Static route on pix internal interface to internal gateway

TalonKarrde
Level 1

Hi All,

I am trying to configure a PIX 525 which is currently the default gateway for our network.

I need to add a route to point traffic for a specific private subnet to a new router which is also on the LAN.

I have added a line as follows:

route internal 192.168.5.0 255.255.255.0 192.168.1.254

Where the PIX has an IP of 192.168.1.5 on its internal interface. The router which provides access to 192.168.5.0/24 has the address 192.168.1.254.

From the reading I have done, it appears that a PIX cannot forward traffic out of the same interface it entered on, which means I would have to put the router on another interface directly connected to the PIX (a new subnet).

Please let me know if there is any way to make this work, or do I need to use another physical interface on the PIX to get it happening.

Thanks.

4 Replies

johansens
Level 4

According to all older knowledge about the PIX, this should not be possible... but with the new 7.0 version I really don't know anymore..

Try this: "same-security-traffic permit intra-interface" if you are using a >=7.0 version..

It should not work, and the solution should be to use another interface or let the 192.168.1.254 router be the default gateway of your network as it can probably do the routing better.. :)

What has stumped me is that the hairpinning of the "same-security-traffic permit intra-interface" command is also allowing traffic from VPN clients to exit out the same interface again (although traversing from an IPSec tunnel to unencrypted form)... This is of course great news, but it's hard to read from the docs...

Did it help?

Hi,

I have enabled a second interface on the PIX, with a small subnet between the router and the PIX interface, and added a route for this to work.

route [new interface] [destination network and mask] [gateway router]

The security level of the new PIX interface is 99, and the inside interface is 100, so there should not be a security issue; however, I cannot ping from the main LAN to the remote LAN.

Any ideas would be appreciated.

Cheers.

Hi again,

It would really help if you posted a part of your config so we can check it directly, but I'll give you a quick config-example here:

nameif ethernet0 inside security100
nameif ethernet1 routerdmz security99
access-list ALL permit ip any any
access-list to-newnet permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list to-inside permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group ALL in interface inside
access-group ALL in interface routerdmz
nat (inside) 0 access-list to-newnet
nat (routerdmz) 0 access-list to-inside
static (inside,routerdmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
ip address inside 192.168.1.5 255.255.255.0
ip address routerdmz 192.168.6.1 255.255.255.0
route routerdmz 192.168.5.0 255.255.255.0 192.168.6.2

And remember to enter the return-route on your router.. :)

Did it help?

With v6.x, providing nat/global or static has been configured, traffic from a higher security level to a lower security level should be permitted. However, ping is another story: an inbound ACL needs to be applied on the new interface.

e.g.

access-list new_inbound permit icmp any any

Further, enable "debug ic t" in order to troubleshoot. On the other hand, a static route is needed on the router if the default gateway is not the PIX.
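The forwarding rules the thread describes (no hairpin out the ingress interface unless intra-interface traffic is permitted on 7.0+, higher-to-lower security allowed once NAT is in place, lower-to-higher needing an inbound ACL, which is why the echo replies from 192.168.5.0/24 never make it back without one) as a small added model, not code from the thread or from Cisco; interface names, security levels and routes are taken from johansens's example config, the ACL is reduced to a per-interface flag, and everything else is an assumption of this simplified simulation:

```python
import ipaddress

# Constructed model of the PIX in this thread: interface -> security level
# (names and levels as in the example config above).
SECURITY = {"inside": 100, "routerdmz": 99}

# Two candidate routing tables as (prefix, egress interface) pairs.
# ORIGINAL is the first post's single-interface attempt; TWO_INTERFACE is the
# second-interface design from the reply (192.168.6.0/24 link to the router).
ORIGINAL = [("192.168.1.0/24", "inside"), ("192.168.5.0/24", "inside")]
TWO_INTERFACE = [("192.168.1.0/24", "inside"), ("192.168.6.0/24", "routerdmz"),
                 ("192.168.5.0/24", "routerdmz")]


def egress_interface(routes, dst):
    """Longest-prefix match over the routing table; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def forward(routes, ingress, dst, intra_interface=False, inbound_acl_on_ingress=False):
    """Verdict for a packet entering on `ingress` bound for `dst`.

    Rules modelled (a simplification of what the thread describes):
      1. No route -> dropped.
      2. Egress == ingress is refused unless 'same-security-traffic permit
         intra-interface' (7.0+) is configured.
      3. Higher -> lower security passes (nat/global or static assumed);
         lower -> higher needs an inbound ACL on the ingress interface.
    """
    egress = egress_interface(routes, dst)
    if egress is None:
        return "drop: no route"
    if egress == ingress and not intra_interface:
        return f"drop: would exit ingress interface {ingress} (hairpin)"
    if SECURITY[ingress] < SECURITY[egress] and not inbound_acl_on_ingress:
        return f"drop: {ingress} -> {egress} is lower-to-higher with no inbound ACL"
    return f"forward via {egress}"


if __name__ == "__main__":
    # Echo request out, then the echo reply coming back from the remote LAN.
    print(forward(ORIGINAL, "inside", "192.168.5.10"))
    print(forward(TWO_INTERFACE, "inside", "192.168.5.10"))
    print(forward(TWO_INTERFACE, "routerdmz", "192.168.1.20"))
    print(forward(TWO_INTERFACE, "routerdmz", "192.168.1.20", inbound_acl_on_ingress=True))
```

The third call reproduces the second post's symptom: the request leaves via routerdmz, but the reply arriving on the 99-level interface is refused until an inbound ACL is applied there.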
