Adding an additional route to a PIX 525?

I have a PIX 525 (172.16.1.181/16) that serves as the default gateway for a bunch of client machines. I also have a site-to-site VPN connected for access to a remote office; its local IP is 172.16.1.188/16 and the remote end is 172.20.11.0/24.

What I would like to do is be able to add a static route on the PIX 525 to say that all traffic destined for 172.20.11.0/24 should be routed out via 172.16.1.188. I used this command on the PIX:

route inside 172.20.11.0 255.255.255.0 172.16.1.188

But, unfortunately, it didn't have the result that I wanted. It was successful insofar as it let the PIX 525 ping the PIX at the remote VPN, but it wasn't forwarding client requests for 172.20.11.0 that had their default gateway set to 172.16.1.181 (i.e. the 525). What am I missing here?

Thanks,

Chris


I believe we are in the same boat, or at least rowing next to each other. (-;

I think that as someone replied to my message, you also need to add the remote networks to the proper ACLs (Inbound/Outbound NAT, & Crypto ACLs) to allow it to pass traffic to/from the remote network. You have to be sure that the traffic is not NATed on either end too.

I'm pretty sure I have all of that in, though I'm missing something. I'm going one step further and have another subnet beyond the remote VPN subnet.

Scott


You can't do this on the Pix. You can't bounce packets off the inside interface and route them back inside the network to another host. I'm sure that Walter is sick of telling people this ;-)

Chris2.


Hello,

What you have to do is to define with an ACL which traffic goes to the VPN (should be encrypted). The PIX can't route packets through the same port, so I presume that your VPN connection is made on your outside port.

As I've said earlier, check Cisco.com; you have a lot of cookbooks regarding this specific scenario.

h.


What he is trying to do is have the PIX as the default gateway on 172.16.1.181 but then have that route traffic destined for the remote network back inside to a different gateway, 172.16.1.188 (doesn't say what that is). The PIX won't 'route on a stick'.

Chris.


Is another name for this a "hairpin" connection? It seems unfortunate that I can't get this accomplished... :-( having to add 10 static routes to 100 client machines is a lot more work than adding one static route on a PIX!

Chris

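The two things this thread turns on, the hairpin condition (a next hop that lives on the same interface the clients are on) and the alternative of getting the 172.20.11.0/24 route onto the clients themselves, as an added example that is not part of any post above. The addressing is taken from the thread; the DHCP option 121 (RFC 3442) encoding and the ISC dhcpd option syntax are the assumed way to push that route to all clients at once instead of typing it on each machine.

```python
"""Hairpin check plus client-side route distribution for the PIX question above.

Added example, not from the thread.  Addressing from the posts:
  PIX inside interface  172.16.1.181/16  (clients' default gateway)
  VPN device, inside    172.16.1.188
  remote office         172.20.11.0/24
Everything else (dhcpd option syntax, per-host commands) is an assumption.
"""
import ipaddress

PIX_INSIDE = ipaddress.ip_interface("172.16.1.181/16")
VPN_GATEWAY = ipaddress.ip_address("172.16.1.188")
REMOTE_NET = ipaddress.ip_network("172.20.11.0/24")


def would_hairpin(pix_interface, next_hop):
    """True when a static route via next_hop would make the PIX send a packet
    back out the interface it arrived on.  For traffic from the clients that is
    the case whenever the next hop sits in the inside interface's own subnet:
    the packet enters 'inside' and would have to leave 'inside' again."""
    return ipaddress.ip_address(next_hop) in pix_interface.network


def encode_rfc3442_routes(routes):
    """Encode (destination, router) pairs as the octet list DHCP option 121
    (RFC 3442) carries: prefix length, only the significant octets of the
    destination (ceil(prefixlen / 8) of them), then the 4 router octets."""
    octets = []
    for dest, router in routes:
        dest = ipaddress.ip_network(dest)
        significant = (dest.prefixlen + 7) // 8
        octets.append(dest.prefixlen)
        octets.extend(dest.network_address.packed[:significant])
        octets.extend(ipaddress.ip_address(router).packed)
    return octets


def isc_dhcpd_option(routes):
    """Render the routes as ISC dhcpd configuration.  The option definitions
    are the assumed idiom: code 121 is the RFC 3442 option, code 249 is the
    Microsoft variant that older Windows clients read instead."""
    values = ", ".join(str(o) for o in encode_rfc3442_routes(routes))
    return "\n".join([
        "option rfc3442-classless-static-routes code 121 = array of integer 8;",
        "option ms-classless-static-routes code 249 = array of integer 8;",
        f"option rfc3442-classless-static-routes {values};",
        f"option ms-classless-static-routes {values};",
    ])


def client_route_commands(dest, router):
    """Per-host equivalents for clients that do not honour option 121."""
    dest = ipaddress.ip_network(dest)
    return {
        "windows": f"route -p add {dest.network_address} mask {dest.netmask} {router}",
        "linux": f"ip route add {dest} via {router}",
    }


if __name__ == "__main__":
    # The route from the thread: next hop is on the inside subnet, so it hairpins.
    print("hairpin:", would_hairpin(PIX_INSIDE, VPN_GATEWAY))
    # RFC 3442: a client that receives option 121 ignores option 3 (router),
    # so the default route via the PIX must travel in the same option.
    routes = [(REMOTE_NET, VPN_GATEWAY), ("0.0.0.0/0", PIX_INSIDE.ip)]
    print(isc_dhcpd_option(routes))
    print(client_route_commands(REMOTE_NET, VPN_GATEWAY)["windows"])
```

The default route in the option list is not optional: once a client accepts option 121 it discards the router option, so a server that sends only the 172.20.11.0/24 entry leaves clients with no default gateway at all.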

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.