Adding an additional route to a PIX 525?

Discussion in 'Cisco' started by Chris, Mar 6, 2007.

  1. Chris Guest

    I have a PIX 525 (172.16.1.181/16) that serves as the default gateway
    for a bunch of client machines. I also have a site-to-site VPN
    connected for access to a remote office; its local IP is
    172.16.1.188/16 and the remote end is 172.20.11.0/24.

    What I would like to do is be able to add a static route on the PIX
    525 to say that all traffic destined for 172.20.11.0/24 should be
    routed out via 172.16.1.188. I used this command on the PIX:

    route inside 172.20.11.0 255.255.255.0 172.16.1.188

    But, unfortunately, it didn't have the result that I wanted. It was
    successful in so far as it let the PIX 525 ping the PIX at the remote
    VPN, but it wasn't forwarding client requests for 172.20.11.0 that had
    their default gateway set to 172.16.1.181 (i.e. the 525). What am I
    missing here?

    Thanks,


    Chris
     
    Chris, Mar 6, 2007
    #1

  2. I believe we are in the same boat, or at least rowing next to each other.
    (-;

    I think that as someone replied to my message, you also need to add the
    remote networks to the proper ACLs (Inbound/Outbound NAT, & Crypto ACLs) to
    allow it to pass traffic to/from the remote network. You have to be sure
    that the traffic is not NATed on either end too.

    I'm pretty sure I have all of that in, though I'm missing something. I'm
    going one step further and have another subnet beyond the remote VPN subnet.

    Scott<-
     
    Scott Townsend, Mar 6, 2007
    #2

  3. chris Guest

    You can't do this on the Pix. You can't bounce packets off the inside
    interface and route them back inside the network to another host. I'm sure
    that Walter is sick of telling people this ;-)

    Chris2.
     
    chris, Mar 6, 2007
    #3
  4. Havoc 25 Guest

    Hello,

    What you have to do is to define with an ACL which traffic goes to the VPN
    (should be encrypted). The PIX can't route packets through the same port, so I
    presume that your VPN connection is made on your outside port.

    As I've said earlier, check Cisco.com; you have a lot of cookbooks regarding
    this specific scenario.

    h.
     
    Havoc 25, Mar 6, 2007
    #4
  5. chris Guest

    What he is trying to do is have the PIX as the default gateway on
    172.16.1.181 but then have that route traffic destined for the remote
    network back inside to a different gateway, 172.16.1.188 (doesn't say what
    that is). The PIX won't 'route on a stick'.

    Chris.
     
    chris, Mar 6, 2007
    #5
  6. Chris Guest

    Is another name for this a "hairpin" connection? It seems unfortunate
    that I can't get this accomplished... :-( having to add 10 static
    routes to 100 client machines is a lot more work than adding one
    static route on a PIX!


    Chris
     
    Chris, Mar 7, 2007
    #6
  7. swapnendu

    What version of software are you using on the PIX? If it is 7.x then the PIX does allow a PIX-on-a-stick config and you can implement the scenario you desire. Use "same-security-traffic permit intra-interface" on PIX 7.x.
     
    swapnendu, Mar 8, 2007
    #7
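As an added worked example (not from the thread and not Cisco's own documentation), here is what the configuration discussed above looks like put together on PIX 7.x: the static route from the original post, the `same-security-traffic permit intra-interface` command from post #7 that lets a packet leave by the interface it arrived on, and the NAT exemption from post #2 so the clients' addresses are not translated on the hairpinned path. The interface name `inside` and the addresses come from the thread; the ACL names `inside_in` and `nonat` are assumed, and `access-group` replaces any ACL already applied inbound on `inside`, so merge rather than paste if one exists. One caveat a practitioner should weigh before relying on this: 172.16.1.188 sits on the same segment as the clients, so its replies go straight back to them and bypass the PIX. The firewall therefore only ever sees the client-to-remote half of each conversation, which is asymmetric from the point of view of its stateful inspection; test a real TCP session, not just ping, before rolling it out.

```cisco
! Added example for PIX 7.x, not configuration from the original thread.
! Assumed: interface "inside" is 172.16.1.181/16, the VPN endpoint is
! 172.16.1.188 on that same segment, ACL names inside_in and nonat are ours.

! 1. Permit traffic to enter and leave the same interface (PIX 7.x and later).
same-security-traffic permit intra-interface

! 2. The static route from post #1: the remote office is reached via the VPN box.
route inside 172.20.11.0 255.255.255.0 172.16.1.188 1

! 3. If an access list is applied inbound on "inside", it must allow the
!    clients to reach the remote office. This line is the minimum needed;
!    merge it into an existing inside ACL instead of replacing it.
access-list inside_in extended permit ip 172.16.0.0 255.255.0.0 172.20.11.0 255.255.255.0
access-group inside_in in interface inside

! 4. Do not translate client addresses on the hairpinned path (post #2's point
!    that the traffic must not be NATed).
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.20.11.0 255.255.255.0
nat (inside) 0 access-list nonat
```

After applying it, `show route` should list 172.20.11.0/24 via 172.16.1.188 on the inside interface, and a client whose default gateway is 172.16.1.181 should be able to reach a host in 172.20.11.0/24 without a local static route of its own.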
