Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
306
Views
0
Helpful
2
Replies

Routing Packets between Multiple Networks Inside PIX V7

ganesh.atreya
Level 1
Level 1

‎01-17-2006 05:14 AM - edited ‎02-21-2020 12:38 AM

Hi,

I have 5 networks with 2 routers behind PIX 7. I tried to assign route to different Networks located inside Pix in Pix. A Sample configuration is

route inside x.y.z.0 255.255.255.0 a.b.c.1

The local segment has inside interface of PIX as the default Gateway. I have problem reaching the networks. When I issue show route command I can see the static routes in the routing table.

I doubt if PIX doesnt allow packet to be routed back on the same interface on which it received the packet. Please do confirm if my understand is right

0 Helpful
2 Replies 2

pmacdanel
Level 1
Level 1

‎01-17-2006 02:04 PM

Hello,

I have come accross a similar problem to the above where a customer had several subnets that were located behind a router that was attached to the local LAN and the hosts on the local LAN had a PIX 7.x as their default gateway, the PIX had routes to those subnets back out the LAN interface to the router -

However, even with the 'same-security-traffic permit intra-interface' command the traffic didn't go back out - it was dropped with a 'No translation group found' error in syslog

their was also a nat 0 ACL command referencing the local lan->remote subnets, I don't understand why this didn't work?

Thanks,

Patrick

0 Helpful

etamminga
Spotlight
Spotlight
In response to pmacdanel

‎01-18-2006 12:13 PM

Hi,

Pix OS (even version 7.0) cannot route packets out the same interface they came in on.

There is one exception to this rule though, and that is traffic coming in tunneled/encapsulated (VPN related). This kind of traffic IS allowed to go out the same interface it came in on, but only if "same-security-traffic permit intra-interface" has been enabled.

Users that do need their traffic to go out the interface it came in on need to change their routing infrastructure so other routers can handle this task. Often this needs changing default gateways on hosts and setting up a router to do the internal routing.

Regards,

Erik

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card