Routing with a Cisco Pix 515

I'm going to ask this here more for confirmation than as a general question, but I've got a guy who swears that he should be able to do this.

The situation is basically this: there is a network with two firewalls on it (one is a Cisco PIX, the other is some weird hardware VPN device I've never heard of). The PIX is the default gateway and everyone looks to it for internet access. What they want to do is tell the PIX to route anything for a remote network to the other hardware device, while routing everything else straight to the internet (making the PIX act like a router on its inside interface). I'm pretty sure you can't do this, but my questions are: since it's a 515 and not exactly a lower-end PIX, is it possible with this higher model, and also, would upgrading the IOS to 7.0 give me the ability to route into and out of my inside interface like this?

Thanks,


onsite_tech Asked:
Chris Staunton Commented:
You can use the route command to route traffic anywhere you'd like.

remote network ip example  192.168.0.0 255.255.255.0
inside network ip example 10.0.0.0 255.0.0.0
ip address of funky VPN box  10.0.0.2

command in pix

route inside 192.168.0.0 255.255.255.0 10.0.0.2 1


Hope this helps :)

Chris
Ludovick Lagrevol Commented:
I believe that in PIX 6.x you can't really act as a router for your internal network, only for the PIX itself.
PIX 7.0 deals with OSPF, RIP, static routes, ...

You can work around it using a Windows server as a router (included since Windows 2000) or a layer 3 switch.

Chris Staunton Commented:
My version 6.x does the above commands for routing inside the network.

Cheers,

Chris
nodisco Commented:
Hi there

A PIX will not route traffic back out the same interface it originated from. If you are using the PIX inside IP address as your gateway and the other firewall is also on the same subnet, then this will not work.

The PIX can route traffic to its interfaces, as long as the traffic originated from a different interface than the destination.

V7.0 has some new functionality in this regard and may be able to offer you a workaround, but I have not worked with it enough to recommend one way or the other.

Hope this helps
calvinetter Commented:
>what they want to do is tell the pix to route anything for a remote network to the other hardware device,
>while routing everything else straight to the internet

Lilshooter is correct, you *can* accomplish this with a PIX, even with version 6.x. Lilshooter's initial post shows you how to set up a static route. Since your PIX is the default gateway for Internet access, this won't be affected by adding the static route.

ingetic: Yes, Lilshooter is correct that PIX 6.x also supports OSPF & RIP, as well as static routes.

Cheers
nodisco Commented:
Hey again

##################
Using Lilshooters example:
remote network ip example  192.168.0.0 255.255.255.0
inside network ip example 10.0.0.0 255.0.0.0
ip address of funky VPN box  10.0.0.2

command in pix

route inside 192.168.0.0 255.255.255.0 10.0.0.2
##################

If a client has an IP address of 10.0.0.x and is using the PIX inside IP address as its default gateway (say, 10.0.0.1), then this will not work. The traffic comes in on the inside interface and is then being "routed" back out the inside interface to the second firewall. The PIX will not route traffic back out the same interface it originated from.

Please advise if there is more to this than we are assuming, as you are getting conflicting opinions ;-)
Les Moore, Sr. Systems Engineer, Commented:
I happen to agree with nodisco . . .
A PIX is not a router and will not send redirect packets to internal hosts to have them go back out a different local gateway.

Yes, you can add route statements to your heart's content, and it is very necessary. The PIX does have to know how to route packets back to their originators, even if that path goes through another local gateway on the inside. This is basic routing: packet in one interface, out the other, on to the next hop. This is very different from "bouncing" the packet: nope, not this way, go back out *that* way. The PIX simply does not act that way. Any other normal router will.
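To make the distinction in this thread concrete, here is an added model (not code from any poster, and not PIX software) of the forwarding decision for the topology used above: inside 10.0.0.0/8 with the VPN box at 10.0.0.2, remote network 192.168.0.0/24 behind it, and an assumed outside interface 203.0.113.0/24 with an assumed upstream at 203.0.113.254. The same static routes are walked twice: once with the same-interface egress refused (the PIX 6.x behaviour described by nodisco and Les Moore), once with it allowed plus a redirect (a normal router).

```python
import ipaddress

# Constructed topology from the thread; outside addressing is assumed.
INTERFACES = {
    "inside": ipaddress.ip_network("10.0.0.0/8"),
    "outside": ipaddress.ip_network("203.0.113.0/24"),
}

# Static routes as (prefix, next hop), mirroring
#   route inside  192.168.0.0 255.255.255.0 10.0.0.2 1
#   route outside 0.0.0.0 0.0.0.0 203.0.113.254 1   (assumed default)
ROUTES = [
    (ipaddress.ip_network("192.168.0.0/24"), ipaddress.ip_address("10.0.0.2")),
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("203.0.113.254")),
]


def egress_interface(next_hop):
    """Interface whose connected subnet contains the next hop."""
    for name, net in INTERFACES.items():
        if next_hop in net:
            return name
    raise ValueError(f"no connected interface for next hop {next_hop}")


def lookup(dst):
    """Longest-prefix match; returns (egress interface, next hop)."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return egress_interface(best[1]), best[1]


def forward(ingress, dst, hairpin_allowed):
    """Decide what happens to a packet arriving on `ingress` for `dst`.

    hairpin_allowed=False models the PIX behaviour the thread describes:
    a packet is never sent back out the interface it arrived on, and no
    ICMP redirect is generated, so the flow is simply dropped.
    hairpin_allowed=True models an ordinary router, which forwards the
    packet and tells the host about the better gateway via a redirect.
    """
    egress, next_hop = lookup(dst)
    if egress == ingress:
        action = "forward+redirect" if hairpin_allowed else "drop"
    else:
        action = "forward"
    return (action, egress, str(next_hop))
```

Return traffic arriving on outside for 192.168.0.x is the case Les Moore calls "very necessary": it enters one interface and leaves another, so the static route works on both devices.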
Ludovick Lagrevol Commented:
That's why it's perhaps easier to turn a Windows server into a router (included since Windows 2000) or use a layer 3 switch.

rsivanandan Commented:
One more restatement:

PIX WON'T route traffic for your internal traffic; that ain't possible, be it 6.3 or 7.0.

Hi Chris :-)

Cheers,
Rajesh
onsite_tech Author Commented:
Thanks everyone for the input. I wanted to verify with the new guy that I wasn't missing something obvious, but it sounds like pretty much everyone here is in agreement. I've always understood it to be that way. The way my last manager put it, "If a PIX could route like that, you would never bother buying a router 'cause a PIX is cheaper", and that's sort of been my rule of thumb since then.

Thanks all for your input! We ended up getting the PIX to do the VPN endpoint for this network and chucked the hardware device. Everything works fine now, and later on if we have to, we'll throw down a 2600 on the network.