topic PIX, as a router on a stick, inside int redirect ?? in Network Security

PIX, as a router on a stick, inside int redirect ??

mprescher — Mon, 11 Mar 2019 10:32:45 GMT

Not sure why the customer wants this but they want to use the inside int of a PIX as a default gateway for users on one inside network, 192.168.x.x to redirect to another inside network 10.x.x.x, I.e. router on a stick kind of deal.

I don't think the PIX can do this.

However, it does take a static route:

inside 192.16.20.0 255.255.255.0 10.4.2.31 1 OTHER static

...again both networks are on the inside.

Is this even possible?

Re: PIX, as a router on a stick, inside int redirect ??

srue — Tue, 19 Jun 2007 19:35:00 GMT

you probably need to use hairpinning for this...available in 7.x PIX OS

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml#ra-sol-2

if you have a spare interface, maybe you could just use that, and route traffic between these networks through the pix.

Re: PIX, as a router on a stick, inside int redirect ??

acomiskey — Tue, 19 Jun 2007 19:35:42 GMT

Yes it is possible only with version 7.

Re: PIX, as a router on a stick, inside int redirect ??

Jon Marshall — Tue, 19 Jun 2007 20:34:27 GMT

In addition to what's been suggested, depending on the topology of the inside networks and the model of your pix you can use 802.1q trunking on the pix inside interface and create logical interfaces, so you can assign one to the 192.168.x.x network and one to the 10.x.x.x network.

Jon

Re: PIX, as a router on a stick, inside int redirect ??

srue — Tue, 19 Jun 2007 23:04:23 GMT

Jon,

i thought of that also. Do you know if hairpinning needs enabled in that situation?

Re: PIX, as a router on a stick, inside int redirect ??

mprescher — Wed, 20 Jun 2007 00:39:31 GMT

I guess I could pick apart this vpn hairpinning technique but this case would not involve vpn's, address pools or other vpn related constructs. After further experimentation, the inside interface route back to the inside second network seems to work, though I get the 802.1q suggestion as a possible alternative solution.

Re: PIX, as a router on a stick, inside int redirect ??

acomiskey — Wed, 20 Jun 2007 00:59:32 GMT

Here's another hairpinning example.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2

Re: PIX, as a router on a stick, inside int redirect ??

Jon Marshall — Sat, 23 Jun 2007 14:55:05 GMT

Hi Steven

Interesting question. As far as i know i the pix treats each logical interface as a separate interface to which you can apply access-lists etc. so i'm pretty sure you would not need hairpinning in this case.

Course, i'm going to have to test it sometime now that you've brought it up 🙂

Jon

Re: PIX, as a router on a stick, inside int redirect ??

JBDanford2002 — Sat, 23 Jun 2007 15:00:31 GMT

Using 801.q trunking you would not need hairpinning. The PIX would treat each VLAN as a sep interface.