Cisco Support Community
Community Member

PIX Firewall as VPN Peer located behind 3rd Party Firewall - Routing Issue?

We are deploying a PIX firewall for a site-to-site vpn at a remote company location. The PIX will be behind a third-party firewall product. Since the PIX will not be the default gateway, what is the best way to handle the routing of traffic destined to the remote peer network to the PIX vs. the current third-party firewall (also the current default gateway)? Insert a route statement on the third-party firewall redirecting traffic to inside interface of PIX? Create static route statements that remain persistent on PCs?

I had problems finding Cisco documentation on the above. If anyone knows of documentation, please post.



Cisco Employee

Re: PIX Firewall as VPN Peer located behind 3rd Party Firewall -

The best way here would be to add a static route on the 3rd party firewall for the remote LAN, and point that to the inside interface of the PIX. The 3rd party firewall will redirect the packets back to the PIX and hopefully send an ICMP redirect to the client to tell it to send all subsequent packets directly to the PIX.

You might want to just check that the 3rd party firewall does support redirection of packets back out the same interface and sending ICMP redirects, because the PIX doesn't do this.

I don't think there are any docs on this specifically. This is definitely a better way to do it than adding static routes onto every PC.
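To make the reply's reasoning concrete, here is an added example (not code from the thread or from Cisco) that models the forwarding decision on the third-party firewall. The topology and every address in it are constructed for illustration: inside LAN 192.168.1.0/24, the third-party firewall at 192.168.1.1 (the clients' default gateway), the PIX inside interface at 192.168.1.2, and the remote VPN peer LAN 10.10.0.0/16. It applies longest-prefix-match route lookup and the usual ICMP redirect condition (RFC 1812 section 5.2.7.2: the packet would leave on the interface it arrived on, and both the source and the next hop sit on that interface's network), so you can see why, once the static route exists, a client's first packet is forwarded to the PIX and the client is told to go there directly for the rest.

```python
"""Model of a router's forwarding and ICMP-redirect decision.

Added example, not from the original thread. All addresses below are
constructed: inside LAN 192.168.1.0/24, third-party firewall 192.168.1.1,
PIX inside interface 192.168.1.2, remote VPN peer LAN 10.10.0.0/16.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    next_hop: Optional[ipaddress.IPv4Address] = None  # None: directly connected


# Constructed interfaces of the third-party firewall: name -> address/prefix
INTERFACES = {
    "inside": ipaddress.IPv4Interface("192.168.1.1/24"),
    "outside": ipaddress.IPv4Interface("203.0.113.2/29"),
}

# Routing table before any change: connected networks plus a default route
BASE_ROUTES = [
    Route(ipaddress.IPv4Network("192.168.1.0/24"), "inside"),
    Route(ipaddress.IPv4Network("203.0.113.0/29"), "outside"),
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "outside",
          ipaddress.IPv4Address("203.0.113.1")),
]

# The static route the reply recommends: remote peer LAN -> PIX inside interface
PIX_ROUTE = Route(ipaddress.IPv4Network("10.10.0.0/16"), "inside",
                  ipaddress.IPv4Address("192.168.1.2"))


def lookup(routes, dst):
    """Longest-prefix match: return the most specific Route covering dst, or None."""
    candidates = [r for r in routes if dst in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def forward(routes, in_iface, src, dst):
    """Decide how the firewall handles one packet that arrived on in_iface.

    Returns a dict with the egress interface, the next hop, and, if the
    RFC 1812 condition holds, the gateway an ICMP redirect would point to.
    """
    src = ipaddress.IPv4Address(src)
    dst = ipaddress.IPv4Address(dst)
    route = lookup(routes, dst)
    if route is None:
        return {"action": "drop", "reason": "no route"}
    next_hop = route.next_hop if route.next_hop is not None else dst
    out_net = INTERFACES[route.interface].network
    # Redirect only when the packet goes back out the interface it came in on
    # and both the source and the next hop are on that interface's network.
    redirect = None
    if route.interface == in_iface and src in out_net and next_hop in out_net:
        redirect = next_hop
    return {
        "action": "forward",
        "out_iface": route.interface,
        "next_hop": str(next_hop),
        "redirect_to": str(redirect) if redirect is not None else None,
    }


if __name__ == "__main__":
    client, remote_host = "192.168.1.50", "10.10.5.5"
    print("before static route:", forward(BASE_ROUTES, "inside", client, remote_host))
    print("after static route: ", forward(BASE_ROUTES + [PIX_ROUTE], "inside", client, remote_host))
```

Before the static route, a packet from the client to the remote LAN follows the default route out the outside interface and never reaches the PIX. After it, the same packet is sent back out the inside interface to 192.168.1.2 and the redirect condition is met, which is the behaviour the reply relies on; whether the client then actually honours the redirect depends on its own OS setting for accepting ICMP redirects, so that is the thing to verify on a test PC before relying on it.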
