Cisco Support Community


Static route on pix internal interface to internal gateway

Hi All,

I am trying to configure a PIX 525 which is currently the default gateway for our network.

I need to add a route to point traffic for a specific private subnet to a new router which is also on the LAN.

I have added a line as follows:

route internal

Where the pix has an IP of on its internal interface. The router which provides access to has the address

From the reading I have done, it appears that a PIX cannot forward traffic out of the same interface it entered on? That would mean I would have to put the router on another interface directly connected to the PIX (a new subnet).

Please let me know if there is any way to make this work, or whether I need to use another physical interface on the PIX to get it happening.



Re: Static route on pix internal interface to internal gateway

According to all older knowledge about the PIX this should not be possible... but with the new 7.0 version I really don't know anymore..

Try this: "same-security-traffic permit intra-interface" if you are using a >=7.0 version..

It should not work, and the solution should be to use another interface or let the router be the default gateway of your network as it can probably do the routing better.. :)

What has stumped me is that the hairpinning of the "same-security-traffic permit intra-interface" command is also allowing traffic from VPN clients to exit out the same interface again (although traversing from an IPSec tunnel to unencrypted form)... This is of course great news, but it's hard to read from the docs...

Did it help?


Re: Static route on pix internal interface to internal gateway


I have enabled a second interface on the PIX, with a small subnet between the router and the PIX interface, and added a route for this to work.

route [new interface] [destination network and mask] [gateway router]

The security level of the new PIX interface is 99 and the inside interface is 100, so there should not be a security issue. However, I cannot ping from the main LAN to the remote LAN.

Any ideas would be appreciated.



Re: Static route on pix internal interface to internal gateway

Hi again,

It would really help if you posted a part of your config so we can check it directly, but I'll give you a quick config-example here:

nameif ethernet0 inside security100

nameif ethernet1 routerdmz security99

access-list ALL permit ip any any

access-list to-newnet permit ip

access-list to-inside permit ip

access-group ALL in interface inside

access-group ALL in interface routerdmz

nat (inside) 0 access-list to-newnet

nat (routerdmz) 0 access-list to-inside

static (inside,routerdmz) netmask

ip address inside

ip address routerdmz

route routerdmz

And remember to enter the return-route on your router.. :)

Did it help?


Re: Static route on pix internal interface to internal gateway

With v6.x, provided nat/global or static has been configured, traffic from a higher security level to a lower security level should be permitted. However, ping is another story: an inbound ACL needs to be applied on the new interface.


access-list new_inbound permit icmp any any

Further, enable "debug ic t" in order to troubleshoot. On the other hand, a static route is needed on the router if the default gateway is not the PIX.
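Putting the two replies together, here is an added example (not posted by anyone in the thread) of a complete PIX 6.x configuration for the second-interface design: identity NAT between the LAN and the remote subnet, an inbound ACL on the lower-security interface so ICMP echo replies are accepted, the static route via the router, and the return route on the router. All addresses (192.168.1.0/24 LAN, 192.168.100.0/30 transit subnet, 10.20.0.0/16 remote subnet) and ACL names are constructed placeholders.

```cisco
! Constructed addressing (not from the thread):
!   inside LAN      192.168.1.0/24,   PIX inside    = 192.168.1.1
!   transit subnet  192.168.100.0/30, PIX routerdmz = 192.168.100.1, router = 192.168.100.2
!   remote subnet   10.20.0.0/16, reachable behind the router
nameif ethernet0 inside security100
nameif ethernet1 routerdmz security99
ip address inside 192.168.1.1 255.255.255.0
ip address routerdmz 192.168.100.1 255.255.255.252

! NAT exemption (nat 0 access-list) between the LAN and the remote subnet.
! On 6.x this exemption is bidirectional, so the second nat 0 line only
! documents the reverse direction; no static is required for identity NAT.
access-list to-newnet permit ip 192.168.1.0 255.255.255.0 10.20.0.0 255.255.0.0
access-list to-inside permit ip 10.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list to-newnet
nat (routerdmz) 0 access-list to-inside

! Inbound ACL on the lower-security interface. 6.x does not track ICMP
! statefully, so echo replies from the remote LAN must be permitted explicitly;
! TCP/UDP replies are handled by the connection table and need no ACL entry.
! The second line additionally lets hosts on the remote LAN initiate to the LAN;
! drop it if only LAN-initiated traffic is wanted.
access-list routerdmz_in permit icmp any any
access-list routerdmz_in permit ip 10.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-group routerdmz_in in interface routerdmz

! Remote subnet reached through the router on the new interface
route routerdmz 10.20.0.0 255.255.0.0 192.168.100.2 1

! Return route on the router (IOS syntax), pointing the LAN back at the PIX:
!   ip route 192.168.1.0 255.255.255.0 192.168.100.1
```

With this in place the PIX forwards LAN-to-remote traffic out of routerdmz rather than hairpinning it on inside, which is the restriction the original question ran into on pre-7.0 code.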