04-11-2011 07:32 AM - edited 03-06-2019 04:33 PM
Hi to all,
I know that this question has been discussed many times, but I didn't find a clear answer and I still can't find any solution to my issue.
I've recently added a second subnet (192.168.2.0/24 in the diagram) to the inside interface of my PIX that can be reached through Router1.
All hosts in the LAN1 have the pix as a gateway.
If I try to ping from Host1 to Host2 it fails because the pix doesn't forward the packet to Router1.
The pix receives the request correctly, but doesn't forward it to Router1.
I also added a static route in the pix saying that subnet 192.168.2.x is accessible through Router1, but that only changes the error I see in the pix log.
My question is: is there a way to tell the pix to forward the requests to Router1?
I would not change the default gateway of the LAN1 hosts because I have a failover pix configuration that assures high availability and I don't want to lose this feature. And I'd like to be able to specify access-lists for the clients in Lan1 that can access Lan2.
Many thanks to all,
Francesco.
04-11-2011 07:46 AM
edp_cisco wrote: (original post quoted above)
It's a security feature that the PIX does not perform IP redirects. To correct this you will need to change the default gateway on the clients to the router. Your other option is to remove the router and use the PIX for inter-subnet routing.
04-11-2011 08:10 AM
Thank you very much Collin,
Can you explain your second option to me? Or give me a link where that configuration is explained?
Will I be exposed to security issues if I choose to implement this option?
Many thanks,
F.
04-11-2011 08:17 AM
Today the PIX is your default gateway for the 192.168.1.0 network. You would use another interface on the PIX as the gateway for the 192.168.2.0 network. Routing between the subnets is then controlled by the PIX (which sounds like what you want between hosts 1 & 2). See below for a crude example.
04-12-2011 01:55 AM
Ah, ok. I hadn't understood.
It's clear now.
What about using VLANs?
Or can OSPF help in some way?
Thank you.
04-12-2011 04:30 AM
Maurizio
Do you have a spare interface on your pix?
If not, you would need to use subinterfaces on your pix or simply redirect traffic back out of the same interface. If you choose to redirect traffic back out of the same interface, then that depends on the pix model and the IOS you are running.
Can you specify what pix model you have and what version of software it is running? Plus, do you have any spare interfaces on the pix?
Note that you can still limit access with access-lists if you use the router as the default gateway for both LANs, but I understand what you are saying about redundancy. If you did move LAN2 to the pix then, as Collin said, your router is not needed.
Finally, what switch are you using for your LAN connectivity - can it do 802.1q trunking?
Jon
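A worked configuration for the dedicated-interface approach Collin describes and the subinterface variant Jon mentions, as an added example that is not part of the thread and not a config posted by anyone in it. It is written against PIX 7.0 syntax. The interface names (Ethernet1/Ethernet2), addresses (PIX 192.168.1.1/.2 standby on LAN1, 192.168.2.1/.2 standby on LAN2, Host1 = 192.168.1.10, Host2 = 192.168.2.10), the access-list name and the VLAN id are all assumptions chosen for illustration.

```cisco
! Added example, not from the original thread. All names, addresses and VLAN ids are assumed.
!
! --- Option 1 (Collin): LAN2 moves to a spare PIX interface; Router1 is removed ---
!
! LAN1 stays on the existing inside interface; standby address is assumed for the failover pair.
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 no shutdown
!
! Spare interface becomes the default gateway for LAN2. Lower security level than inside,
! so inside -> lan2 is allowed by default and lan2 -> inside is denied unless an ACL permits it.
interface Ethernet2
 nameif lan2
 security-level 90
 ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2
 no shutdown
!
! If nat-control is enabled (the usual case on a config upgraded from 6.x), traffic between
! two interfaces needs a translation rule; an identity static keeps LAN1 addresses unchanged.
static (inside,lan2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!
! Restrict which LAN1 clients may reach LAN2: only Host1 -> Host2 is allowed, the rest of
! LAN1 -> LAN2 is denied, and everything else from LAN1 (e.g. towards the outside) is kept.
! Because the ACL is bound inbound on inside, it filters ALL traffic from LAN1, so the final
! permit line is required to avoid cutting off Internet access.
access-list inside_in extended permit ip host 192.168.1.10 host 192.168.2.10
access-list inside_in extended deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_in extended permit ip 192.168.1.0 255.255.255.0 any
access-group inside_in in interface inside
!
! Make ping work statefully: with icmp inspection the echo-reply from Host2 is matched to the
! echo-request from Host1, so no ACL is needed on lan2 for the return traffic.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! --- Option 2 (Jon): no spare interface, so trunk an 802.1q subinterface instead ---
! Only on PIX models/licenses that support VLAN subinterfaces; the switch port must be a trunk.
! The physical interface carries no nameif/ip of its own; the subinterface replaces Ethernet2 above.
interface Ethernet2
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet2.20
 vlan 20
 nameif lan2
 security-level 90
 ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2
```

The ACL, identity static and icmp inspection apply unchanged to either option, since only the interface definition differs. The third route Jon mentions (sending traffic back out of inside towards Router1) needs `same-security-traffic permit intra-interface` plus a route for 192.168.2.0/24 via Router1's inside address; the caveat is that replies from LAN2 go from Router1 straight to the LAN1 host without passing the PIX, so the PIX only ever sees one direction of each flow and its stateful inspection and logging give a partial picture. That is why the dedicated interface (or subinterface) is the cleaner choice when the goal is to control LAN1 -> LAN2 access with access-lists.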
04-12-2011 06:20 AM
Hi Jon,
Thanks for your interest.
I have an old pix:
"show version" reports:
Cisco PIX Security Appliance Software Version 7.0(4)
Device Manager Version 5.0(4)
I also have 3 additional interfaces that I can use as Collin suggests.
The switches are D-Link DGS-3324SR. I think they support 802.1q.
I think that using a dedicated interface is the best solution for me, even if it is not fully scalable.
I'm asking about other solutions only for completeness.
Many thanks,
F.