static route on PIX

milan.zmarzlak
Level 1

Hi,

I have LAN 192.168.4.0/24 with a PIX (192.168.4.1), which users have set as their gateway, and with a Cisco 805 (192.168.4.100). And I have LAN 192.168.1.0 with the Cisco 805 (192.168.1.100). I need to set a static route on the PIX for LAN 192.168.1.0 where the gateway will be 192.168.4.100.

In Windows desktop in LAN 192.168.4.0 I use:

route add 192.168.1.0 mask 255.255.255.0 192.168.4.100

Can I set something like this on the PIX?

Thanks, Milan

8 Replies

rais
Level 7

You can use the following command:

route inside 192.168.1.0 255.255.255.0 192.168.4.100

HTH.

I tried this. In this case I can ping from the console on the PIX to 192.168.1.100, but I can't ping from a desktop in LAN 192.168.4.0.

I restarted the PIX and did clear xlate, but nothing helped.

show route shows me:

route inside 192.168.1.0 255.255.255.0 192.168.4.100 other

I tried route inside 192.168.1.100 255.255.255.255 192.168.4.100 but nothing happened.

Do you have the default route set to the PIX IP address on both hosts?

Thanks.

Hi,

I am afraid it is not possible to use the PIX this way. Traffic arriving at a PIX interface cannot be forwarded back through the same interface.

This is explained in the PIX FAQ document here, in the answer to "Can I operate the PIX in a 'one armed' configuration?":

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a0080094874.shtml

If you have a VLAN-capable switch, you can try setting up VLAN interfaces on the PIX (PIX 501 won't work), one VLAN for the first LAN and another VLAN for the router:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1113437

HTH,

Mustafa

Thanks Mustafa. I concur with you 100%.

Regards.

Thank you all. I believe that this helps me.

Milan

Hi,

I have no experience with VLAN, can anybody help me?

This is my configuration on the PIX; in this LAN I have the Cisco router 192.168.4.100:

PIX Version 6.3(3)133
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname xxx
domain-name xxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service mail tcp
port-object eq pop3
port-object eq smtp
access-list outbound01 permit icmp any any
access-list outbound01 permit tcp 192.168.4.0 255.255.255.0 any eq domain
access-list outbound01 permit udp 192.168.4.0 255.255.255.0 any eq domain
access-list outbound01 permit tcp 192.168.4.0 255.255.255.0 any eq aol
access-list outbound01 permit tcp any any eq ssh
access-list outbound01 permit tcp 192.168.4.0 255.255.255.0 any eq lotusnotes
access-list outbound01 permit tcp 192.168.4.0 255.255.255.0 any eq www
access-list outbound01 permit tcp 192.168.4.0 255.255.255.0 any eq https
access-list outbound01 permit tcp 192.168.4.0 255.255.255.0 any eq 3389
access-list outbound01 permit tcp 192.168.4.0 255.255.255.0 any eq 2439
access-list outbound01 permit tcp 192.168.4.0 255.255.255.0 any eq pop3
access-list outbound01 permit tcp 192.168.4.0 255.255.255.0 any eq smtp
access-list inbound01 permit icmp any any
access-list inbound01 deny ip any any
access-list inside_outbound_nat0_acl permit ip any 192.168.4.96 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any 192.168.4.96 255.255.255.248
access-list outside_cryptomap_dyn_100 permit ip any 192.168.4.96 255.255.255.248
pager lines 24
logging on
logging standby
logging console debugging
mtu outside 1500
mtu inside 1500
ip address outside 194.212.x.x 255.255.255.252
ip address inside 192.168.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.4.143 255.255.255.255 inside
pdm location 192.168.4.187 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.4.0 255.255.255.0 0 0
access-group inbound01 in interface outside
access-group outbound01 in interface inside
route outside 0.0.0.0 0.0.0.0 194.212.103.105 1
timeout xlate 3:00:00
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 80 set pfs group2
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 100 match address outside_cryptomap_dyn_100
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.4.187 255.255.255.255 inside
telnet timeout 5
ssh 192.168.4.143 255.255.255.255 inside
ssh timeout 30
dhcpd address 192.168.4.129-192.168.4.254 inside
dhcpd dns 212.65.x.x 212.65.x.x
dhcpd lease 43200
dhcpd ping_timeout 750
dhcpd domain xxx
dhcpd enable inside

Now things look doable to me. Are you saying your router has two IP addresses: 192.168.4.100 and 192.168.1.100?

If the answer to the above is affirmative, then simply point the default route of the internal hosts to the Cisco router (not the PIX) and point the router's default gateway to the PIX.

Does it make sense?

Hope this helps.
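The two answers above (Mustafa's point that a PIX will not send traffic back out the interface it arrived on, and the suggestion to make the Cisco 805 the hosts' default gateway) can be replayed in a small forwarding model. The following Python is an added illustration for this thread, not Cisco code and not something any participant posted. It assumes the PIX 6.3 behaviour described by Mustafa (packets are dropped when the route's egress interface equals the ingress interface, while traffic the PIX itself generates has no ingress interface and is exempt). The host addresses 192.168.4.50 and 192.168.1.10, the outside subnet 203.0.113.0/30, the Internet address 198.51.100.7 and the router interface names e0/e1 are constructed sample values that do not appear in the thread.

```python
"""Replay of the thread's two topologies under a 'no same-interface
forwarding' rule. Added illustration; addresses marked below are constructed."""

import ipaddress
from dataclasses import dataclass
from typing import Optional

IP, Net, Iface = ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv4Interface


@dataclass
class Route:
    prefix: Net
    interface: str
    next_hop: Optional[IP] = None          # None: directly connected


@dataclass
class Device:
    name: str
    interfaces: dict                       # ifname -> IPv4Interface
    routes: list
    no_hairpin: bool = False               # True models the PIX 6.3 restriction (assumed, per the FAQ)

    def owns(self, addr: IP) -> bool:
        return any(i.ip == addr for i in self.interfaces.values())

    def interface_facing(self, addr: IP) -> Optional[str]:
        # the interface whose subnet contains the sender: that is where the packet came in
        return next((n for n, i in self.interfaces.items() if addr in i.network), None)

    def lookup(self, dst: IP) -> Optional[Route]:
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)   # longest prefix wins

    def forward(self, dst: IP, ingress: Optional[str]):
        """Return (next_hop, egress_ip, note); next_hop is None when the packet is dropped."""
        route = self.lookup(dst)
        if route is None:
            return None, None, f"{self.name}: no route to {dst}, dropped"
        if self.no_hairpin and ingress is not None and ingress == route.interface:
            return None, None, f"{self.name}: {dst} arrived on {ingress} and would leave via {route.interface}, dropped"
        nxt = route.next_hop if route.next_hop is not None else dst
        return nxt, self.interfaces[route.interface].ip, f"{self.name}: {dst} via {route.interface}"


def trace(devices, src: IP, dst: IP, first_hop: IP, locally_generated=False):
    """Walk a packet from src toward dst, starting at the device that owns first_hop.
    Returns (ok, path); ok is False only when a device dropped the packet."""
    path, hop, sender = [], first_hop, (None if locally_generated else src)
    for _ in range(8):                                        # loop guard
        dev = next((d for d in devices if d.owns(hop)), None)
        if dev is None:                                       # not a modelled box: a host or the ISP
            path.append(("delivered to " if hop == dst else "handed off to ") + str(hop))
            return True, path
        if dev.owns(dst):
            path.append(f"{dev.name} accepts {dst}")
            return True, path
        ingress = dev.interface_facing(sender) if sender is not None else None
        hop, sender, note = dev.forward(dst, ingress)
        path.append(note)
        if hop is None:
            return False, path
    return False, path + ["hop limit exceeded"]


# Topology from the thread; 203.0.113.0/30 stands in for the real outside subnet (constructed).
PIX = Device("PIX", {"inside": Iface("192.168.4.1/24"), "outside": Iface("203.0.113.2/30")},
             [Route(Net("192.168.4.0/24"), "inside"),
              Route(Net("203.0.113.0/30"), "outside"),
              Route(Net("0.0.0.0/0"), "outside", IP("203.0.113.1")),
              Route(Net("192.168.1.0/24"), "inside", IP("192.168.4.100"))],   # the thread's 'route inside ...'
             no_hairpin=True)
C805 = Device("Cisco805", {"e0": Iface("192.168.4.100/24"), "e1": Iface("192.168.1.100/24")},
              [Route(Net("192.168.4.0/24"), "e0"),
               Route(Net("192.168.1.0/24"), "e1"),
               Route(Net("0.0.0.0/0"), "e0", IP("192.168.4.1"))])            # router's default gateway = PIX
DEVICES = [PIX, C805]
HOST_A, HOST_B, INTERNET = IP("192.168.4.50"), IP("192.168.1.10"), IP("198.51.100.7")   # constructed


def pix_as_gateway_lan_to_lan():
    """Original post: hosts in 192.168.4.0/24 use the PIX as gateway."""
    return trace(DEVICES, HOST_A, HOST_B, first_hop=PIX.interfaces["inside"].ip)

def pix_console_ping():
    """The ping that did work: generated by the PIX itself, so no ingress interface."""
    pix_ip = PIX.interfaces["inside"].ip
    return trace(DEVICES, pix_ip, IP("192.168.1.100"), first_hop=pix_ip, locally_generated=True)

def router_as_gateway_lan_to_lan():
    """Last reply's fix: hosts use the Cisco 805 as gateway, which is directly connected to 192.168.1.0."""
    return trace(DEVICES, HOST_A, HOST_B, first_hop=C805.interfaces["e0"].ip)

def router_as_gateway_internet():
    """Same fix, Internet-bound: router -> PIX inside -> PIX outside crosses interfaces, so it is allowed."""
    return trace(DEVICES, HOST_B, INTERNET, first_hop=C805.interfaces["e1"].ip)


if __name__ == "__main__":
    for fn in (pix_as_gateway_lan_to_lan, pix_console_ping, router_as_gateway_lan_to_lan, router_as_gateway_internet):
        ok, path = fn()
        print(f"{fn.__name__}: {'OK' if ok else 'FAIL'}\n  " + "\n  ".join(path))
```

Running it shows the first scenario dropped at the PIX (ingress inside, egress inside), the console ping accepted by the router, and both router-as-gateway scenarios succeeding; the PIX keeps its static route to 192.168.1.0/24 so that return traffic entering on outside can still reach the second LAN through the router.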
