https://community.cisco.com/t5/network-security/routing-between-a-pix-and-internet-router/m-p/53015#M623533 <HTML><HEAD></HEAD><BODY><P>Yes, thanks for the info. </P></BODY></HTML> Thu, 26 Sep 2002 23:07:40 GMT r-remien 2002-09-26T23:07:40Z https://community.cisco.com/t5/network-security/routing-between-a-pix-and-internet-router/m-p/53013#M623531 <P>Setup for outside VLAN:</P><P></P><P>1. Pix outside interface IP address 192.168.1.1</P><P>2. Internet router e0/0 - 192.168.1.3</P><P>3. default route on Pix - 0.0.0.0. 0.0.0.0 192.168.1.3</P><P>4. default route on Internet router - 0.0.0.0. 0.0.0.0 &lt;next hop to ISP&gt;</P><P>I do not have a route that points to the Pix for Inbound traffic.</P><P></P><P>2 questions:</P><P></P><P>1. Without a route back to the Pix on my Internet router for inbound traffic, how does the router know how to send it to the Pix?</P><P>2. Will this scenario work?</P><P>a. Internet router - 192.168.1.3</P><P>b. Outside Pix 1 interface - 192.168.1.1</P><P>c. Outside Pix 2 interface - 192.168.1.2</P><P></P><P>2 pix firewalls on the same outside subnet as my Internet router. If I have a a 192.168.1.0/27 subnet and I have the following statics:</P><P></P><P>Pix 1 - Static (inside,outside) 192.168.1.4 10.1.1.1 netmask 255.255.255.255 (Inside Lan 1)</P><P></P><P>Pix 2 - Static (inside,outside) 192.168.1.5 172.16.1.1 netmask 255.255.255.255 (Inside Lan 2)</P><P></P><P>Is it possible to route two different static translations from the same subnet on the outside from the same Internet router to 2 different LANs behind 2 different Pixes? If not, does anyone have another suggestion?</P><P></P><P>Thanks,</P><P>RJ</P><P></P> Fri, 21 Feb 2020 06:16:20 GMT https://community.cisco.com/t5/network-security/routing-between-a-pix-and-internet-router/m-p/53013#M623531 r-remien 2020-02-21T06:16:20Z https://community.cisco.com/t5/network-security/routing-between-a-pix-and-internet-router/m-p/53014#M623532 <HTML><HEAD></HEAD><BODY><P>1. It will work if you are using NAT or a static map for your internal IPs and the translated IP will be on the 192.168.1.x subnet (and then the router has that route -directly connectd). If the NAT IP were on a different subnet, it would fail.</P><P>2. Yes it is possible to have that scenario, as the 2 PIXs will only answer/translate to the IPs it knows about. As long as the 2 PIXs don't have the same translation rules (both would answer for the same destination), you are fine. They wouldn't know about each other or care.</P><P>An alternative to this, and one that increases redundancy, is to have the PIXs in failover and have all rules in the same place (downside is you need failover licence and more interfaces - 2 per subnet).</P><P>Hope it helps.</P><P>Steve</P></BODY></HTML> Thu, 26 Sep 2002 14:13:53 GMT https://community.cisco.com/t5/network-security/routing-between-a-pix-and-internet-router/m-p/53014#M623532 steve.barlow 2002-09-26T14:13:53Z https://community.cisco.com/t5/network-security/routing-between-a-pix-and-internet-router/m-p/53015#M623533 <HTML><HEAD></HEAD><BODY><P>Yes, thanks for the info. </P></BODY></HTML> Thu, 26 Sep 2002 23:07:40 GMT https://community.cisco.com/t5/network-security/routing-between-a-pix-and-internet-router/m-p/53015#M623533 r-remien 2002-09-26T23:07:40Z