https://community.cisco.com/t5/network-security/static-route-on-pix/m-p/315362#M550577 <HTML><HEAD></HEAD><BODY><P>Do you have default route set to PIX IP address in both the hosts?</P><P>Thanks.</P></BODY></HTML> Sun, 13 Mar 2005 00:45:38 GMT rais 2005-03-13T00:45:38Z https://community.cisco.com/t5/network-security/static-route-on-pix/m-p/315359#M550574 <P>Hi,</P><P></P><P>I've LAN 192.168.4.0/24 with PIX /192.168.4.1/ which users has set as gateway and with Cisco805 /192.168.4.100/. And I've LAN 192.168.1.0 with Cisco805 /192.168.1.100/. I need on PIX set static route for LAN 192.168.1.0 where gw will be set 192.168.4.100.</P><P></P><P>In Windows desktop in LAN 192.168.4.0 I use:</P><P>route add 192.168.1.0 mask 255.255.255.0 192.168.4.100, can I set something like this on the PIX?</P><P>Thanx, Milan</P> Fri, 21 Feb 2020 08:00:29 GMT https://community.cisco.com/t5/network-security/static-route-on-pix/m-p/315359#M550574 milan.zmarzlak 2020-02-21T08:00:29Z https://community.cisco.com/t5/network-security/static-route-on-pix/m-p/315360#M550575 <HTML><HEAD></HEAD><BODY><P>You can use the following command:</P><P></P><P>route inside 192.168.1.0 255.255.255.0 192.168.4.100</P><P></P><P>HTH.</P></BODY></HTML> Sat, 12 Mar 2005 11:43:16 GMT https://community.cisco.com/t5/network-security/static-route-on-pix/m-p/315360#M550575 rais 2005-03-12T11:43:16Z https://community.cisco.com/t5/network-security/static-route-on-pix/m-p/315361#M550576 <HTML><HEAD></HEAD><BODY><P>I tried this, in this case I can ping from console on PIX to 192.168.1.100, but I can't ping from desktop in LAN 192.168.4.0</P><P>I restarted PIX, clear xlate, but nothing help me.</P><P>show route show me:</P><P>route inside 192.168.1.0 255.255.255.0 192.168.4.100 other</P><P></P><P>I tried route inside 192.168.1.100 255.255.255.255 192.168.4.100 but nothing happend.</P></BODY></HTML> Sat, 12 Mar 2005 13:00:17 GMT https://community.cisco.com/t5/network-security/static-route-on-pix/m-p/315361#M550576 milan.zmarzlak 2005-03-12T13:00:17Z https://community.cisco.com/t5/network-security/static-route-on-pix/m-p/315362#M550577 <HTML><HEAD></HEAD><BODY><P>Do you have default route set to PIX IP address in both the hosts?</P><P>Thanks.</P></BODY></HTML> Sun, 13 Mar 2005 00:45:38 GMT https://community.cisco.com/t5/network-security/static-route-on-pix/m-p/315362#M550577 rais 2005-03-13T00:45:38Z https://community.cisco.com/t5/network-security/static-route-on-pix/m-p/315363#M550578 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I am afraid it is not possible to use the PIX this way. Traffic arriving at a PIX interface can not be forwarded back through the same interface.</P><P>This is explained in the PIX FAQ document here, in an answer to "Can I operate the PIX in a "one armed" configuration?":</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a0080094874.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a0080094874.shtml</A></P><P></P><P>If you have a vlan-capable switch, you can try setting up vlan interfaces on the PIX (PIX 501 won't work), one vlan for the first lan and another vlan for the router:</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1113437" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1113437</A></P><P></P><P></P><P>HTH,</P><P>Mustafa</P></BODY></HTML> Sun, 13 Mar 2005 02:35:24 GMT https://community.cisco.com/t5/network-security/static-route-on-pix/m-p/315363#M550578 mhussein 2005-03-13T02:35:24Z https://community.cisco.com/t5/network-security/static-route-on-pix/m-p/315364#M550579 <HTML><HEAD></HEAD><BODY><P>Thanks Mustafa. I concur with you 100%.</P><P></P><P>Regards.</P></BODY></HTML> Sun, 13 Mar 2005 15:08:18 GMT https://community.cisco.com/t5/network-security/static-route-on-pix/m-p/315364#M550579 rais 2005-03-13T15:08:18Z https://community.cisco.com/t5/network-security/static-route-on-pix/m-p/315365#M550581 <HTML><HEAD></HEAD><BODY><P>Thank you for all. I believe that this help me.</P><P>Milan</P></BODY></HTML> Mon, 14 Mar 2005 06:41:24 GMT https://community.cisco.com/t5/network-security/static-route-on-pix/m-p/315365#M550581 milan.zmarzlak 2005-03-14T06:41:24Z https://community.cisco.com/t5/network-security/static-route-on-pix/m-p/315366#M550583 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I have no experience with VLAN, can anybody help me?