12-28-2005 06:20 PM - edited 02-21-2020 12:36 AM
Hi All,
I am trying to configure a PIX 525 which is currently the default gateway for our network.
I need to add a route to point traffic for a specific private subnet to a new router which is also on the LAN.
I have added a line as follows:
route internal 192.168.5.0 255.255.255.0 192.168.1.254
Where the PIX has an IP of 192.168.1.5 on its internal interface. The router which provides access to 192.168.5.0/24 has the address 192.168.1.254.
From the reading I have done, it appears that a PIX cannot forward traffic out of the same interface it entered on, which means I would have to put the router on another interface directly connected to the PIX (new subnet).
Please let me know if there is any way to make this work, or whether I need to use another physical interface on the PIX to get it happening.
Thanks.
12-29-2005 03:02 AM
According to all older knowledge about the PIX this should not be possible... but with the new 7.0 version I really don't know anymore.
Try this: "same-security-traffic permit intra-interface" if you are using a version >= 7.0.
It should not work, and the solution should be to use another interface, or let the 192.168.1.254 router be the default gateway of your network, as it can probably do the routing better. :)
What has stumped me is that the hairpinning of the "same-security-traffic permit intra-interface" command is also allowing traffic from VPN clients to exit out the same interface again (although traversing from an IPsec tunnel to unencrypted form)... This is of course great news, but it's hard to read from the docs...
Did it help?
12-29-2005 01:20 PM
Hi,
I have enabled a second interface on the PIX, with a small subnet between the router and the PIX interface, and added a route for this to work.
route [new interface] [destination network and mask] [gateway router]
The security level of the new PIX interface is 99 and the inside interface is 100, so there should not be a security issue; however, I cannot ping from the main LAN to the remote LAN.
Any ideas would be appreciated.
Cheers.
12-30-2005 02:14 AM
Hi again,
It would really help if you posted a part of your config so we can check it directly, but I'll give you a quick config-example here:
! Interface names and security levels: inside (100) is more trusted than routerdmz (99)
nameif ethernet0 inside security100
nameif ethernet1 routerdmz security99
! Interface filters (permit-all here; tighten to the real traffic once it works)
access-list ALL permit ip any any
! NAT-exemption ACLs: main LAN <-> remote LAN must pass without translation
access-list to-newnet permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list to-inside permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group ALL in interface inside
access-group ALL in interface routerdmz
nat (inside) 0 access-list to-newnet
nat (routerdmz) 0 access-list to-inside
! Identity static so routerdmz-initiated connections can reach inside hosts untranslated
static (inside,routerdmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
! Addressing: 192.168.6.0/24 is the small transit subnet between PIX and router
ip address inside 192.168.1.5 255.255.255.0
ip address routerdmz 192.168.6.1 255.255.255.0
! Remote LAN is reached via the router's transit-side address
route routerdmz 192.168.5.0 255.255.255.0 192.168.6.2
And remember to enter the return route on your router. :)
Did it help?
12-30-2005 04:49 AM
With v6.x, provided nat/global or static has been configured, traffic from a higher security level to a lower security level should be permitted. However, ping is another story: an inbound ACL needs to be applied on the new interface.
e.g.
! permit the ICMP replies coming back from the remote LAN (ICMP is not stateful on 6.x)
access-list new_inbound permit icmp any any
! apply it inbound on the new (lower-security) interface
access-group new_inbound in interface routerdmz
Further, enable "debug icmp trace" in order to troubleshoot. On the other hand, a static route is needed on the router if the default gateway is not the PIX.
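Pulling the thread together, here is a complete worked configuration for the two-interface design (and the 7.0-only hairpin alternative that the second post mentions). This is an added example, not a config posted by anyone in the thread: it reuses the addresses given above (inside 192.168.1.5, remote LAN 192.168.5.0/24, transit 192.168.6.0) but assumes a /30 transit link, the ACL names NONAT and routerdmz_in, and the router interface name FastEthernet0/0. Two practitioner caveats: on 6.x ICMP has no state table, so echo-replies from the remote LAN must be explicitly permitted inbound on the lower-security interface (on 7.x you can instead add "inspect icmp" to the global policy); and with the hairpin option the router replies to LAN hosts directly, so the PIX only ever sees one direction of each TCP flow, which stateful inspection will not tolerate for long.

```cisco
! ===== Option A (PIX 7.0 or later only): hairpin on the inside interface =====
! Allows traffic to leave on the interface it arrived on. Return traffic from
! 192.168.1.254 goes straight back to the LAN hosts, so the PIX sees an
! asymmetric flow: fine for ICMP/UDP, but stateful TCP inspection will drop
! packets it has no session for. Prefer Option B.
same-security-traffic permit intra-interface
route inside 192.168.5.0 255.255.255.0 192.168.1.254

! ===== Option B: dedicated "routerdmz" interface with a /30 transit link =====
! Security levels: inside (100) may initiate to routerdmz (99) by default;
! anything initiated from routerdmz towards inside needs an inbound ACL.
nameif ethernet0 inside security100
nameif ethernet1 routerdmz security99
ip address inside 192.168.1.5 255.255.255.0
ip address routerdmz 192.168.6.1 255.255.255.252   ! assumption: /30 transit

! Remote LAN lives behind the router's transit address
route routerdmz 192.168.5.0 255.255.255.0 192.168.6.2

! NAT exemption (nat 0 with an ACL is bidirectional on 6.x), so LAN-to-LAN
! traffic keeps its real addresses in both directions.
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Inbound filter on the lower-security side. Only what the remote LAN is
! allowed to send towards the main LAN: ping replies and path diagnostics
! here; add the specific TCP/UDP services the remote LAN must initiate.
access-list routerdmz_in permit icmp 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0 echo-reply
access-list routerdmz_in permit icmp 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0 echo
access-list routerdmz_in permit icmp 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0 time-exceeded
access-list routerdmz_in permit icmp 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0 unreachable
access-group routerdmz_in in interface routerdmz
! If an access-group is already applied inbound on "inside", it must also
! permit 192.168.1.0/24 -> 192.168.5.0/24, or the PIX drops the outbound leg.

! ===== Router side (IOS), the return route the replies depend on =====
! interface FastEthernet0/0
!  ip address 192.168.6.2 255.255.255.252
! ip route 192.168.1.0 255.255.255.0 192.168.6.1

! ===== Verification from the PIX =====
! show route                      ! 192.168.5.0/24 via 192.168.6.2 on routerdmz
! show access-list routerdmz_in   ! hit counts should climb while you ping
! debug icmp trace                ! shows each echo/echo-reply crossing interfaces
! show xlate                      ! expect no translation entries for 192.168.1.x <-> 192.168.5.x
```

Order of checks when the ping still fails: confirm the router has the 192.168.1.0/24 return route and can ping 192.168.6.1 itself, then watch "debug icmp trace" for the echo leaving routerdmz and the echo-reply arriving; a reply that arrives but is dropped points at the inbound ACL, a reply that never arrives points at the router.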