Route in/out same interface on PIX

rate · ‎06-20-2005

Hi,

I was recently told that it is not possible to route traffic coming in via e.g. Eth1 out of Eth1 again to another router for example.

I'm not convinced though, and was wondering if any of you know of a way to do it? It is some special command, a question of rules or simply the need for a firmware update?

Thanks in advance,

Rasmus

sachinraja · ‎06-20-2005

Hello Rasmus

You are right... icmp redirects arent possible with PIX.. this is feature specific and does not depend on any commands or hardware...

try putting a router before/after pix and do redirection on router instead of pix...

just have a look at this pix faq document..

HTH

Raj

s309973 · ‎06-27-2005

I had the same need a little over a year ago and I opened a TAC case to ask if there were any "undocumented commands" to get the PIX to route packets in/out, for my particular SOHO need. I was advised it was NOT possible. I had to put a router just before the PIX, as has been mentioned in this thread.

timothy.arnold · ‎06-27-2005

Routing packets in/out of the same interface is known as hair-pinning. This is not supported in 6.x or previous versions, but you can enable it on PIX 7.x

HTH

rate · ‎06-27-2005

Really? That sounds great. Actually I think it weird they didn't implement it in earlier versions - a lot of other firewalls can do it.

Is it easy to configure, or is it rocket science?

a.alekseev · ‎06-28-2005

You can enable hair-pinning ONLY for VPN....

sunilc · ‎07-01-2005

Intra-interface firewalling is possible on both FWSM 2.3 amd PIX 7.0 using the 'same-security-traffic permit intra-interface' command.

On the FWSM this can be for any traffic. However on the PIX I beleive this is allowed only for IPSec traffic - VPN Hub-Spoke scenario to allow for spoke-spoke communication after firewalling on same interface.