Cisco Support Community
New Member

Can the Pix Inside Interface route the traffic at the same segment?

Hi All,

I have a scenario here.

I am trying to connect a network range to a particular server, but the gateway is pointing to the PIX firewall interface.

Will the traffic work, since the firewall interface is on the same segment as the server?

I have attached the network diagram.

Thanks..

2 ACCEPTED SOLUTIONS

Accepted Solutions

Re: Can the Pix Inside Interface route the traffic at the same s

Hi cindee

I don't think the PIX will route the traffic on the same interface as it received the traffic. This was done to enhance security in the PIX. Which version of code are you running? I'm sure that with 6.x code this is not possible. Anyway, you can try out some options to overcome your issue:

1) If possible, put a static route for the 172.16.1.0/24 network on the server, to go directly to the router instead of coming to the PIX. Is this the only network you are going to reach through the router A - router B link?

2) Or change the default gateway of the servers to the router Ethernet interface. On the router, you can either configure static routes or route-maps (source-based routing) for some subnets to reach the PIX. This will be a really good option.

3) Put router A on the DMZ port of the PIX, instead of connecting it on inside. By this, routing of packets will not be hindered, but you gotta make sure of the configurations to be made in the PIX, which increases administrative overhead!

Hope this helps. All the best. Rate replies if found useful.

Raj

New Member

Re: Can the Pix Inside Interface route the traffic at the same s

Hi, yes, this can be done with the 7.2 code on the PIX or ASA. You need to give a command on the PIX, same-security-traffic permit intra-interface, which will allow packets entering and leaving the same interface.

This was basically made for hub-and-spoke VPN, but in 7.2 code it will also allow clear-text traffic.

hope this helps

regards

sebastan

6 REPLIES

New Member

Re: Can the Pix Inside Interface route the traffic at the same s

Thanks Raj! ;)

But my problem here is that Router A's routing is all pointing to the PIX inside interface, 10.10.6.1. Can I put a static route in Router A to point directly to the SAP Server IP, 10.10.6.5?

Will the network 172.16.1.0/24 go directly to 10.10.6.5 if the route is at Router A?

Thanks again!

New Member

Re: Can the Pix Inside Interface route the traffic at the same s

Thanks Sebastan,

The ver is 6.3.3.

Are there any other ways to allow this traffic, as I could not move the network to another interface? It should come from the inside interface as well.

Can anything be done on the router end?

Thanks again.

Re: Can the Pix Inside Interface route the traffic at the same s

Hello cindy,

Sebastan is right. You can have a look at the following URL for 7.x ASAs, which allow intra-interface traffic:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

If you don't want to upgrade the PIX to 7.x, I think the only possible solutions are the ones discussed above in my post. You can also think of investing in an L3 switch, if it makes sense on your network!

Let us know if you need any more help on this.

Raj

New Member

Re: Can the Pix Inside Interface route the traffic at the same s

Thanks guys.

Have solved the problem. The SAP Server def. gateway is actually pointing to the router interface instead. Bravo! Case closed. :)

Thanks again. Will rate helpful posts.
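
The paths discussed in this thread, as an added example that is not part of any post and is not Cisco code: a small Python model of where a packet from the SAP server to 172.16.1.0/24 goes under each proposal. Router A's address (10.10.6.254), the firewall routing table and the destination host are assumptions made for the illustration.

```python
import ipaddress

# Addresses from the thread. ROUTER_A is an assumed placeholder: the thread
# never gives Router A's address on the 10.10.6.0/24 segment.
PIX_INSIDE = "10.10.6.1"
ROUTER_A = "10.10.6.254"
REMOTE_NET = "172.16.1.0/24"

# Firewall routing table as (prefix, egress interface); constructed sample.
FW_ROUTES = [(REMOTE_NET, "inside"), ("10.10.6.0/24", "inside"),
             ("0.0.0.0/0", "outside")]

def lookup(routes, dst):
    """Longest-prefix match over (prefix, target) pairs; None if no route."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), t) for p, t in routes
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def firewall_forwards(ingress, dst, permit_intra_interface):
    """Hairpin rule only: egress == ingress needs the intra-interface permit.
    ACL and NAT checks that a real PIX/ASA also applies are not modelled."""
    egress = lookup(FW_ROUTES, dst)
    if egress is None:
        return False
    return permit_intra_interface if egress == ingress else True

def trace(server_routes, dst, permit_intra_interface=False):
    """Path of a packet from the server (10.10.6.5) towards dst."""
    hop = lookup(server_routes, dst)
    if hop is None:
        return "no route on server"
    if hop != PIX_INSIDE:
        return f"direct via {hop}, firewall not in path"
    if firewall_forwards("inside", dst, permit_intra_interface):
        return "hairpinned on firewall inside interface"
    return "dropped at firewall (would leave the interface it arrived on)"

GW_IS_PIX = [("0.0.0.0/0", PIX_INSIDE)]
STATIC_ON_SERVER = GW_IS_PIX + [(REMOTE_NET, ROUTER_A)]   # Raj's option 1
GW_IS_ROUTER = [("0.0.0.0/0", ROUTER_A)]                  # option 2, the fix used

if __name__ == "__main__":
    dst = "172.16.1.10"  # constructed host in the remote network
    print("6.x, gw=PIX:        ", trace(GW_IS_PIX, dst))
    print("7.2 + intra-iface:  ", trace(GW_IS_PIX, dst, True))
    print("static route:       ", trace(STATIC_ON_SERVER, dst))
    print("gw=router:          ", trace(GW_IS_ROUTER, dst))
```

In the two "direct" cases the firewall never sees the server's traffic to 172.16.1.0/24, so any filtering wanted for that network has to be applied on the router.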
