1. Home
  2. Cisco Systems
  3. PIX 506E Routing from Inside Interface network To outside interface network

PIX 506E Routing from Inside Interface network To outside interface network

I have a PIX 506E in which I want to route from a device on the inside interface subnet to a device on the outside interface subnet. Here is an example of what i want to do:

192.168.1.5 --> Computer on 192.168.1.0/24 network 192.168.1.1 --> IP address of inside interface on PIX

192.168.1.5 uses 192.168.1.1 as default GW

------------------------------­------------------------------­-----

192.168.2.5 --> Computer on 192.168.2.0/24 network 192.168.2.1 --> IP address of the outside interface on PIX

192.168.2.5 uses 192.168.2.1 as their gateway

I want to be able to communicate between subnets using the PIX as a router. Basically I want 192.168.1.5 to be able to talk to 192.168.2.5

and vice versa.

Can someone please tell me if this is possible, and if it is, what would the routing statements on the pix look like?

Reply to
marti314
Loading thread data ...

In article , marti314 wrote: :I have a PIX 506E in which I want to route from a device on the inside :interface subnet to a device on the outside interface subnet. Here is :an example of what i want to do:

:192.168.1.5 --> Computer on 192.168.1.0/24 network :192.168.1.1 --> IP address of inside interface on PIX :192.168.1.5 uses 192.168.1.1 as default GW

:192.168.2.5 --> Computer on 192.168.2.0/24 network :192.168.2.1 --> IP address of the outside interface on PIX :192.168.2.5 uses 192.168.2.1 as their gateway

:I want to be able to communicate between subnets using the PIX as a :router.

That isn't possible.

: Basically I want 192.168.1.5 to be able to talk to 192.168.2.5 :and vice versa.

:Can someone please tell me if this is possible,

No. There is no way to turn off Adaptive Security in PIX 5.x or PIX 6.x, so the closest you can get is to allow connections in both directions.

What's the difference? Well, suppose that 192.168.2.5 had a TCP connection open with 192.168.1.5, and that the connection was closed. Suppose

192.168.2.5 then tried to send further TCP packets to that port (e.g., a "half-closed" situation.) Then if the PIX was acting as a router, it would go ahead and pass on the packets, and 192.168.1.5 would do whatever it wanted with them (e.g., throw them away.) However, because you cannot turn off the Adaptive Security Algorithm, the PIX is going to discard those packets instead of routing them.

You can use the PIX to have regular normal connections between the two sides, but you can't have the PIX act as a router in the normal sense of the word.

:and if it is, what :would the routing statements on the pix look like?

static (inside,outside) 192.168.1.5 192.168.1.5 netmask 255.255.255.255

access-list out2in permit ip host 192.168.2.5 host 192.168.1.5 access-group out2in in interface outside

Notice the lack of 'route' statements. You do not need any 'route' statements on the PIX for communications between the IP range of the inside and outside interfaces.

You *might* need to put a route statement into the WAN router, but probably not, as the PIX will proxy ARP 192.168.1.5 when configured as above.

Note: you wouldn't -usually- configure in this way. -Usually- you would configure something more like

static (inside,outside) 192.168.2.4 192.168.1.5 netmask 255.255.255.255 access-list out2in permit ip host 192.168.2.5 host 192.168.2.4 access-group out2in in interface outside

In this configuration, 192.168.2.5 asks to talk to 192.168.2.4 and the PIX internally converts the destination to 192.168.1.5 .

Reply to
Walter Roberson

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.