</P><P>that is my configuration on PIX, in this LAN I've Cisco Router 192.168.4.100:</P><P></P><P>PIX Version 6.3(3)133</P><P>interface ethernet0 auto</P><P>interface ethernet1 auto</P><P>nameif ethernet0 outside security0</P><P>nameif ethernet1 inside security100</P><P>hostname xxx</P><P>domain-name xxx</P><P>fixup protocol dns maximum-length 512</P><P>fixup protocol ftp 21</P><P>fixup protocol h323 h225 1720</P><P>fixup protocol h323 ras 1718-1719</P><P>fixup protocol http 80</P><P>fixup protocol rsh 514</P><P>fixup protocol rtsp 554</P><P>fixup protocol sip 5060</P><P>fixup protocol sip udp 5060</P><P>fixup protocol skinny 2000</P><P>fixup protocol smtp 25</P><P>fixup protocol sqlnet 1521</P><P>fixup protocol tftp 69</P><P>names</P><P>object-group service mail tcp </P><P> port-object eq pop3 </P><P> port-object eq smtp </P><P>access-list outbound01 permit icmp any any </P><P>access-list outbound01 permit tcp 192.168.4.0 255.255.255.0 any eq domain </P><P>access-list outbound01 permit udp 192.168.4.0 255.255.255.0 any eq domain </P><P>access-list outbound01 permit tcp 192.168.4.0 255.255.255.0 any eq aol </P><P>access-list outbound01 permit tcp any any eq ssh </P><P>access-list outbound01 permit tcp 192.168.4.0 255.255.255.0 any eq lotusnotes </P><P>access-list outbound01 permit tcp 192.168.4.0 255.255.255.0 any eq www </P><P>access-list outbound01 permit tcp 192.168.4.0 255.255.255.0 any eq https </P><P>access-list outbound01 permit tcp 192.168.4.0 255.255.255.0 any eq 3389 </P><P>access-list outbound01 permit tcp 192.168.4.0 255.255.255.0 any eq 2439 </P><P>access-list outbound01 permit tcp 192.168.4.0 255.255.255.0 any eq pop3 </P><P>access-list outbound01 permit tcp 192.168.4.0 255.255.255.0 any eq smtp </P><P>access-list inbound01 permit icmp any any </P><P>access-list inbound01 deny ip any any </P><P>access-list inside_outbound_nat0_acl permit ip any 192.168.4.96 255.255.255.224 </P><P>access-list inside_outbound_nat0_acl permit ip any 192.168.4.96 255.255.255.248 </P><P>access-list outside_cryptomap_dyn_100 permit ip any 192.168.4.96 255.255.255.248 </P><P>pager lines 24</P><P>logging on</P><P>logging standby</P><P>logging console debugging</P><P>mtu outside 1500</P><P>mtu inside 1500</P><P>ip address outside 194.212.x.x 255.255.255.252</P><P>ip address inside 192.168.4.1 255.255.255.0</P><P>ip audit info action alarm</P><P>ip audit attack action alarm</P><P>pdm location 192.168.4.143 255.255.255.255 inside</P><P>pdm location 192.168.4.187 255.255.255.255 inside</P><P>pdm logging informational 100</P><P>pdm history enable</P><P>arp timeout 14400</P><P>global (outside) 1 interface</P><P>nat (inside) 1 192.168.4.0 255.255.255.0 0 0</P><P>access-group inbound01 in interface outside</P><P>access-group outbound01 in interface inside</P><P>route outside 0.0.0.0 0.0.0.0 194.212.103.105 1</P><P>timeout xlate 3:00:00</P><P>http server enable</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server community public</P><P>no snmp-server enable traps</P><P>floodguard enable</P><P>sysopt connection permit-ipsec</P><P>sysopt connection permit-pptp</P><P>crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac </P><P>crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5</P><P>crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5</P><P>crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5</P><P>crypto dynamic-map outside_dyn_map 80 set pfs group2</P><P>crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-MD5</P><P>crypto dynamic-map outside_dyn_map 100 match address outside_cryptomap_dyn_100</P><P>crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-MD5</P><P>crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map</P><P>crypto map outside_map client authentication LOCAL</P><P>crypto map outside_map interface outside</P><P>isakmp enable outside</P><P>isakmp policy 20 authentication pre-share</P><P>isakmp policy 20 encryption 3des</P><P>isakmp policy 20 hash md5</P><P>isakmp policy 20 group 2</P><P>isakmp policy 20 lifetime 86400</P><P>telnet 192.168.4.187 255.255.255.255 inside</P><P>telnet timeout 5</P><P>ssh 192.168.4.143 255.255.255.255 inside</P><P>ssh timeout 30</P><P>dhcpd address 192.168.4.129-192.168.4.254 inside</P><P>dhcpd dns 212.65.x.x212.65.x.x</P><P>dhcpd lease 43200</P><P>dhcpd ping_timeout 750</P><P>dhcpd domain xxx</P><P>dhcpd enable inside</P></BODY></HTML> Mon, 14 Mar 2005 08:02:32 GMT https://community.cisco.com/t5/network-security/static-route-on-pix/m-p/315366#M550583 milan.zmarzlak 2005-03-14T08:02:32Z https://community.cisco.com/t5/network-security/static-route-on-pix/m-p/315367#M550584 <HTML><HEAD></HEAD><BODY><P>Now things look doable to me. Are you saying your router has two IP addresses: 192.168.4.100 and 192.168.1.100? </P><P></P><P>If answer to the above is affirmative then simply point default route of internal hosts to the Cisco router (not the PIX) and point the router's default gateway to the PIX.</P><P></P><P>Does it make sense?</P><P></P><P>Hope this helps.</P></BODY></HTML> Mon, 14 Mar 2005 12:39:36 GMT https://community.cisco.com/t5/network-security/static-route-on-pix/m-p/315367#M550584 rais 2005-03-14T12:39:36Z