PIX Inside Command - NEED HELP!

Hi,

I have a PIX 501 Firewall that has two interfaces - outside and inside. The outside is connected to the Internet router and the inside is connected to the 192.168.3.0/24 network. I also have another router on the 192.168.3.0/24 LAN which is connected to 192.168.0.0/24 via a leased line. The clients on the 192.168.3.0/24 network have a default gateway of 192.168.3.1 (PIX Firewall).

I have added a route statement:

route inside 192.168.0.0 255.255.255.0 192.168.3.2

and made sure NAT0 is set to exclude 192.168.3.0/24 from being NATed to 192.168.0.0/24.

From a client machine I can ping 192.168.3.1 and 192.168.3.2 and can get to the Internet fine. But if I ping 192.168.0.10 or anything on 192.168.0.1 I get no reply. I have enabled debug icmp trace on the PIX and can see the ICMP echo request coming into the PIX for source 192.168.3.12 and destination 192.168.0.1. I have also enabled debug ip icmp on the router but I see no ICMP requests from anything. If I change the default gateway to the router I can ping 192.168.0.0/24 fine???

Does routing like this not work on the PIX?

Please help!

Reply to
ryanfinnerty

In article , wrote: [PIX 501]

No, there is no way to do that on a PIX 501 without adding additional hardware.

PIX 6.x is designed so that a packet that comes in to a [logical] interface will *never* be sent back out the same [logical] interface. PIX 7.0 and PIX 7.1 are designed the same way, but those allow an exception if one of the traffic directions involves a VPN. And PIX 7 does not run on the PIX 501.

You should reconfigure your clients to add a route to 192.168.0.0 via 192.168.3.2 as well as the default route (0.0.0.0 0.0.0.0) via the PIX.

There are work-around configurations that apply in some circumstances for all -other- PIX 5xx models running PIX 6.3 or later (PIX 6.3(2) for the 506), but none of those work-arounds are possible on the PIX 501. I have described the work-arounds several times on comp.dcom.sys.cisco.

Reply to
Walter Roberson
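To make the forwarding rule from the reply concrete, here is an added Python model (my own illustration, not code from the thread or from Cisco) of the PIX 6.x decision for a packet a client hands to its default gateway: longest-prefix route lookup, then the "never back out the ingress interface" rule. The outside addressing (203.0.113.0/24), the Internet router address 203.0.113.1, the interface name eth0 and all function names are assumptions; the 192.168.x.x addresses and the "route inside" entry are the ones from the post.

```python
import ipaddress

# Connected networks per PIX interface (outside addressing is a placeholder).
INTERFACES = {
    "outside": ipaddress.ip_network("203.0.113.0/24"),
    "inside": ipaddress.ip_network("192.168.3.0/24"),
}

# PIX routing table as (prefix, next_hop, egress interface). Connected networks
# deliver directly (next_hop None); the 192.168.0.0/24 entry is the poster's
# "route inside ..." statement; the default route next hop is a placeholder.
PIX_ROUTES = [
    (INTERFACES["inside"], None, "inside"),
    (INTERFACES["outside"], None, "outside"),
    (ipaddress.ip_network("192.168.0.0/24"), "192.168.3.2", "inside"),
    (ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1", "outside"),
]

# The suggested fix seen from a client: a specific route plus the default route.
CLIENT_ROUTES = [
    (ipaddress.ip_network("192.168.0.0/24"), "192.168.3.2", "eth0"),
    (ipaddress.ip_network("0.0.0.0/0"), "192.168.3.1", "eth0"),
]

def lookup_route(routes, dst):
    """Longest-prefix match; returns (next_hop, egress) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, egress in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop, egress)
    return None if best is None else (best[1], best[2])

def ingress_interface(src):
    """Interface a packet arrived on, judged by its source address."""
    src = ipaddress.ip_address(src)
    return next((n for n, net in INTERFACES.items() if src in net), "outside")

def pix_forward(src, dst):
    """PIX 6.x decision: ('forward', next_hop, egress) or ('drop', reason)."""
    ingress = ingress_interface(src)
    match = lookup_route(PIX_ROUTES, dst)
    if match is None:
        return ("drop", "no route")
    next_hop, egress = match
    if egress == ingress:
        # The rule from the reply: a packet is never sent back out the interface
        # it came in on, so the echo request seen in debug never reaches 192.168.3.2.
        return ("drop", f"would exit {egress}, same as ingress")
    return ("forward", next_hop, egress)

def client_next_hop(dst):
    """Where a client with the extra route sends the packet (PIX not involved)."""
    return lookup_route(CLIENT_ROUTES, dst)[0]
```

Running pix_forward("192.168.3.12", "192.168.0.1") reproduces the symptom (the request arrives on inside and is dropped), while client_next_hop("192.168.0.1") shows the client routing straight to 192.168.3.2 once the extra route is added.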

Sorry to be a pain, but could you give me links to the relevant posts regarding workarounds?

Many Thanks for your help!

Reply to
ryanfinnerty

The short summary:

a) add hardware, e.g. a router or another PIX or a Cisco ASA 5500

b) add physical interfaces to your PIX, and subnet IP space if need be

c) use an 802.1Q VLAN aware switch and a PIX that supports 802.1Q VLANs (i.e., any PIX 5xx with sufficiently new software except the 501 or 510), and subnet your IP space if need be

d) use PIX 7.x software and have one of the links be within a VPN and use the magic command to enable this case; at present this requires a PIX 515, 515E, 525, or 535.

But you can't add physical interfaces to a PIX 501, and the PIX 501 does not support VLANs and does not support 7.x software, so your only option is to change PIXes or to add another device.

Reply to
Walter Roberson

Thanks for your responses! Been a learning curve.

Reply to
ryanfinnerty

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.