Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
456
Views
0
Helpful
4
Replies

PIX 515 Static Routes

s.gilbrook
Level 1
Level 1

‎04-26-2004 07:27 AM - edited ‎02-20-2020 11:22 PM

We are in the process of installing a PIX 515E (running ver 6.3.1).

We are currently only using 2 interfaces, an inside (LAN) interface and outside (Internet) interface. There is a 3rd interface, but this is currently not in use.

The inside interface on the PIX sits on a 10.0.0.0/8 IP range and can see the LAN OK, it also allows connections from the 10.0.0.0/8 network out to the Internet OK. The problem is this:

There are servers on the 10.0.0.0/8 LAN which need to access Citrix services on a 172.16.0.0/16 LAN (located in different buildings that are connected by Fiber, but are administered by different organisations).

The 172.16.0.0 LAN is on the inside interface of an exisitng PIX 515E (which has a DMZ to the 10.0.0.0/8 LAN). The terminals that connect FROM the 10.0.0.0/8 LAN have their default gateway set-up as the LAN interface of the new PIX, however, the new PIX does not seem to be able to reach the 172.16.0.0/16 network (even though it is on the same physical LAN as the DMZ interface of the existing PIX).

We have tried putting the follwing static route into the new PIX:

inside 172.16.0.0 255.255.0.0 10.0.0.253 1 OTHER static

Are there any issues with routing inside to inside (so to speak !)

Thanks.

0 Helpful
4 Replies 4

ehirsel
Level 6
Level 6

‎04-26-2004 07:58 AM

The pix cannot route traffic back on the same interface on which it was received.

You can setup the 3rd interface of your new pix to connect to the existing pix. Does the existing pix also have an unused interface? What level of pix code does it run.

Since your new pix has 6.3 code you can use logical interfaces and setup a seperate subnet for a transit network for pix-new to connect to pix-current. The subnet has to be something other than 10/8 and 172/16/24. You will need to NAT the 10/8 inside clients to connect to the citrix servers, becasue it the pix-current sees them as they are (10/8) it will try to send the traffic direct to them and fail as ASA will note that the connection originated on an interface other than the dmz on that pix.

I hope this is clear. If not let me know and I'll try to explain better. But if you could answer my questions, it would help.

0 Helpful

s.gilbrook
Level 1
Level 1
In response to ehirsel

‎04-27-2004 12:09 AM

Thanks for the reply.

The existing PIX is running version 6.3(3) and unfortunatley does not have a spare interface.

Do you know where I could get some documentation on setting up a logical interface on the PIX ?

Thanks.

0 Helpful

ehirsel
Level 6
Level 6
In response to s.gilbrook

‎04-27-2004 03:37 AM

This link should take you to the pix 6.3 guide to getting the pix to work with vlan support. If the link does not work, go to www.cisco.com's technical documents, and do a search for pix 6.3 firewall and vpn config guide.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#1113411

0 Helpful

s.gilbrook
Level 1
Level 1
In response to ehirsel

‎06-01-2004 07:17 AM

Many thanks for the info. RE VLAN's on PIX.

I am in the process of setting this up and was wondering if anybody knows if adding a virtual interface to the PIX will effect the connections currently established ?

Are there any implications to adding this interface to a 'live' unit ?

Thanks in advance.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card