
Allowing Traffic Through PIX 515

Hi All,

I have a frame that is attached to my 2621 router. The 2621 feeds into a switch and the switch is connected to my Pix 515. Finally the PIX is connected to my LAN switches.

We have been VPNing into our office to use their ERP system that is hosted in the Taiwan office. We're in the process of setting up a point to point. The Taiwan office has sent me a Netscreen firewall that is set up with the following addresses (untrusted - 68.x.x.105) and (trusted

My Pix's address is which I've been using for my gateway on all my clients. I have hooked the Netscreen's untrusted side to the switch that is connected to the router, and the trusted side to my LAN switch.

I added the statement "route inside 1" to the Pix's configuration.

I need to pass traffic through the Pix. The specific address is I can ping the Netscreen ( from the PIX internally, but not from any of the clients on the network.

I am using the Netscreen temporarily so my clients do not have to connect to the Taiwan VPN before using the ERP application. I have temporarily fixed the situation by setting static IPs on the clients and using as their gateway.

What statements do I need to add so network routes locally?

Thank you so much for your assistance.



Re: Allowing Traffic Through PIX 515

Just so I understand what you're saying:

You have the PIX and Netscreen installed in parallel? Each one has an external interface, and each one has an internal interface, right?

And on the PIX (which is normally the default gateway on your local PCs) you have the "route inside " statement?

In this setup, you can ping the address ONLY from the PIX, not from clients (when clients are configured with the PIX as their default gateway)?

By default the PIX cannot reroute traffic out the same interface at which it arrives. In fact, until 7.0, this wasn't even an option. If you are running any 7.x code on your PIX, you can use the following command: same-security-traffic permit intra-interface

and that *might* fix your problem.

You probably need 7.2(1) or later according to this note:


The intra-interface keyword now allows all traffic to enter and exit the same interface, and not just IPSec traffic.


Re: Allowing Traffic Through PIX 515

Thank you for the reply. What you described is exactly what I was trying to accomplish. I'll re-think my strategy and try something else.
