Cisco Support Community
PIX 501 internal route statement

Not that familiar with PIX. I added a route statement to send traffic for remote locations to the VPN box on the same subnet as the PIX:

route inside 172.16.0.0 255.255.0.0 192.168.1.17 1

I can ping 172.16.x.x addresses from the PIX box, but not from hosts with the PIX as the default gateway. Did I miss something else?

3 REPLIES
Re: PIX 501 internal route statement

By default PIX firewalls will not allow a packet to ingress/egress on the same interface.

7.0+ code trains will allow you to override this, but I don't think a 501 will support it.

If you have a spare interface on your 501 I would place the VPN box in a DMZ by itself so that the traffic is routed between firewall interfaces to get around this.

Re: PIX 501 internal route statement

Thanks, that answers my question. As usual, the real solution is more involved than I had hoped.

Re: PIX 501 internal route statement

Daniel,

PIX doesn't route packets out the same interface on which the packets arrived. You may have to add static route(s) to the remote locations on the hosts, pointing to the VPN device. Another option is to change the gateway of the hosts to point to a router, if one is available on the same segment, which can then forward packets to the VPN device or the firewall depending on the destination.

HTH

Sundar
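The two replies above describe the same forwarding rule from different angles: the PIX will not send a packet back out the interface it arrived on, so a `route inside` pointing at a next hop on the inside segment only works for traffic the PIX itself originates. The following model, added here as an illustration and not Cisco code or anything posted in the thread, walks the question's route statement through that rule and shows why the ping works from the PIX but not from a host behind it, and why both suggested fixes (a dedicated DMZ leg for the VPN box, or keeping the PIX out of the path by routing on the host) avoid it. Only `192.168.1.17` and `172.16.0.0 255.255.0.0` come from the thread; the interface addresses, the outside subnet, the DMZ numbering and the `intra_interface_permitted` switch (standing in for the 7.0+ `same-security-traffic permit intra-interface` override the first reply mentions) are constructed.

```python
"""Model of the PIX same-interface (hairpin) forwarding rule from the thread.

Added illustration only; not Cisco code.  All addresses except the thread's
192.168.1.17 next hop and 172.16.0.0/16 prefix are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Interface:
    name: str
    address: IPv4      # the PIX's own address on this leg (constructed)
    network: Net       # the connected subnet


@dataclass(frozen=True)
class Route:
    iface: str         # interface named in "route <iface> <net> <mask> <gw>"
    prefix: Net
    next_hop: IPv4


def ingress_interface(src: IPv4, interfaces: List[Interface]) -> Optional[str]:
    """Interface a packet from src arrives on; None when the PIX is the source."""
    if any(src == i.address for i in interfaces):
        return None                       # locally originated (e.g. ping from the PIX)
    for i in interfaces:
        if src in i.network:
            return i.name
    return None


def best_route(dst: IPv4, routes: List[Route]) -> Optional[Route]:
    """Longest-prefix match over the configured static routes."""
    matches = [r for r in routes if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def check_forwarding(src: str, dst: str, interfaces: List[Interface],
                     routes: List[Route], intra_interface_permitted: bool = False) -> dict:
    """Decide whether the PIX forwards src -> dst and on which interfaces.

    intra_interface_permitted models the 7.0+ override; a 501 (6.x) cannot set it.
    """
    s, d = IPv4(src), IPv4(dst)
    ingress = ingress_interface(s, interfaces)
    route = best_route(d, routes)
    if route is None:
        return {"ingress": ingress, "egress": None, "forwarded": False, "reason": "no route"}
    result = {"ingress": ingress, "egress": route.iface, "next_hop": str(route.next_hop)}
    if ingress is None:
        result.update(forwarded=True, reason="locally originated")
    elif ingress == route.iface and not intra_interface_permitted:
        result.update(forwarded=False, reason="same-interface (hairpin) traffic dropped")
    else:
        result.update(forwarded=True, reason="ok")
    return result


# Topology as described in the question (PIX addresses and outside leg constructed).
PIX_501 = [
    Interface("inside", IPv4("192.168.1.1"), Net("192.168.1.0/24")),
    Interface("outside", IPv4("203.0.113.2"), Net("203.0.113.0/30")),
]
ROUTES_501 = [
    Route("inside", Net("172.16.0.0/16"), IPv4("192.168.1.17")),   # the thread's route
    Route("outside", Net("0.0.0.0/0"), IPv4("203.0.113.1")),
]

# First reply's fix: VPN box moved onto its own DMZ leg (constructed numbering).
PIX_DMZ = PIX_501 + [Interface("dmz", IPv4("192.168.2.1"), Net("192.168.2.0/24"))]
ROUTES_DMZ = [Route("dmz", Net("172.16.0.0/16"), IPv4("192.168.2.17")), ROUTES_501[1]]


def host_sends_direct(host_routes: dict, dst: str) -> Optional[str]:
    """Second reply's fix: a static route on the host itself bypasses the PIX.

    host_routes maps prefix -> gateway; returns the gateway the host would use.
    """
    d = IPv4(dst)
    matches = [(Net(p), gw) for p, gw in host_routes.items() if d in Net(p)]
    return max(matches, key=lambda m: m[0].prefixlen, default=(None, None))[1]


if __name__ == "__main__":
    print(check_forwarding("192.168.1.1", "172.16.5.9", PIX_501, ROUTES_501))    # PIX's own ping: ok
    print(check_forwarding("192.168.1.50", "172.16.5.9", PIX_501, ROUTES_501))   # host: dropped
    print(check_forwarding("192.168.1.50", "172.16.5.9", PIX_DMZ, ROUTES_DMZ))   # DMZ leg: ok
    print(host_sends_direct({"0.0.0.0/0": "192.168.1.1", "172.16.0.0/16": "192.168.1.17"},
                            "172.16.5.9"))                                       # host route: 192.168.1.17
```

The host-route check is the same longest-prefix logic applied on the workstation: once the host has its own `172.16.0.0/16` entry pointing at `192.168.1.17`, the PIX never sees the packet, which is why Sundar's option works without touching the firewall.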
