Allowing Traffic Through PIX 515

Unanswered Question
Jul 30th, 2007

Hi All,

I have a frame that is attached to my 2621 router. The 2621 feeds into a switch and the switch is connected to my Pix 515. Finally the PIX is connected to my LAN switches.

We have been VPNing into our office to use their ERP system that is hosted in the Taiwan office. We're in the process of setting up a point-to-point. The Taiwan office has sent me a Netscreen firewall that is set up with the following addresses (untrusted: 68.x.x.105) and (trusted

My Pix's address is which I've been using for my gateway on all my clients. I have hooked the Netscreen's untrusted side to the switch that is connected to the router, and the trusted side to my LAN switch.

I added the statement "route inside 1" to the Pix's configuration.

I need to pass traffic through the Pix. The specific address is I can ping the Netscreen ( from the PIX internally, but not from any of the clients on the network.

I am using the Netscreen temporarily so my clients do not have to connect to the Taiwan VPN before using the ERP application. I have temporarily fixed the situation by setting static IPs on the clients and using as their gateway.

What statements do I need to add so network routes locally?

Thank you very much for your assistance.


srue Mon, 07/30/2007 - 10:33

Just so I understand what you're saying:

You have the PIX and Netscreen installed in parallel? Each one has an external interface, and each one has an internal interface, right?

And on the PIX (which is normally the default gateway on your local PCs) you have the "route inside " statement?

In this setup, you can ping the address ONLY from the PIX, not from clients (when clients are configured with the PIX as their default gateway)?

By default the PIX cannot reroute traffic out the same interface at which it arrives. In fact, until 7.0, this wasn't even an option. If you are running any 7.x code on your PIX, you can use the following command:

same-security-traffic permit intra-interface

and that *might* fix your problem.

You probably need 7.2(1) or later, according to this note:

The intra-interface keyword now allows all traffic to enter and exit the same interface, and not just IPSec traffic.
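For readers following the thread, here is what the hairpin configuration srue describes would look like on a PIX running 7.2(1) or later. This is an added example, not configuration from the thread or from the poster's PIX: the interface name (inside), the addresses (RFC 5737 documentation ranges) and the remote ERP network are placeholders standing in for the values the thread does not show.

```cisco
! Added example, not from the original thread. Assumed placeholder values:
!   PIX inside interface   192.0.2.1/24    (clients' default gateway)
!   Netscreen trusted side 192.0.2.2       (same LAN segment as the clients)
!   Taiwan ERP network     198.51.100.0/24 (reached through the Netscreen)
!
! Allow traffic to enter and leave the same interface. On 7.0/7.1 this keyword
! only covered IPsec-terminated traffic; 7.2(1) extended it to all traffic.
same-security-traffic permit intra-interface
!
! Send the remote ERP network back out the inside interface via the Netscreen.
! (The poster's "route inside 1" line is this statement with the network, mask
! and next hop filled in.)
route inside 198.51.100.0 255.255.255.0 192.0.2.2 1
!
! If an access-group is applied to the inside interface, it must also permit
! the clients to reach 198.51.100.0/24. If nat-control is enabled (it is off by
! default on 7.x), inside-to-inside traffic additionally needs an identity NAT.
!
! Verification from enable mode (packet-tracer is available from 7.2(1)):
! show running-config same-security-traffic
! show route inside
! packet-tracer input inside icmp 192.0.2.50 8 0 198.51.100.10
```

One caveat a practitioner should weigh before relying on this: because the Netscreen's trusted side sits on the same segment as the clients, its replies go straight back to the client and never pass the PIX. The PIX then sees only the outbound half of each TCP session, and its default TCP sequence-number randomization and state tracking will break those connections even though ping appears to work. The static route on the clients that the poster used (or the same route handed out by DHCP) avoids the hairpin and the asymmetry altogether.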

cmencke Thu, 08/02/2007 - 05:02

Thank you for the reply. What you described is exactly what I was trying to accomplish. I'll re-think my strategy and try something else.
