PIX 506E Routing from Inside Interface network To outside interface network

Discussion in 'Cisco' started by marti314, Aug 4, 2005.

  1. marti314

    marti314 Guest

    I have a PIX 506E in which I want to route from a device on the inside
    interface subnet to a device on the outside interface subnet. Here is
    an example of what I want to do:


    192.168.1.5 --> Computer on 192.168.1.0/24 network
    192.168.1.1 --> IP address of inside interface on PIX


    192.168.1.5 uses 192.168.1.1 as default GW
    -----------------------------------------------------------------
    192.168.2.5 --> Computer on 192.168.2.0/24 network
    192.168.2.1 --> IP address of the outside interface on PIX


    192.168.2.5 uses 192.168.2.1 as its gateway


    I want to be able to communicate between subnets using the PIX as a
    router. Basically I want 192.168.1.5 to be able to talk to 192.168.2.5
    and vice versa.


    Can someone please tell me if this is possible, and if it is, what
    would the routing statements on the PIX look like?
    marti314, Aug 4, 2005
    #1

  2. In article <>,
    marti314 <> wrote:
    :I have a PIX 506E in which I want to route from a device on the inside
    :interface subnet to a device on the outside interface subnet. Here is
    :an example of what I want to do:

    :192.168.1.5 --> Computer on 192.168.1.0/24 network
    :192.168.1.1 --> IP address of inside interface on PIX
    :192.168.1.5 uses 192.168.1.1 as default GW

    :192.168.2.5 --> Computer on 192.168.2.0/24 network
    :192.168.2.1 --> IP address of the outside interface on PIX
    :192.168.2.5 uses 192.168.2.1 as its gateway

    :I want to be able to communicate between subnets using the PIX as a
    :router.

    That isn't possible.

    : Basically I want 192.168.1.5 to be able to talk to 192.168.2.5
    :and vice versa.

    :Can someone please tell me if this is possible,

    No. There is no way to turn off Adaptive Security in PIX 5.x or PIX 6.x,
    so the closest you can get is to allow connections in both directions.

    What's the difference? Well, suppose that 192.168.2.5 had a TCP connection
    open with 192.168.1.5, and that the connection was closed. Suppose
    192.168.2.5 then tried to send further TCP packets to that port
    (e.g., a "half-closed" situation.) Then if the PIX was acting as
    a router, it would go ahead and pass on the packets, and 192.168.1.5
    would do whatever it wanted with them (e.g., throw them away.)
    However, because you cannot turn off the Adaptive Security Algorithm,
    the PIX is going to discard those packets instead of routing them.

    You can use the PIX to have regular normal connections between the
    two sides, but you can't have the PIX act as a router in the
    normal sense of the word.


    :and if it is, what
    :would the routing statements on the pix look like?

    static (inside,outside) 192.168.1.5 192.168.1.5 netmask 255.255.255.255

    access-list out2in permit ip host 192.168.2.5 host 192.168.1.5
    access-group out2in in interface outside

    Notice the lack of 'route' statements. You do not need any
    'route' statements on the PIX for communications between the
    IP range of the inside and outside interfaces.

    You *might* need to put a route statement into the WAN router, but
    probably not, as the PIX will proxy ARP 192.168.1.5 when configured
    as above.


    Note: you wouldn't -usually- configure in this way. -Usually-
    you would configure something more like

    static (inside,outside) 192.168.2.4 192.168.1.5 netmask 255.255.255.255
    access-list out2in permit ip host 192.168.2.5 host 192.168.2.4
    access-group out2in in interface outside

    In this configuration, 192.168.2.5 asks to talk to 192.168.2.4
    and the PIX internally converts the destination to 192.168.1.5.
    --
    I was very young in those days, but I was also rather dim.
    -- Christopher Priest
    Walter Roberson, Aug 5, 2005
    #2
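The answer above makes two points that are easy to conflate: the `static` plus `access-list out2in` pair decides which outside-initiated connections are *allowed*, while the Adaptive Security Algorithm decides which individual packets are *forwarded*, and only packets belonging to a connection it has already seen get through. The following Python model is an added illustration of that distinction and is not PIX code or anything from the original thread. It models only the two commands in the reply (a one-to-one `static` and a host-to-host `access-list` applied inbound on the outside interface), tracks TCP connections with a deliberately simplified rule (a single FIN or RST closes the entry; a real PIX waits for both sides), and compares the verdicts with those of a stateless router. Addresses are the ones from the thread; port numbers and flag sequences are constructed for the walkthrough.

```python
"""Toy model of the PIX 6.x behaviour described in the reply: a static
translation plus an inbound access-list permits outside-initiated
connections, but the Adaptive Security Algorithm forwards only packets
that belong to a connection it has seen, so segments arriving after a
TCP connection has closed are dropped instead of routed.

Added example, not PIX code. Connection tracking is simplified:
one FIN or RST removes the entry (a real PIX waits for both FINs)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # TCP flags, e.g. frozenset({"SYN"})


def router_forward(pkt: Packet) -> str:
    """A plain router keeps no state: anything with a route is forwarded."""
    return "forward"


class PixModel:
    def __init__(self, statics: dict, out2in_acl: list):
        # statics: global (outside-visible) address -> inside local address,
        # i.e. 'static (inside,outside) 192.168.2.4 192.168.1.5'
        self.statics = statics
        # out2in_acl: (source host, global destination host) pairs permitted by
        # 'access-list out2in permit ip host A host B', applied 'in interface outside'.
        # In PIX 6.x the ACL matches the global (untranslated) destination.
        self.acl = out2in_acl
        self.conns: set = set()  # known connections, keyed on inside addresses

    @staticmethod
    def _key(src, sport, dst, dport):
        # Direction-independent key so both directions of a flow share an entry.
        return frozenset({(src, sport), (dst, dport)})

    def from_outside(self, pkt: Packet) -> tuple[str, Packet | None]:
        """Packet arriving on the outside interface; returns (verdict, translated)."""
        local = self.statics.get(pkt.dst)
        if local is None:  # PIX 6.x drops packets with no translation
            return "drop: no translation for destination", None
        inside_pkt = Packet(pkt.src, local, pkt.sport, pkt.dport, pkt.flags)
        key = self._key(pkt.src, pkt.sport, local, pkt.dport)
        if key in self.conns:
            if pkt.flags & {"FIN", "RST"}:
                self.conns.discard(key)  # connection torn down (simplified)
            return "forward", inside_pkt
        # New connection from the lower-security side: must open with SYN
        # and must be permitted by the access-list on the global address.
        if "SYN" not in pkt.flags:
            return "drop: no connection state (ASA)", None
        if (pkt.src, pkt.dst) not in self.acl:
            return "drop: denied by out2in", None
        self.conns.add(key)
        return "forward", inside_pkt

    def from_inside(self, pkt: Packet) -> tuple[str, Packet | None]:
        """Higher- to lower-security traffic needs no ACL, but the source is
        rewritten to its global address, and only statics are modelled here."""
        globals_for = {local: g for g, local in self.statics.items()}
        gsrc = globals_for.get(pkt.src)
        if gsrc is None:
            return "drop: no translation for source", None
        key = self._key(pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conns:
            if pkt.flags & {"FIN", "RST"}:
                self.conns.discard(key)
        elif "SYN" in pkt.flags:
            self.conns.add(key)
        else:
            return "drop: no connection state (ASA)", None
        return "forward", Packet(gsrc, pkt.dst, pkt.sport, pkt.dport, pkt.flags)


def half_closed_demo() -> list[str]:
    """Replays the reply's scenario: 192.168.2.5 opens a connection to the
    translated address, closes it, then sends one more segment to that port."""
    pix = PixModel({"192.168.2.4": "192.168.1.5"}, [("192.168.2.5", "192.168.2.4")])
    segments = [frozenset({"SYN"}), frozenset({"ACK"}),
                frozenset({"FIN", "ACK"}), frozenset({"ACK"})]  # constructed
    verdicts = []
    for flags in segments:
        pkt = Packet("192.168.2.5", "192.168.2.4", 40000, 80, flags)
        verdicts.append(pix.from_outside(pkt)[0])
    return verdicts


if __name__ == "__main__":
    for step, verdict in zip(["SYN", "ACK", "FIN/ACK", "late ACK"], half_closed_demo()):
        print(f"PIX   {step:9s} -> {verdict}")
        print(f"router{step:9s} -> {router_forward(Packet('', '', 0, 0, frozenset()))}")
```

The last line of the walkthrough is the point of the reply: a router would forward the late ACK and leave 192.168.1.5 to discard it, whereas the PIX drops it itself because no connection entry exists. Swapping the `statics` mapping for `{"192.168.1.5": "192.168.1.5"}` and the ACL destination for `192.168.1.5` reproduces the identity-static variant the reply gives first.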