topic Re: Can the Pix Inside Interface route the traffic at the same s in Network Security

Can the Pix Inside Interface route the traffic at the same segment?

cindylee27 — Mon, 11 Mar 2019 09:22:46 GMT

Hi All,

I have a scenario here.

Try to connect a network range to the particular server but the gateway is pointing to the pix firewall interface.

Will the traffic works since the firewall interface is the same segment with the server?

i have attached the network diagram as attached.

Thanks..

Re: Can the Pix Inside Interface route the traffic at the same s

sachinraja — Mon, 22 Jan 2007 03:42:14 GMT

Hi cindee

I dont think the PIX will route the traffic on the same interface, as it received the traffic.. this was done for enhancing the security in PIX. which version of code are you running ?? I'm sure , with 6.x code this is not possible.. anyway, u can try out some options, to overcome your issue:

1) If possible put a static route for 172.16.1.0/24 network on the server, to go directly to the router, instead of coming to the PIX... Is this the only network you are going to reach through the router A - router B link ??

2) or change the default gateway of the servers to the router ethernet interface. On the router, you can either configure static routes or route-maps (source based routing), for some subnets to reach the PIX... This will be a really good option...

3) Put the router A on the DMZ port of the PIX, instead of connecting on inside.. by this, routing of packets will not be hindered.. but you gotta make sure of the configurations to be made in PIX, which increases administrative overhead !!!!

Hope this helps.. all the best.. rate replies if found useful..

Raj

Re: Can the Pix Inside Interface route the traffic at the same s

cindylee27 — Mon, 22 Jan 2007 05:12:13 GMT

Thanks Raj! 😉

But my problem here is the router A's routing is all pointing to the PIX Inside Interface, 10.10.6.1. Can i put a static route in the Router A to point directly to the SAP Server IP, 10.10.6.5??

Will the network 172.16.1.0/24 go directly to 10.10.6.5 if the route is at ROuter A?

Thanks again!

Re: Can the Pix Inside Interface route the traffic at the same s

sebastan_bach — Mon, 22 Jan 2007 05:34:36 GMT

hi yes this can be done with the 7.2 code on the pix or asa. u need to give a command on the pix for same-security-traffic permit intra-interface which will allow packts entering and leaving the same interface.

this was basically made for hub and spoke vpn but in 7.2 code it will also allow clear text traffic.

hope this helps

regards

sebastan

Re: Can the Pix Inside Interface route the traffic at the same s

cindylee27 — Mon, 22 Jan 2007 06:15:27 GMT

Thanks Sebastan,

The ver is 6.3.3.

Any other ways to be done to allow this traffic as I could not move the network to another interface, it should come from the inside interface as well.

Anything can be done on the router end ?

Thanks again.

Re: Can the Pix Inside Interface route the traffic at the same s

sachinraja — Mon, 22 Jan 2007 06:33:36 GMT

Hello cindy,

sebastan is right.. u can have a look at this following URL for 7.x ASA's, which allow intra-interface traffic:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

if u dont want to upgrade the pix to 7.x, i think the only possible solutions are the one discussed above in my post.. you can also think of investing on a L3 switch, if it makes sense on your network !!!

Let us know if you need any more help on this.

Raj

Re: Can the Pix Inside Interface route the traffic at the same s

cindylee27 — Tue, 23 Jan 2007 08:33:45 GMT

Thanks guy..

Have solved the problem. The SAP Server def. gateway is actually pointing to the router interface instead. bravo! case close. 🙂

Thanks again..will rate helpful post.