03-12-2005 02:55 AM - edited 02-21-2020 12:00 AM
Hi,
I have LAN 192.168.4.0/24 with a PIX (192.168.4.1), which the users have set as their gateway, and with a Cisco 805 (192.168.4.100). And I have LAN 192.168.1.0 with a Cisco 805 (192.168.1.100). I need to set a static route on the PIX for LAN 192.168.1.0 where the gateway will be 192.168.4.100.
On a Windows desktop in LAN 192.168.4.0 I use:
route add 192.168.1.0 mask 255.255.255.0 192.168.4.100. Can I set something like this on the PIX?
Thanks, Milan
03-12-2005 03:43 AM
You can use the following command:
route inside 192.168.1.0 255.255.255.0 192.168.4.100
HTH.
03-12-2005 05:00 AM
I tried this; in this case I can ping from the console on the PIX to 192.168.1.100, but I can't ping from a desktop in LAN 192.168.4.0.
I restarted the PIX and cleared xlate, but nothing helped.
show route shows me:
route inside 192.168.1.0 255.255.255.0 192.168.4.100 other
I tried route inside 192.168.1.100 255.255.255.255 192.168.4.100 but nothing happened.
03-12-2005 04:45 PM
Do you have the default route set to the PIX IP address on both hosts?
Thanks.
03-12-2005 06:35 PM
Hi,
I am afraid it is not possible to use the PIX this way. Traffic arriving at a PIX interface cannot be forwarded back out through the same interface.
This is explained in the PIX FAQ document here, in an answer to "Can I operate the PIX in a "one armed" configuration?":
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a0080094874.shtml
If you have a VLAN-capable switch, you can try setting up VLAN interfaces on the PIX (PIX 501 won't work), one VLAN for the first LAN and another VLAN for the router.
HTH,
Mustafa
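The VLAN layout Mustafa describes, written out as an added example for PIX 6.3 (this is not configuration from the thread; the VLAN IDs, the interface name "routerlan", the transit subnet 192.168.5.0/24 and the router's new address 192.168.5.100 are all assumptions). The idea is that the Cisco 805 no longer sits on the same interface the hosts' traffic arrives on, so the PIX is routing between two interfaces instead of hairpinning on one:

```cisco
! Added example, not from the thread. PIX 6.3 802.1Q subinterface on ethernet1.
! Assumptions: VLAN 10 = the existing inside LAN 192.168.4.0/24, VLAN 20 = a new
! transit VLAN 192.168.5.0/24 holding only the Cisco 805 (re-addressed to
! 192.168.5.100); the switch port facing ethernet1 is a trunk carrying both.
interface ethernet1 vlan10 physical
interface ethernet1 vlan20 logical
nameif vlan20 routerlan security50
ip address routerlan 192.168.5.1 255.255.255.0
!
! The remote LAN is now reached through a different interface than "inside",
! so the route is usable for host traffic, not only for PIX-originated pings.
route routerlan 192.168.1.0 255.255.255.0 192.168.5.100 1
!
! Identity NAT between inside and routerlan. Without it the existing
! "nat (inside) 1" would look for a "global (routerlan) 1" and drop the flow.
static (inside,routerlan) 192.168.4.0 192.168.4.0 netmask 255.255.255.0 0 0
!
! outbound01 is applied inbound on "inside" and only permits a few services
! to "any"; traffic to 192.168.1.0 would otherwise hit the implicit deny.
access-list outbound01 permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
!
! Only needed if hosts in 192.168.1.0 must initiate connections to
! 192.168.4.0: routerlan is lower security, so inbound is denied by default.
access-list routerlan_in permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-group routerlan_in in interface routerlan
```

Keep the routerlan access list as narrow as the remote LAN really needs; the example permits all IP only to show where the rule goes. Whether VLAN 10 is tagged or the native VLAN on the trunk must match the switch side. Hairpinning on a single interface only became configurable with PIX 7.0 (`same-security-traffic permit intra-interface`), so on 6.3 this two-interface layout or a gateway change on the hosts are the available options.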
03-13-2005 07:08 AM
Thanks Mustafa. I concur with you 100%.
Regards.
03-13-2005 10:41 PM
Thank you all. I believe this will help me.
Milan
03-14-2005 12:02 AM
Hi,
I have no experience with VLANs; can anybody help me?
This is my configuration on the PIX; in this LAN I have a Cisco router at 192.168.4.100:
PIX Version 6.3(3)133
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname xxx
domain-name xxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service mail tcp
port-object eq pop3
port-object eq smtp
access-list outbound01 permit icmp any any
access-list outbound01 permit tcp 192.168.4.0 255.255.255.0 any eq domain
access-list outbound01 permit udp 192.168.4.0 255.255.255.0 any eq domain
access-list outbound01 permit tcp 192.168.4.0 255.255.255.0 any eq aol
access-list outbound01 permit tcp any any eq ssh
access-list outbound01 permit tcp 192.168.4.0 255.255.255.0 any eq lotusnotes
access-list outbound01 permit tcp 192.168.4.0 255.255.255.0 any eq www
access-list outbound01 permit tcp 192.168.4.0 255.255.255.0 any eq https
access-list outbound01 permit tcp 192.168.4.0 255.255.255.0 any eq 3389
access-list outbound01 permit tcp 192.168.4.0 255.255.255.0 any eq 2439
access-list outbound01 permit tcp 192.168.4.0 255.255.255.0 any eq pop3
access-list outbound01 permit tcp 192.168.4.0 255.255.255.0 any eq smtp
access-list inbound01 permit icmp any any
access-list inbound01 deny ip any any
access-list inside_outbound_nat0_acl permit ip any 192.168.4.96 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any 192.168.4.96 255.255.255.248
access-list outside_cryptomap_dyn_100 permit ip any 192.168.4.96 255.255.255.248
pager lines 24
logging on
logging standby
logging console debugging
mtu outside 1500
mtu inside 1500
ip address outside 194.212.x.x 255.255.255.252
ip address inside 192.168.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.4.143 255.255.255.255 inside
pdm location 192.168.4.187 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.4.0 255.255.255.0 0 0
access-group inbound01 in interface outside
access-group outbound01 in interface inside
route outside 0.0.0.0 0.0.0.0 194.212.103.105 1
timeout xlate 3:00:00
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 80 set pfs group2
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 100 match address outside_cryptomap_dyn_100
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.4.187 255.255.255.255 inside
telnet timeout 5
ssh 192.168.4.143 255.255.255.255 inside
ssh timeout 30
dhcpd address 192.168.4.129-192.168.4.254 inside
dhcpd dns 212.65.x.x 212.65.x.x
dhcpd lease 43200
dhcpd ping_timeout 750
dhcpd domain xxx
dhcpd enable inside
03-14-2005 04:39 AM
Now things look doable to me. Are you saying your router has two IP addresses, 192.168.4.100 and 192.168.1.100?
If the answer to the above is affirmative, then simply point the default route of the internal hosts to the Cisco router (not the PIX) and point the router's default gateway to the PIX.
Does it make sense?
Hope this helps.
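The alternative from the last reply, as an added example (not configuration from the thread). It assumes the same Cisco 805 holds 192.168.4.100 on its Ethernet interface and 192.168.1.100 on its other side, that its Ethernet interface is named Ethernet0, and that the hosts on 192.168.4.0 are changed to use the router as their gateway. The PIX side is shown as additions to the posted configuration:

```cisco
! Added example, not from the thread.
!
! --- Cisco 805 (IOS), assumed interface name Ethernet0 ---
! Everything that is not one of the two connected LANs goes to the PIX.
ip route 0.0.0.0 0.0.0.0 192.168.4.1
! The router forwards Internet traffic back out Ethernet0 toward the PIX and
! would by default tell each host to use 192.168.4.1 instead via ICMP
! redirects; suppress that so hosts keep a single, predictable gateway.
interface Ethernet0
 no ip redirects
!
! --- PIX 6.3, additions to the posted configuration ---
! Return traffic for 192.168.1.0 arrives on "outside" and leaves on "inside"
! toward the router, which is a normal two-interface path, not a hairpin.
route inside 192.168.1.0 255.255.255.0 192.168.4.100 1
! The posted "nat (inside) 1" covers only 192.168.4.0/24; without this line
! flows from 192.168.1.0 fail with "no translation group found".
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
! outbound01 restricts most services to source 192.168.4.0/24, so the remote
! LAN needs its own permits. Mirror only what that LAN actually requires.
access-list outbound01 permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list outbound01 permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list outbound01 permit tcp 192.168.1.0 255.255.255.0 any eq https
```

With this layout the PIX never has to send a packet back out the interface it came in on, so the original `route inside` line is sufficient. Note that the posted `dhcpd` scope hands out the PIX as the hosts' router, so the gateway change has to be made on the clients or by moving DHCP to the router.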