From: Chris on 6 Mar 2007 08:32

I have a PIX 525 (172.16.1.181/16) that serves as the default gateway for a bunch of client machines. I also have a site-to-site VPN connected for access to a remote office, its local IP is 172.16.1.188/16 and the remote end is 172.20.11.0/24.

What I would like to do is be able to add a static route on the PIX 525 to say that all traffic destined for 172.20.11.0/24 should be routed out via 172.16.1.188. I used this command on the PIX:

route inside 172.20.11.0 255.255.255.0 172.16.1.188

But, unfortunately, it didn't have the result that I wanted. It was successful in so far as it let the PIX 525 ping the PIX at the remote VPN, but it wasn't forwarding client requests for 172.20.11.0 that had their default gateway set to 172.16.1.181 (i.e. the 525). What am I missing here?

Thanks,

Chris
From: Scott Townsend on 6 Mar 2007 09:26

I believe we are in the same boat, or at least rowing next to each other. (-;

I think that as someone replied to my message, you also need to add the remote networks to the proper ACLs (Inbound/Outbound NAT, & Crypto ACLs) to allow it to pass traffic to/from the remote network.

You have to be sure that the traffic is not NATed on either end too.

I'm pretty sure I have all of that in, though I'm missing something. I'm going one step further and have another subnet beyond the remote VPN subnet.

Scott<-

"Chris" <chriswaltham(a)gmail.com> wrote in message
news:1173187958.927419.203810(a)64g2000cwx.googlegroups.com...
>I have a PIX 525 (172.16.1.181/16) that serves as the default gateway
> for a bunch of client machines. I also have a site-to-site VPN
> connected for access to a remote office, its local IP is
> 172.16.1.188/16 and the remote end is 172.20.11.0/24.
>
> What I would like to do is be able to add a static route on the PIX
> 525 to say that all traffic destined for 172.20.11.0/24 should be
> routed out via 172.16.1.188. I used this command on the PIX:
>
> route inside 172.20.11.0 255.255.255.0 172.16.1.188
>
> But, unfortunately, it didn't have the result that I wanted. It was
> successful in so far as it let the PIX 525 ping the PIX at the remote
> VPN, but it wasn't forwarding client requests for 172.20.11.0 that had
> their default gateway set to 172.16.1.181 (i.e. the 525). What am I
> missing here?
>
> Thanks,
>
>
> Chris
>
From: chris on 6 Mar 2007 13:29

"Chris" <chriswaltham(a)gmail.com> wrote in message
news:1173187958.927419.203810(a)64g2000cwx.googlegroups.com...
>I have a PIX 525 (172.16.1.181/16) that serves as the default gateway
> for a bunch of client machines. I also have a site-to-site VPN
> connected for access to a remote office, its local IP is
> 172.16.1.188/16 and the remote end is 172.20.11.0/24.
>
> What I would like to do is be able to add a static route on the PIX
> 525 to say that all traffic destined for 172.20.11.0/24 should be
> routed out via 172.16.1.188. I used this command on the PIX:
>
> route inside 172.20.11.0 255.255.255.0 172.16.1.188
>
> But, unfortunately, it didn't have the result that I wanted. It was
> successful in so far as it let the PIX 525 ping the PIX at the remote
> VPN, but it wasn't forwarding client requests for 172.20.11.0 that had
> their default gateway set to 172.16.1.181 (i.e. the 525). What am I
> missing here?
>
> Thanks,
>
>
> Chris
>

You can't do this on the Pix. You can't bounce packets off the inside interface and route them back inside the network to another host. I'm sure that Walter is sick of telling people this ;-)

Chris2.
From: Havoc 25 on 6 Mar 2007 13:40

Hello,

What you have to do is to define with ACL which traffic goes to the VPN (should be encrypted). PIX can't route packets through the same port, so I presume that your VPN connection is made on your outside port.

As I've said earlier, check Cisco.com, you have a lot of cookbooks regarding this specific scenario.

h.

"chris" <mandrake440(a)nospam.hotmailDOTcom> wrote in message
news:pNadnUG1LpklL3DYRVnyjwA(a)eclipse.net.uk...
>
> "Chris" <chriswaltham(a)gmail.com> wrote in message
> news:1173187958.927419.203810(a)64g2000cwx.googlegroups.com...
>>I have a PIX 525 (172.16.1.181/16) that serves as the default gateway
>> for a bunch of client machines. I also have a site-to-site VPN
>> connected for access to a remote office, its local IP is
>> 172.16.1.188/16 and the remote end is 172.20.11.0/24.
>>
>> What I would like to do is be able to add a static route on the PIX
>> 525 to say that all traffic destined for 172.20.11.0/24 should be
>> routed out via 172.16.1.188. I used this command on the PIX:
>>
>> route inside 172.20.11.0 255.255.255.0 172.16.1.188
>>
>> But, unfortunately, it didn't have the result that I wanted. It was
>> successful in so far as it let the PIX 525 ping the PIX at the remote
>> VPN, but it wasn't forwarding client requests for 172.20.11.0 that had
>> their default gateway set to 172.16.1.181 (i.e. the 525). What am I
>> missing here?
>>
>> Thanks,
>>
>>
>> Chris
>>
>
> You can't do this on the Pix. You can't bounce packets off the inside
> interface and route them back inside the network to another host. I'm sure
> that Walter is sick of telling people this ;-)
>
> Chris2.
>
From: chris on 6 Mar 2007 13:57

"Havoc 25" <havoc25(a)gmail.com> wrote in message
news:eskcih$d1i$1(a)ss408.t-com.hr...
> Hello,
>
> What you have to do is to define with ACL which traffic goes to the VPN
> (should be encrypted). PIX can't route packets through the same port, so
> I presume that your VPN connection is made on your outside port.

What he is trying to do is have the Pix as the default gateway on 172.16.1.181 but then have that route traffic destined for the remote network back inside to a different gateway, 172.16.188 (doesn't say what that is). The pix won't 'route on a stick'.

Chris.

>
> "chris" <mandrake440(a)nospam.hotmailDOTcom> wrote in message
> news:pNadnUG1LpklL3DYRVnyjwA(a)eclipse.net.uk...
>>
>> "Chris" <chriswaltham(a)gmail.com> wrote in message
>> news:1173187958.927419.203810(a)64g2000cwx.googlegroups.com...
>>>I have a PIX 525 (172.16.1.181/16) that serves as the default gateway
>>> for a bunch of client machines. I also have a site-to-site VPN
>>> connected for access to a remote office, its local IP is
>>> 172.16.1.188/16 and the remote end is 172.20.11.0/24.
>>>
>>> What I would like to do is be able to add a static route on the PIX
>>> 525 to say that all traffic destined for 172.20.11.0/24 should be
>>> routed out via 172.16.1.188. I used this command on the PIX:
>>>
>>> route inside 172.20.11.0 255.255.255.0 172.16.1.188
>>>
>>> But, unfortunately, it didn't have the result that I wanted. It was
>>> successful in so far as it let the PIX 525 ping the PIX at the remote
>>> VPN, but it wasn't forwarding client requests for 172.20.11.0 that had
>>> their default gateway set to 172.16.1.181 (i.e. the 525). What am I
>>> missing here?
>>>
>>> Thanks,
>>>
>>>
>>> Chris
>>>
>>
>> You can't do this on the Pix. You can't bounce packets off the inside
>> interface and route them back inside the network to another host. I'm
>> sure that Walter is sick of telling people this ;-)
>>
>> Chris2.
>>
>
>
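
The behaviour described in this thread, as an added example that is not part of any poster's message and is not PIX code: a simplified Python model of a firewall that will not forward a packet out of the interface it arrived on. The interface name and addresses come from the thread; the `outside` default route, its next hop 192.0.2.1, and the function names are assumptions made for illustration.

```python
import ipaddress

# Simplified model of the same-interface rule discussed in the thread.
# Each route: (destination network, egress interface, next hop or None if connected).
ROUTES = [
    ("172.16.0.0/16", "inside", None),             # connected inside network (thread)
    ("172.20.11.0/24", "inside", "172.16.1.188"),  # static route from the thread
    ("0.0.0.0/0", "outside", "192.0.2.1"),         # assumed default route
]

def lookup(dst):
    """Longest-prefix match over ROUTES; returns (interface, next_hop)."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), iface, hop)
               for net, iface, hop in ROUTES
               if addr in ipaddress.ip_network(net)]
    _, iface, hop = max(matches, key=lambda m: m[0].prefixlen)
    return iface, hop

def forward(dst, ingress=None):
    """Decide what happens to a packet. ingress=None means the firewall
    itself originated it (e.g. a ping typed on its console)."""
    iface, hop = lookup(dst)
    if ingress is not None and ingress == iface:
        # The hairpin case: in on 'inside', route points back out 'inside'.
        return ("drop", f"egress {iface} is the interface the packet arrived on")
    return ("send", f"out {iface} via {hop or 'directly connected'}")

def hairpin_routes(client_ifaces):
    """Static routes that only work for firewall-originated traffic, because
    clients on the same interface would need their packets turned around."""
    return [net for net, iface, hop in ROUTES
            if hop is not None and iface in client_ifaces]

if __name__ == "__main__":
    print("firewall ping :", forward("172.20.11.5"))
    print("client packet :", forward("172.20.11.5", ingress="inside"))
    print("internet-bound:", forward("198.51.100.7", ingress="inside"))
    print("hairpin routes:", hairpin_routes({"inside"}))
```

The model reproduces the symptom in the first post: the route works for traffic the firewall originates, while a client packet arriving on `inside` for 172.20.11.0/24 is dropped.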