Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
439
Views
0
Helpful
4
Replies

Intra-interface traffic

s_colombo
Level 1
Level 1

‎10-20-2009 11:34 PM - edited ‎03-11-2019 09:28 AM

Hi ,

I have a customer which has a PIX 6.x .

We added an internal network behind another router .

Clients have the pix as DG , and we wish not to chage it .

We've added routing info on the pix and set the PIX as DG of the additional router .

We know that by default pix does not route on the same interface and that on PIX7.x the command

same-security-traffic permit intra-interface

can be used to solve the issue .

I'd like to know if it would work on Pix 6.x as well or if we have to update it.

thanks

Stefano

Labels:
0 Helpful
4 Replies 4

andrew.prince
Level 10
Level 10

‎10-21-2009 01:06 AM

Stefano,

The PIX will not act as a router, it will not accept traffic from and interface and route is back out of the same interface.

HTH>

0 Helpful

s_colombo
Level 1
Level 1
In response to andrew.prince

‎10-21-2009 01:41 AM

Hi Andrew

I found this doc which seems related to my environment

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

0 Helpful

andrew.prince
Level 10
Level 10
In response to s_colombo

‎10-21-2009 03:39 AM

Yes - my error, I did not read in your original post the other ip subnet was behind another router - my mistake.

Re-reading your post again, no the option for inter-interface communication is not available on code 6.3(x) you need to upgrade to either 7.x or 8.x for that functionality.

Sorry for the confusion.

0 Helpful

Herbert Baerten
Cisco Employee
Cisco Employee

‎10-21-2009 06:01 AM

As the other poster mentioned, this is not possible on Pix 6. Even in Pix 7/8 with "same-security-traffic permit intra-interface" you still need to make sure that the return traffic is also routed through the Pix, so you'll need to do some fancy NAT.

You mentioned that "Clients have the pix as DG , and we wish not to chage it". Do you mean that you want the traffic to be firewalled (in that case, consider adding an interface to the Pix) or that you do not want to re-configure all the clients? In the latter case, you could simply swap the ip addresses of the router and the Pix?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card