Cisco PIX 515, (2) SOHO3's. Routing issue between Datacenter and Office through VPN

Have one that has me stumped.  Hopefully someone can help with the missing piece.
2 networks everything has been working flawlessly.  One is at a data center with email, web servers and such, and the other is at an office.  
Wanted to connect the 2 networks with a VPN.  Deployed a SOHO3 at each end and configured the VPN.  The tunnel is up and working.  The office is on a and the colo is on a  I created a simplified network diagram to depict the configuration.  See attachment.  
Below are a few facts that should answer most questions as to where we are at this point.  
1. WS1 can ping the PIX at (PIX can also ping WS1 at
2. WS1 can NOT ping DC1 at
3. DC1 can NOT ping WS1 (of course)
Have a route entry in the PIX
route DMZ1 1 (this is working or the PIX wouldn't be able to reach WS1).
So the PIX is using that route when it pings out, but it's like it isn't using it for the packets it receives from DC1.  
Any idea what I'm missing here?

lrmoore Commented:
Yes, the PIX needs the static route in order to know how to return packets (like icmp), or to route packets back to an internal client.
By design, it cannot, however, redirect a packet that comes in on the inside interface that is destined for a network that it cannot route out one of its other interfaces. In other words, "bounce" it back to another internal router. Remember that it was designed from ground up to be a secure firewall and it does not behave like a router.
It is not a PIX acl issue, it is a well known design issue of the PIX.
If you had any internal router, you could use that as a "router on a stick" using it as the default gateway and letting it route either to the PIX or to the SOHO.
Check the firewall on DC1, disable Windows Firewall and try.
On the DC, add a static route
C:\>route add -p mask


>So the PIX is using that route when it pings out, but it's like it isn't using it for the packets it receives from DC1.
>Any idea what I'm missing here?
It is working as designed. The pix simply will not "bounce" a packet back out the same interface it came in on to another router. It is up to the sending host to know which gateway to send that packet to, hence the static route.
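To make the forwarding logic in this exchange concrete, here is an added example (not code from the thread or from Cisco) that models the two routing tables involved: DC1's host table, with and without the `route add -p` static route suggested above, and a firewall that refuses to send a packet back out the interface it arrived on. All addresses are constructed placeholders, since the thread's real addresses are not on the page; the function names and the 10.0.100.0/24 and 10.0.1.0/24 ranges are assumptions for illustration only.

```python
import ipaddress

# Constructed addresses for this example (the thread's real ones are not on the page).
# Assumed layout:
#   colo LAN   10.0.100.0/24  PIX dmz1 10.0.100.1, SOHO3 10.0.100.2, DC1 10.0.100.10
#   office LAN 10.0.1.0/24    WS1 10.0.1.10 (behind the office SOHO3)
COLO_LAN = ipaddress.ip_network("10.0.100.0/24")
OFFICE_LAN = ipaddress.ip_network("10.0.1.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
PIX_DMZ1 = "10.0.100.1"
SOHO_COLO = "10.0.100.2"
DC1 = "10.0.100.10"
WS1 = "10.0.1.10"


def next_hop(routes, dst):
    """Longest-prefix match over a host routing table of (network, gateway) pairs."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


# PIX view of the world: directly connected networks per interface, plus the static
# route from the question (route dmz1 <office-net> <mask> <soho>), whose egress
# interface is the one named in the route.
PIX_CONNECTED = {"dmz1": COLO_LAN, "outside": ipaddress.ip_network("203.0.113.0/24")}
PIX_STATIC = [(OFFICE_LAN, "dmz1")]


def pix_interface_for(addr):
    """Interface the PIX would use to reach addr, or None if it has no route."""
    ip = ipaddress.ip_address(addr)
    for net, iface in PIX_STATIC:
        if ip in net:
            return iface
    for iface, net in PIX_CONNECTED.items():
        if ip in net:
            return iface
    return None


def pix_forward(src, dst):
    """Model of the behaviour lrmoore describes: a packet whose egress interface is the
    interface it arrived on is denied rather than redirected to another router there."""
    ingress = pix_interface_for(src) or "outside"  # unknown source = came from outside
    egress = pix_interface_for(dst)
    if egress is None:
        return "drop: no route"
    if egress == ingress:
        return f"deny: would hairpin on {ingress}"
    return f"forward via {egress}"


def host_ping_path(host_routes, dst):
    """Trace a packet from DC1 to dst through whichever first hop DC1's table selects."""
    gw = next_hop(host_routes, dst)
    if gw == PIX_DMZ1:
        return "PIX: " + pix_forward(DC1, dst)
    if gw == SOHO_COLO:
        return "SOHO3: forward via VPN tunnel"
    return f"unknown gateway {gw}"


# DC1 with only a default gateway pointing at the PIX (the situation in the question).
DC1_DEFAULT_ONLY = [(DEFAULT, PIX_DMZ1)]
# DC1 after the suggested 'route add -p <office-net> mask <mask> <soho>'.
DC1_WITH_STATIC = [(DEFAULT, PIX_DMZ1), (OFFICE_LAN, SOHO_COLO)]

if __name__ == "__main__":
    print("default gw only :", host_ping_path(DC1_DEFAULT_ONLY, WS1))
    print("with static     :", host_ping_path(DC1_WITH_STATIC, WS1))
```

The longest-prefix match is what makes the per-host fix work: the /24 for the office network beats the /0 default, so the packet goes to the SOHO3 and the PIX never sees it. The same model shows why the PIX itself can ping WS1 (there is no ingress interface to collide with) while a host behind it cannot.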
sdschaeferAuthor Commented:
Thanks for the responses.  

devanqshroff: No firewall enabled on DC1.  There are several servers and other appliances on the 100.0 network and they can all ping each other fine.  

lrmoore: I know that a static route would get that one server working through the VPN, but that doesn't help with all the other equipment on the 100.0 network.  Some of the other appliances don't allow for the entry of static routes.  That is what the default gateway (router) is for, right?

Bottom line.  Why is the PIX not routing (except for itself) a packet destined for the to 100.2?  From within the PIX when you ping (or any other device on the 1.0 network) it works perfectly.  The PIX would have no way of knowing where to route the 1.0 network without the static route that it now has.  So that part has to be correct.
So DC1 has 100.1 as its default gateway.  When you attempt to ping from DC1 it is going to send the packet to the PIX, correct?  
-We have all kinds of this type of routing in place on the WAN side at the data center.  The only difference I can think of is that the 100.0 network is using NAT.  
-Thought maybe this was an issue of an ACL in the PIX, so I created a "permit IP any any" and bound it to "in" on the DMZ1 interface.  NOTE: the reason I think it could be an ACL issue, is that I have never had any ACL on the DMZ1 I/F.  
I really appreciate all of your help in this matter.  This is the first question I have ever posted.  I may need to simplify it as a Cisco PIX ACL question and re-post.

sdschaeferAuthor Commented:
Thanks for the update.  I have been working on this issue all day.  And now I'm seeing you are right on.   The problem is the PIX doesn't want to route (bounce) out the same I/F (a packet just came in on) to another router (the SOHO) on the same network.   After reviewing the syslog server I found the following message.  
%PIX-7-106011: Deny inbound (No xlate) icmp src dmz1: dst dmz1: (type 8, code 0)
This occurs when DC1 tries to ping WS1.   Quite clearly the PIX is denying the transition.  Weird that the PIX will ping with no problem to any device on the 100.0 or the 1.0 but won't allow hosts behind it to do the same thing.
The network currently located at the colo was at one time all at the office location.  Because of that the only I/Fs we are using on the PIX are the Outside & one of the DMZs.  The office LAN used to be on the inside I/F.  I might be able to reconfigure that setup and make the inside I/F do the trick.  
But you are correct, the easiest thing to do is to put a router (the new 100.0 gateway) between the 100.0 hosts and the PIX/SOHO.
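The syslog message quoted in this update is the signal a defender can use to find every host on the segment that still sends office-bound traffic to the PIX instead of the SOHO3. The following is an added example, not part of the thread, that parses `%PIX-7-106011` lines and flags the ones where the source and destination interface are the same (the hairpin case above). The log lines are constructed for the example, with placeholder addresses filled in where the page elides them; the message layout (`proto src if:addr[/port] dst if:addr[/port]`) is taken from the quoted line, and the function names are assumptions.

```python
import ipaddress
import re

# Matches the 106011 message form quoted in the thread; tcp/udp variants carry a /port.
PIX_106011 = re.compile(
    r"%PIX-\d-106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)

# Constructed sample log: two hairpin denials on dmz1, one genuine outside->dmz1
# denial, and one unrelated connection-built message that must be ignored.
SAMPLE_LOG = """\
Jan 10 09:12:01 pix %PIX-7-106011: Deny inbound (No xlate) icmp src dmz1:10.0.100.10 dst dmz1:10.0.1.10 (type 8, code 0)
Jan 10 09:12:03 pix %PIX-7-106011: Deny inbound (No xlate) tcp src dmz1:10.0.100.20/51234 dst dmz1:10.0.1.25/445
Jan 10 09:12:05 pix %PIX-7-106011: Deny inbound (No xlate) tcp src outside:198.51.100.7/40000 dst dmz1:10.0.100.10/25
Jan 10 09:12:06 pix %PIX-6-302013: Built outbound TCP connection 1200 for outside:192.0.2.9/443 (192.0.2.9/443) to dmz1:10.0.100.10/52000 (203.0.113.5/52000)
"""


def parse_106011(line):
    """Return the fields of a 106011 denial as a dict, or None for any other line.
    'hairpin' is True when the packet would have left by the interface it came in on."""
    m = PIX_106011.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["hairpin"] = fields["src_if"] == fields["dst_if"]
    return fields


def hairpin_events(log_text):
    """All 106011 denials in log_text where ingress and egress interface coincide."""
    return [e for e in map(parse_106011, log_text.splitlines()) if e and e["hairpin"]]


def hosts_missing_route(log_text, remote_net):
    """Sorted list of source hosts that tried to reach remote_net through the firewall,
    i.e. the hosts that still lack a static route (or a proper gateway) for it."""
    net = ipaddress.ip_network(remote_net)
    return sorted(
        {e["src"] for e in hairpin_events(log_text) if ipaddress.ip_address(e["dst"]) in net}
    )


if __name__ == "__main__":
    for event in hairpin_events(SAMPLE_LOG):
        print(f"{event['proto']:4} {event['src']} -> {event['dst']} on {event['src_if']}")
    print("hosts needing the office route:", hosts_missing_route(SAMPLE_LOG, "10.0.1.0/24"))
```

Run against a real syslog export, the second function gives the list of colo hosts to fix (or, if the router-on-a-stick design is chosen instead, a way to confirm the hairpin denials stop once the new gateway is in place).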
