Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1191
Views
0
Helpful
6
Replies

Can the Pix Inside Interface route the traffic at the same segment?

Go to solution
cindylee27
Level 1
Level 1

‎01-21-2007 07:16 PM - edited ‎03-11-2019 02:22 AM

Hi All,

I have a scenario here.

Try to connect a network range to the particular server but the gateway is pointing to the pix firewall interface.

Will the traffic works since the firewall interface is the same segment with the server?

i have attached the network diagram as attached.

Thanks..

Labels:
21652-172.16.1.0 to 10.10.6.5.vsd
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
sachinraja
Level 9
Level 9

‎01-21-2007 07:42 PM

Hi cindee

I dont think the PIX will route the traffic on the same interface, as it received the traffic.. this was done for enhancing the security in PIX. which version of code are you running ?? I'm sure , with 6.x code this is not possible.. anyway, u can try out some options, to overcome your issue:

1) If possible put a static route for 172.16.1.0/24 network on the server, to go directly to the router, instead of coming to the PIX... Is this the only network you are going to reach through the router A - router B link ??

2) or change the default gateway of the servers to the router ethernet interface. On the router, you can either configure static routes or route-maps (source based routing), for some subnets to reach the PIX... This will be a really good option...

3) Put the router A on the DMZ port of the PIX, instead of connecting on inside.. by this, routing of packets will not be hindered.. but you gotta make sure of the configurations to be made in PIX, which increases administrative overhead !!!!

Hope this helps.. all the best.. rate replies if found useful..

Raj

View solution in original post

0 Helpful

Go to solution
sebastan_bach
Level 4
Level 4
In response to cindylee27

‎01-21-2007 09:34 PM

hi yes this can be done with the 7.2 code on the pix or asa. u need to give a command on the pix for same-security-traffic permit intra-interface which will allow packts entering and leaving the same interface.

this was basically made for hub and spoke vpn but in 7.2 code it will also allow clear text traffic.

hope this helps

regards

sebastan

View solution in original post

0 Helpful
6 Replies 6

Go to solution
sachinraja
Level 9
Level 9

‎01-21-2007 07:42 PM

Hi cindee

I dont think the PIX will route the traffic on the same interface, as it received the traffic.. this was done for enhancing the security in PIX. which version of code are you running ?? I'm sure , with 6.x code this is not possible.. anyway, u can try out some options, to overcome your issue:

1) If possible put a static route for 172.16.1.0/24 network on the server, to go directly to the router, instead of coming to the PIX... Is this the only network you are going to reach through the router A - router B link ??

2) or change the default gateway of the servers to the router ethernet interface. On the router, you can either configure static routes or route-maps (source based routing), for some subnets to reach the PIX... This will be a really good option...

3) Put the router A on the DMZ port of the PIX, instead of connecting on inside.. by this, routing of packets will not be hindered.. but you gotta make sure of the configurations to be made in PIX, which increases administrative overhead !!!!

Hope this helps.. all the best.. rate replies if found useful..

Raj

0 Helpful

Go to solution
cindylee27
Level 1
Level 1
In response to sachinraja

‎01-21-2007 09:12 PM

Thanks Raj! ;)

But my problem here is the router A's routing is all pointing to the PIX Inside Interface, 10.10.6.1. Can i put a static route in the Router A to point directly to the SAP Server IP, 10.10.6.5??

Will the network 172.16.1.0/24 go directly to 10.10.6.5 if the route is at ROuter A?

Thanks again!

0 Helpful

Go to solution
sebastan_bach
Level 4
Level 4
In response to cindylee27

‎01-21-2007 09:34 PM

hi yes this can be done with the 7.2 code on the pix or asa. u need to give a command on the pix for same-security-traffic permit intra-interface which will allow packts entering and leaving the same interface.

this was basically made for hub and spoke vpn but in 7.2 code it will also allow clear text traffic.

hope this helps

regards

sebastan

0 Helpful

Go to solution
cindylee27
Level 1
Level 1
In response to sebastan_bach

‎01-21-2007 10:15 PM

Thanks Sebastan,

The ver is 6.3.3.

Any other ways to be done to allow this traffic as I could not move the network to another interface, it should come from the inside interface as well.

Anything can be done on the router end ?

Thanks again.

0 Helpful

Go to solution
sachinraja
Level 9
Level 9
In response to cindylee27

‎01-21-2007 10:33 PM

Hello cindy,

sebastan is right.. u can have a look at this following URL for 7.x ASA's, which allow intra-interface traffic:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

if u dont want to upgrade the pix to 7.x, i think the only possible solutions are the one discussed above in my post.. you can also think of investing on a L3 switch, if it makes sense on your network !!!

Let us know if you need any more help on this.

Raj

0 Helpful

Go to solution
cindylee27
Level 1
Level 1
In response to sachinraja

‎01-23-2007 12:33 AM

Thanks guy..

Have solved the problem. The SAP Server def. gateway is actually pointing to the router interface instead. bravo! case close. :)

Thanks again..will rate helpful post.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card