03-15-2011 06:31 AM - edited 03-11-2019 01:07 PM
Hi gurus,
I am having trouble with routing in PIX501
I have one Pix 501 and one Cisco router
The Cisco router is configured for IPSEC VPN (LAN interface 172.19.194.1) and the PIX is configured for accessing the internet.
The default gateway of the PCs in the LAN is the PIX inside interface (172.19.194.2), but people are unable to access the corporate network, though they can access the internet.
Below is the route command configured on the PIX.
route inside 172.19.206.0 255.255.255.0 172.19.194.1 1
If I set the default gateway to the Cisco router LAN interface (172.19.194.1), then I can access the corporate network.
The purpose is to pass internet traffic through the PIX 501 and corporate network traffic through the Cisco router.
Can anyone help me in this regard?
I have attached the diagram for the network
Thanks
03-15-2011 06:58 AM
Hello Imran,
If I get the requirement right, you need to access the internet using the PIX (.2) as the gateway and, while accessing the corporate network, i.e. over the IPSec tunnel, use the router (.1) as the gateway.
One option is to set routes on the workstations for the corp network. For e.g., for a Windows machine, say your corp network is the 10.0.0.0/8 network, then add
route -add
For more help, refer : http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_tcpip_pro_addstaticroute.mspx?mfr=true
This option is feasible in a small work/home environment.
The other option is to use the PIX in the network alone, utilize another interface to terminate the VPN, and do the routing on the PIX.
One more option, which will cost an extra device: add a router in the network before both gateways and do Policy Based Routing.
Hope this helps. Please reply back if you need any further assistance.
Regards,
Chirag
P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.
03-15-2011 07:23 AM
Dear Saxena,
Thanks for your reply, and you understood my situation correctly.
I understand option number one, but I think it is not feasible.
But I want to know why I cannot use the PIX as a routing device in this case, as I am using it now.
Actually, I have two different internet connections (I want to utilise one for IPSEC and the second for internet browsing).
Terminating the VPN on the PIX is not attractive for me.
If I add another router, do I still need policy based routing, or will simple routing be enough?
Looking for your support
Regards
03-15-2011 07:43 AM
Hi Imran,
Yes, that option is not a very scalable solution.
Well, I guess you are right. We can use the PIX as the gateway for all traffic and U-turn the traffic for the corporate network to the router. We might have to check the possibility of asymmetric routing for the return traffic.
1) PIX will be the gateway for all
2) route inside -> router for corp network
3) TCP state bypass will be required on the firewall
4) UDP traffic will get dropped due to asymmetric routing, so we will require a local DNS server
Another option is to utilize 2 ISPs on the PIX on 2 different interfaces. Configure 2 interfaces, say out1 & out2, at security level 0. One will be for the internet and the other will be for the IPSec tunnel.
Hope this helps. Please reply back if you need any further assistance.
Regards,
Chirag
P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.
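The U-turn failure mode Chirag describes above (PC -> PIX inside -> router, with replies going router -> PC directly and never crossing the PIX), modelled as an added example that is not part of this thread and is not PIX or ASA code. The connection-tracking rules are a simplified assumption of what a stateful inspection engine does: TCP packets are forwarded only for flows whose handshake the firewall has observed, unless TCP state bypass is enabled. Addresses are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK", "ACK" or "DATA"

@dataclass
class StatefulFirewall:
    """Simplified stateful inspection model (an assumption, not real PIX logic)."""
    tcp_state_bypass: bool = False
    conns: dict = field(default_factory=dict)  # flow key -> "SYN_SEEN" | "ESTABLISHED"

    def inspect(self, pkt: Packet) -> str:
        """Verdict for a packet the firewall actually sees: 'FORWARD' or 'DROP'."""
        key = tuple(sorted((pkt.src, pkt.dst)))  # same key for both directions
        if self.tcp_state_bypass:
            return "FORWARD"  # bypass: no handshake tracking for this flow
        if pkt.flags == "SYN":
            self.conns[key] = "SYN_SEEN"
            return "FORWARD"
        if pkt.flags == "SYN-ACK" and self.conns.get(key) == "SYN_SEEN":
            self.conns[key] = "ESTABLISHED"
            return "FORWARD"
        if self.conns.get(key) == "ESTABLISHED":
            return "FORWARD"
        return "DROP"  # no complete handshake observed for this flow

def uturn_session(bypass: bool) -> list:
    """Corp-bound flow: only the PC -> router direction transits the PIX."""
    fw = StatefulFirewall(tcp_state_bypass=bypass)
    pc, corp = "172.19.194.10", "172.19.206.5"  # constructed sample hosts
    verdicts = [fw.inspect(Packet(pc, corp, "SYN"))]  # PC -> PIX -> router
    # The SYN-ACK comes back router -> PC on the same LAN; the PIX never sees it,
    # so nothing is fed to fw.inspect() for that packet.
    verdicts.append(fw.inspect(Packet(pc, corp, "ACK")))   # third handshake packet
    verdicts.append(fw.inspect(Packet(pc, corp, "DATA")))  # application data
    return verdicts

def internet_session() -> list:
    """Internet-bound flow: both directions transit the PIX, so state is complete."""
    fw = StatefulFirewall()
    pc, web = "172.19.194.10", "203.0.113.20"  # constructed sample hosts
    return [fw.inspect(Packet(pc, web, "SYN")),
            fw.inspect(Packet(web, pc, "SYN-ACK")),
            fw.inspect(Packet(pc, web, "ACK"))]
```

Without bypass the U-turn flow loses every packet after the SYN, which is the symptom in the original post; with bypass the firewall forwards the flow but also stops inspecting it, which is the trade-off point 3 above implies.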
03-15-2011 08:56 PM
Dear Saxena,
Thank you for your reply and support.
I think my PIX 501 firewall does not support the TCP state bypass configuration.
Your second option is also difficult to opt for, as I have only two interfaces on the Cisco PIX 501 (inside and outside).
What about using a Layer 3 switch?
Any other option to streamline routing?
Looking forward to your support.
Regards
03-15-2011 09:41 PM
Yes, on a Layer 3 switch you can do routing for the internet & corp network. This will help.
Regards,
Chirag
03-15-2011 10:29 PM
Thanks Again,
It seems that I do not have any Layer 3 switch in inventory now.
Can I set it up using a 1900 series router with two Ethernet interfaces?
Making three VLANs and then doing inter-VLAN routing.
Please suggest.
Thanks
Regards