon, 07/30/2007 - 10:33

Just so I understand what you're saying:

You have the PIX and Netscreen installed in parallel? Each one has an external interface, and each one has an internal interface, right?

And on the PIX (which is normally the default gateway on your local PCs) you have the "route inside 10.0.0.0 255.0.0.0 192.168.10.247" statement?

In this setup, you can ping the 10.27.1.2 address ONLY from the PIX, not from clients (when clients are configured with the PIX as their default gateway)?

By default the PIX cannot reroute traffic out the same interface at which it arrives. In fact, until 7.0, this wasn't even an option. If you are running any 7.x code on your PIX, you can use the following command: same-security-traffic permit intra-interface

and that *might* fix your problem.

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167

You probably need 7.2(1) or later according to this note:

7.2(1)

The intra-interface keyword now allows all traffic to enter and exit the same interface, and not just IPSec traffic.
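Pulled together from the thread, as an added example that is not part of either post: the PIX-side configuration the answer above describes, for a PIX 515 running 7.2(1) or later, using the addresses given in the question (inside interface 192.168.10.1, Netscreen trusted side 192.168.10.247). The two show commands are standard PIX/ASA 7.x verification commands; nothing else is assumed.

```text
! PIX 515, 7.2(1) or later. "inside" is 192.168.10.1, the clients' default
! gateway; the Netscreen's trusted interface is on the same LAN at
! 192.168.10.247.

! Send the Taiwan network back out the inside interface via the Netscreen.
route inside 10.0.0.0 255.0.0.0 192.168.10.247 1

! Allow a packet that arrived on "inside" to be routed back out "inside".
! Without this the PIX drops the client -> PIX -> Netscreen hairpin, which
! is why the route alone worked from the PIX itself but not from clients.
same-security-traffic permit intra-interface

! Verify that the route is installed and that the setting took effect.
show route
show running-config same-security-traffic
```

One caveat before relying on this: hairpinning fixes the forwarding path, but the return path stays asymmetric. Replies from 10.27.1.2 come back through the Netscreen and are delivered to the client directly on the LAN, so the PIX never sees them. Ping will work, but the PIX tracks TCP state per connection, so a TCP session whose SYN-ACK the PIX never observed should be expected to be dropped, and the ERP application's connections will likely still fail even with intra-interface traffic permitted. The clean fix belongs on the hosts (or their DHCP scope, via the classless static route option): a static route for 10.0.0.0/8 via 192.168.10.247, which keeps the PIX as the default gateway and is a narrower version of the static-IP workaround in the question.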

cmencke Thu, 08/02/2007 - 05:02

Thank you for the reply. What you described is exactly what I was trying to accomplish. I'll re-think my strategy and try something else.
