PIX routing

Unanswered Question
Sep 25th, 2007

Hello,

I'm using a PIX 515. One of the segments connected to this PIX is the network 10.12.187.0/24. On this network there is a Cisco 1841 router, which connects the networks 10.12.188.0/26 and 10.12.187.0/24.

The problem is that host 10.12.187.x, whose default gateway is the PIX, cannot ping any host on 10.12.188.0/26. This works only if I set up a route on host 10.12.187.1 saying that network 10.12.188.0 is behind the router.

But when this host has the PIX as its default gateway, it doesn't work.

On the PIX there is a route: 10.12.188.0 255.255.255.192 (router IP address)

and the router has this PIX as its default gateway.

Could you please advise me?

Many thanks,

Vladislav

grahambartlett Wed, 09/26/2007 - 05:36

I can only imagine that you have an ACL on the PIX that will block this - I guess that traffic will be processed by the ACL in and out, and that if you are not allowing 10.12.187.x to 10.12.188.0/26 then the PIX will block this.

acomiskey Wed, 09/26/2007 - 05:45

Sounds like you are trying to hairpin traffic on the inside interface of the PIX. You cannot do this in PIX 6. What version are you running? Couldn't you just make the clients' default gateway the router address?

valsidalv Wed, 09/26/2007 - 05:59

Yes, it looks like a hairpin, but I tried to set it up, and nothing. I'm using version 7.0(4).

For testing reasons I made a permit ip any any ACL on both sides (router and PIX).

Router 10.12.187.5 has default gw 10.12.187.6, and clients on 10.12.188.0 have the inside IP address of this router as default gw.

Client 10.12.187.1 has default gw 10.12.187.6.

    10.12.188.1(client)----x-----------x----10.12.187.1(client)
                        router        pix
                          |            |
                     10.12.187.5   10.12.187.6

acomiskey Wed, 09/26/2007 - 06:02

"Hairpinning is the process by which traffic is sent back out the same interface on which it arrived. This feature was introduced in security appliance software version 7.0. For versions earlier than 7.2(1), it is required that at least one arm of the hairpinned traffic (inbound or outbound) be encrypted. From 7.2(1) and later, this requirement is no longer in place. Both the traffic inbound and the traffic outbound might be unencrypted when you use 7.2(1)."
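
As an added configuration example (not from the thread or from Cisco documentation), this is what the hairpin described in the quote above needs on the PIX side, using the addresses from the thread; the interface name "inside" and the ACL name INSIDE_IN are assumptions.

```cisco
! Added example, not the poster's running config.
!
! 1. Allow traffic to enter and leave the same interface (the hairpin).
!    Per the quote above, on 7.0(x) at least one leg must be encrypted;
!    an unencrypted LAN-to-LAN hairpin like this one needs 7.2(1) or later.
same-security-traffic permit intra-interface
!
! 2. Send the 1841's subnet back out the inside interface (the thread already has this route).
route inside 10.12.188.0 255.255.255.192 10.12.187.5 1
!
! 3. Replace the "permit ip any any" used for testing with a rule scoped to the two
!    subnets; add it to the ACL already bound inbound on "inside" rather than
!    binding a new one, or the implicit deny will drop all other inside traffic.
access-list INSIDE_IN extended permit ip 10.12.187.0 255.255.255.0 10.12.188.0 255.255.255.192
access-group INSIDE_IN in interface inside
```

Even with this in place the return path is asymmetric: the 1841 sits on the same segment as 10.12.187.1, so replies from 10.12.188.0/26 go straight to the client and the PIX sees only one direction of each flow, which is why pointing the clients at the router directly, as suggested earlier in the thread, is the cleaner fix.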

