PIX routing

valsidalv
Level 1

Hello,

I'm using a PIX 515. One of the segments connected to this PIX is network 10.12.187.0/24. On this network is a Cisco 1841 router, which connects networks 10.12.188.0/26 and 10.12.187.0/24.

The problem is that host 10.12.187.x, which has the PIX as its default gateway, cannot ping any host on 10.12.188.0/26. This works only if I set up a route on host 10.12.187.1 saying that network 10.12.188.0 is behind the router.

But when this host has the PIX as its default gateway, it doesn't work.

On the PIX there is a route 10.12.188.0 255.255.255.192 (router IP address), and the router has this PIX as its default gw.

Could you please advise me?

Many thanks,

Vladislav

6 Replies

grahambartlett
Level 1

I can only imagine that you have an ACL on the PIX that will block this. I guess that traffic will be processed by the ACL in and out, and that if you are not allowing 10.12.187.x to 10.12.188.0/26 then the PIX will block this.

Sounds like you are trying to hairpin traffic on the inside interface of the PIX. You cannot do this in PIX 6. What version are you running? Couldn't you just make the clients' default gateway the router address?

Yes, it looks like a hairpin. I tried to set it up, but nothing. I'm using version 7.0(4).

For testing purposes I made a permit ip any any ACL on both sides (router and PIX).

Router 10.12.187.5 has default gw 10.12.187.6 and clients on 10.12.188.0 have the inside IP address of this router as their default gw.

Client 10.12.187.1 has default gw 10.12.187.6.

10.12.188.1(client)--x--------x----10.12.187.1(client)
               router|    pix |
                     |        |
           10.12.187.5        10.12.187.6

"Hairpinning is the process by which traffic is sent back out the same interface on which it arrived. This feature was introduced in security appliance software version 7.0. For versions earlier than 7.2(1), it is required that at least one arm of the hairpinned traffic (inbound or outbound) be encrypted. From 7.2(1) and later, this requirement is no longer in place. Both the traffic inbound and the traffic outbound might be unencrypted when you use 7.2(1)."

Ok. Thank you.
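
The version rule from the quoted Cisco text, applied to the addresses in this thread, as an added example that is not part of the original posts and not Cisco's code. The interface name `inside`, the helper names and the verdict strings are assumptions; the verdict covers only the version rule, not ACLs or other configuration.

```python
import ipaddress
import re

# Addresses are from the thread; the interface name "inside" is an assumption.
PIX_INTERFACES = {"inside": ipaddress.ip_network("10.12.187.0/24")}
PIX_ROUTES = [(ipaddress.ip_network("10.12.188.0/26"),
               ipaddress.ip_address("10.12.187.5"))]

def connected_interface(addr):
    """Interface whose directly connected subnet contains addr, else None."""
    for name, net in PIX_INTERFACES.items():
        if addr in net:
            return name
    return None

def egress_interface(dst):
    """Longest-prefix match over connected subnets and static routes."""
    dst = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, name)
               for name, net in PIX_INTERFACES.items() if dst in net]
    matches += [(net.prefixlen, connected_interface(hop))
                for net, hop in PIX_ROUTES if dst in net]
    return max(matches, key=lambda m: m[0])[1] if matches else None

def parse_version(text):
    """Turn a version string such as '7.0(4)' into (7, 0, 4)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)\)", text.strip())
    if m is None:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g) for g in m.groups())

def hairpin_verdict(src, dst, version, encrypted_arm=False):
    """Classify a packet arriving at the PIX from src and bound for dst."""
    ingress = connected_interface(ipaddress.ip_address(src))
    egress = egress_interface(dst)
    if ingress is None or egress is None:
        return "no-route"
    if ingress != egress:
        return "not-hairpin"
    ver = parse_version(version)
    if ver[:2] < (7, 0):
        return "unsupported"            # hairpinning was introduced in 7.0
    if ver < (7, 2, 1) and not encrypted_arm:
        return "needs-encrypted-arm"    # pre-7.2(1): one arm must be encrypted
    return "version-permits"            # ACLs and configuration still apply

if __name__ == "__main__":
    for ver in ("6.3(5)", "7.0(4)", "7.2(1)"):  # 6.3(5), 7.2(1): sample inputs
        print(ver, hairpin_verdict("10.12.187.1", "10.12.188.1", ver))
```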

