Cisco Support Community

New Member

PIX routing

Hello,

I'm using a PIX 515. One of the segments connected to this PIX is network 10.12.187.0/24. On this network is a Cisco 1841 router, which connects networks 10.12.188.0/26 and 10.12.187.0/24.

The problem is that host 10.12.187.x, which has the PIX as its default gateway, cannot ping any host on 10.12.188.0/26. This works only if I set up a route on host 10.12.187.1 saying that network 10.12.188.0 is behind the router.

But when this host has the PIX as its default gateway, it doesn't work.

On the PIX there is a route 10.12.188.0 255.255.255.192 (router IP address)

and the router has this PIX as its default gw.

Could you please advise me?

Many thanks,

Vladislav

6 REPLIES
New Member

Re: PIX routing

I can only imagine that you have an ACL on the PIX that will block this. I guess that traffic will be processed by the ACL in and out, and that if you are not allowing 10.12.187.x to 10.12.188.0/26 then the PIX will block this.

Green

Re: PIX routing

Sounds like you are trying to hairpin traffic on the inside interface of the PIX. You cannot do this in PIX 6. What version are you running? Couldn't you just make the clients' default gateway the router address?

New Member

Re: PIX routing

Yes, it looks like hairpinning; I tried to set it up, but nothing. I'm using version 7.0(4).

For testing reasons I made a permit ip any any ACL on both sides (router and PIX).

Router 10.12.187.5 has default gw 10.12.187.6, and clients on 10.12.188.0 have as default gw the inside IP address of this router.

Client 10.12.187.1 has default gw 10.12.187.6.

10.12.188.1(client)--x--------x----10.12.187.1(client)
               router|   pix  |
                     |        |
            10.12.187.5   10.12.187.6

Green

Re: PIX routing

"Hairpinning is the process by which traffic is sent back out the same interface on which it arrived. This feature was introduced in security appliance software version 7.0. For versions earlier than 7.2(1), it is required that at least one arm of the hairpinned traffic (inbound or outbound) be encrypted. From 7.2(1) and later, this requirement is no longer in place. Both the traffic inbound and the traffic outbound might be unencrypted when you use 7.2(1)."
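The version rule quoted above, applied to this thread's topology, as an added example that is not part of the original posts or Cisco's own code. The interface names `inside`/`outside`, the route table, the outside test address and the verdict labels are assumptions constructed for illustration; the check covers only the quoted version rule, not ACLs or other configuration.

```python
import ipaddress
import re

# Constructed route table modelled on the thread (interface names are assumptions).
ROUTES = [
    ("10.12.187.0/24", "inside"),   # segment directly connected to the PIX
    ("10.12.188.0/26", "inside"),   # static route via the 1841 at 10.12.187.5
    ("0.0.0.0/0", "outside"),       # default route
]

def parse_version(text):
    """Turn a version string such as '7.0(4)' into a comparable tuple (7, 0, 4)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)\)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def lookup_interface(routes, address):
    """Longest-prefix match: return the interface the address is reached through."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def hairpin_verdict(routes, src, dst, version, encrypted_arm=False):
    """Classify a flow against the quoted hairpinning rule.

    The ingress interface is assumed to be the one whose route covers src.
    """
    ingress = lookup_interface(routes, src)
    egress = lookup_interface(routes, dst)
    if ingress is None or egress is None:
        return "no-route"
    if ingress != egress:
        return "routed"                        # normal inter-interface traffic
    ver = parse_version(version)
    if ver[:2] < (7, 0):
        return "hairpin-unsupported"           # feature introduced in 7.0
    if ver < (7, 2, 1) and not encrypted_arm:
        return "hairpin-needs-encrypted-arm"   # pre-7.2(1) restriction
    return "hairpin-allowed"                   # version rule satisfied

if __name__ == "__main__":
    print(hairpin_verdict(ROUTES, "10.12.187.1", "10.12.188.1", "7.0(4)"))
```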

New Member

Re: PIX routing

Ok. Thank you.

