Pix routing to internal networks

Unanswered Question
May 29th, 2009


I have a PIX 515E on version 6.3(4) with internal network . This is connected to a switch, and the workstations on the switch have GW

I also have another internal network 172.24.10.x which is connected via the main switch to a Cisco 3750. This is as below

Pix ( - switch ( - internet

| |

| |

| -----------------------------|

| |

PC ( Layer 3 switch(

A VLAN is created on 3750 with and workstation has with GW

I added static routes on my pix and 3750

PIX - route inside

3750 - ip route 255.255.255.0

I can ping , , from the pix unit but not from the workstation

Can someone suggest on this?

Is this something to do with same-security-inter interface command?

Thank you

John Blakley Fri, 05/29/2009 - 13:23

You can ping from the pix: (vlan svi) (other vlan svi) (workstation?)

Is the device a workstation on the pix side?

A couple of things to check:

If the is a host, can you ping any of the first 3 addresses from that workstation, or do they all stop at the firewall?



sarat1317 Sat, 05/30/2009 - 05:51 (workstation?)

>> Yes this is a workstation on vlan1 ( of 3750 switch

Is the device a workstation on the pix side?

>> Correct

A couple of things to check:

If the is a host, can you ping any of the first 3 addresses from that workstation, or do they all stop at the firewall?

>> I can only ping the VLAN IP but not the other IPs. A trace from this workstation fails at the very first hop. Same thing when I trace from the 3750 with source interface

I actually replaced a netgear router with the pix unit and that is when this problem started. I had the same inside routes on the netgear unit and worked fine.

Thank you

sarat1317 Tue, 06/02/2009 - 08:16

Please ignore my previous messages. Here is the updated design attached and I should be able to communicate between 192.168.20.x and 172.24.10.x networks.

Thanks in advance

sarat1317 Tue, 06/02/2009 - 12:32

PIX# sh route

outside 1 OTHER static

outside x.x.x.x 1 CONNECT static

inside 1 OTHER static

inside 1 CONNECT static

3750-S1#sh ip route

Routing entry for

Known via "connected", distance 0, metric 0 (connected, via interface)

Redistributing via eigrp 1024

Routing Descriptor Blocks:

* directly connected, via Vlan10

Route metric is 0, traffic share count is 1

3750-S1#sh ip route | i

C is directly connected, Vlan10

John Blakley Tue, 06/02/2009 - 12:41

What happens if you try to ping the pix from the 3750 while sourcing from your address? Does it fail? If you can ping from the pix to the host on the address, you *should* be able to ping the pix from the same host.

If you trace the packet from the host, where does it fail? Does it get past the 3750?


Jon Marshall Tue, 06/02/2009 - 13:02


Your topology won't work.

With pix v6.x you cannot route traffic back out of the interface that the traffic entered on eg.

your client has a default-gateway of ie. the pix. So when it tries to ping any destination on 172.24.10.x the traffic is sent to the pix. But the pix cannot then send the traffic back out the same interface it was received on. And that's what the pix needs to do.

Solutions with the pix -

1) If you have a spare interface on the pix use that so the traffic doesn't have to be routed back out the same interface

2) Upgrade your pix to v7.x or v8.x. With these versions of code there is a feature called hair-pinning which allows you to route traffic back out of the same interface it was received on.

Note v7.x/8.x code upgrade may well require you to upgrade the memory on your pix.

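As an added example (not from the thread and not the poster's configuration), this is what solution 2 looks like on PIX 7.x/8.x for the topology in the question: the hair-pinning feature Jon mentions is the same-security-traffic command. The 3750's address on the inside segment is a placeholder, and the inside network is assumed to be 192.168.20.0/24 as in sarat1317's later post.

```cisco
! PIX/ASA 7.x or 8.x -- added example, not the poster's running config.
! On 6.3(4) there is no equivalent: a packet whose egress interface is
! the one it arrived on is dropped, which is why the workstation (default
! gateway = PIX inside) cannot reach 172.24.10.x through the PIX.
!
! 1. Allow traffic to be routed back out the interface it came in on.
same-security-traffic permit intra-interface
!
! 2. Static route for the VLAN behind the 3750; next hop is the 3750's
!    address on the inside segment (placeholder, fill in the real one).
route inside 172.24.10.0 255.255.255.0 <3750-INSIDE-IP> 1
!
! 3. Verify: the keyword must be present, the route must show as
!    "inside", and a hair-pinned ping should build a connection whose
!    ingress and egress interface are both "inside".
show running-config | include same-security
show route
show conn | include 172.24.10
```

With this in place the PIX stays in the path and every packet between the two networks enters and leaves through the inside interface, so it is still subject to the access-list applied inbound on that interface; the host-route workaround in sarat1317's later post avoids the PIX for that traffic entirely.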

Jon Marshall Tue, 06/02/2009 - 13:11

"I learn something every day Jon"

Yep, so do I, keeps things interesting :-)

Thanks for the rating.


sarat1317 Thu, 06/04/2009 - 05:07

Thanks Jon. I had the same thought and indicated same security command in my first post and you confirmed that with a good explanation.

For some reason I could not upgrade to 7.x. Please find my post on this below.


However though not a good solution I could get this working for by adding a static route on pointing to the VLAN IP.

route -p ADD MASK

But I still want to get this right upgrading to 7.x.

Please advise

