

Cisco PIX 515, (2) SOHO3's. Routing issue between Datacenter and Office through VPN

Posted on 2008-10-03
Medium Priority
Last Modified: 2012-05-05
Have one that has me stumped.  Hopefully someone can help with the missing piece.
2 networks everything has been working flawlessly.  One is at a data center with email, web servers and such, and the other is at an office.  
Wanted to connect the 2 networks with a VPN.  Deployed a SOHO3 at each end and configured the VPN.  The tunnel is up and working.  The office is on a and the colo is on a  I created a simplified network diagram to depict the configuration.  See attachment.  
Below are a few facts that should answer most questions as to where we are at this point.  
1. WS1 can ping the PIX at (PIX can also ping WS1 at
2. WS1 can NOT ping DC1 at
3. DC1 can NOT ping WS1 (of course)
Have a route entry in the PIX
route DMZ1 1 (this is working or the PIX wouldn't be able to reach WS1).
So the PIX is using that route when it pings out, but it's like it isn't using it for the packets it receives from DC1.  
Any idea what I'm missing here?

Question by:sdschaefer

Expert Comment

ID: 22640019
Check the firewall on DC1, disable Windows Firewall and try.
LVL 79

Expert Comment

ID: 22640546
On the DC, add a static route
C:\>route add -p mask


>So the PIX is using that route when it pings out, but it's like it isn't using it for the packets it receives from DC1.
>Any idea what I'm missing here?
It is working as designed. The pix simply will not "bounce" a packet back out the same interface it came in on to another router. It is up to the sending host to know which gateway to send that packet to, hence the static route.

Author Comment

ID: 22640994
Thanks for the responses.  

devanqshroff: No firewall enabled on DC1.  There are several servers and other appliances on the 100.0 network and they can all ping each other fine.  

lrmoore: I know that a static route would get that one server working through the VPN, but that doesn't help with all the other equipment on the 100.0 network.  Some of the other appliances don't allow for the entry of a static route.  That is what the default gateway (router) is for, right?

Bottom line.  Why is the PIX not routing (except for itself) a packet destined for the to 100.2?  From within the PIX when you ping (or any other device on the 1.0 network) it works perfectly.  The PIX would have no way of knowing where to route the 1.0 network without the static route that it now has.  So that part has to be correct.
So DC1 has 100.1 as its default gateway.  When you attempt to ping from DC1 it is going to send the packet to the PIX, correct?  
-We have all kinds of this type of routing in place on the WAN side at the data center.  The only difference I can think of is that the 100.0 network is using NAT.  
-Thought maybe this was an issue of an ACL in the PIX, so I created a "permit IP any any" and bound it to "in" on the DMZ1 interface.  NOTE: the reason I think it could be an ACL issue, is that I have never had any ACL on the DMZ1 I/F.  
I really appreciate all your help in this matter.  This is the first question I have ever posted.  I may need to simplify it as a Cisco PIX ACL question and re-post.

LVL 79

Accepted Solution

lrmoore earned 2000 total points
ID: 22641294
Yes, the PIX needs the static route in order to know how to return packets (like icmp), or to route packets back to an internal client.
By design, it cannot, however, redirect a packet that comes in on the inside interface that is destined for a network that it cannot route out one of its other interfaces. In other words, "bounce" it back to another internal router. Remember that it was designed from ground up to be a secure firewall and it does not behave like a router.
It is not a PIX acl issue, it is a well known design issue of the PIX.
If you had any internal router, you could use that as a "router on a stick" using it as the default gateway and letting it route either to the PIX or to the SOHO.
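The forwarding decision the accepted answer describes, as an added worked example (not code from the original thread or from Cisco). It models three route tables: DC1's, the PIX's, and the one DC1 gets once the static route is added. The addresses are assumed placeholders, since the post's own IPs did not survive extraction: the colo "100.0" network is taken as 192.168.100.0/24 with the PIX DMZ1 at .1 and the colo-side SOHO3 at .2, and the office "1.0" network as 192.168.1.0/24. The rule modelled for the PIX is the one stated in the answer: transit traffic may not leave on the interface it arrived on, while traffic the PIX originates itself simply follows its route table.

```python
import ipaddress

# Assumed placeholder addresses for this example (the original post's IPs were lost).
OFFICE_NET = "192.168.1.0/24"      # the "1.0" network, where WS1 lives
COLO_NET   = "192.168.100.0/24"    # the "100.0" network, where DC1 lives
WS1        = "192.168.1.10"
PIX_DMZ1   = "192.168.100.1"       # DC1's default gateway
SOHO_COLO  = "192.168.100.2"       # colo-side SOHO3, the VPN endpoint
INTERNET   = "203.0.113.1"         # an arbitrary Internet host (TEST-NET-3)
ISP_HOP    = "198.51.100.1"        # assumed next hop on the PIX outside interface


class RouteTable:
    """Minimal longest-prefix-match route table: prefix -> (gateway, interface)."""

    def __init__(self):
        self._routes = []

    def add(self, prefix, gateway, iface):
        gw = ipaddress.ip_address(gateway) if gateway else None
        self._routes.append((ipaddress.ip_network(prefix), gw, iface))

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        best = None
        for net, gw, iface in self._routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, iface)
        return best  # (network, gateway or None when connected, iface) or None


def pix_forward(pix, ingress_iface, dst):
    """Transit traffic through the PIX. Per the accepted answer, the PIX will not
    send a packet back out the interface it came in on, which is what the
    thread's syslog line (%PIX-7-106011, No xlate) reports."""
    r = pix.lookup(dst)
    if r is None:
        return "drop: no route"
    _net, gw, egress = r
    if egress == ingress_iface:
        return f"drop: %PIX-7-106011 Deny inbound (No xlate) on {ingress_iface}"
    return f"forward via {egress} next-hop {gw}"


def pix_originate(pix, dst):
    """Traffic the PIX itself sends (ping from the PIX) just follows the route."""
    _net, gw, iface = pix.lookup(dst)
    return f"send via {iface} next-hop {gw or 'connected'}"


def host_path(host_rt, pix, dst):
    """Trace where a packet from DC1 goes, hop by hop, given DC1's route table."""
    r = host_rt.lookup(dst)
    if r is None:
        return ["no route"]
    _net, gw, _iface = r
    if gw is None:
        return ["direct (connected network)"]
    if str(gw) == PIX_DMZ1:
        return [f"DC1 -> PIX {PIX_DMZ1}", pix_forward(pix, "dmz1", dst)]
    if str(gw) == SOHO_COLO:
        return [f"DC1 -> SOHO {SOHO_COLO}", "SOHO -> VPN tunnel -> office LAN"]
    return [f"DC1 -> {gw}"]


def build_pix():
    pix = RouteTable()
    pix.add(COLO_NET, None, "dmz1")            # connected
    pix.add("0.0.0.0/0", ISP_HOP, "outside")   # default route (assumed)
    pix.add(OFFICE_NET, SOHO_COLO, "dmz1")     # the 'route DMZ1 ...' entry from the question
    return pix


def build_dc1(with_static_route):
    rt = RouteTable()
    rt.add(COLO_NET, None, "eth0")             # connected
    rt.add("0.0.0.0/0", PIX_DMZ1, "eth0")      # default gateway = PIX
    if with_static_route:
        # Equivalent of the suggested 'route add -p <office net> mask <mask> <soho>'
        rt.add(OFFICE_NET, SOHO_COLO, "eth0")
    return rt


if __name__ == "__main__":
    pix = build_pix()
    print("PIX -> WS1 (originated):", pix_originate(pix, WS1))
    for flag in (False, True):
        print(f"DC1 -> WS1 (static route={flag}):", host_path(build_dc1(flag), pix, WS1))
    print("DC1 -> Internet:", host_path(build_dc1(False), pix, INTERNET))
```

Running it shows the asymmetry the author observed: the PIX's own ping to WS1 resolves to the SOHO next hop on dmz1, DC1's ping to WS1 is sent to the PIX and dropped because dmz1 is both ingress and egress, and the same host reaches the Internet fine because that traffic exits a different interface. Adding the per-host static route (or replacing the default gateway with a router that can hairpin, as the answer suggests) sends the office-bound packets to the SOHO instead.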

Author Comment

ID: 22641790
Thanks for the update.  I have been working on this issue all day.  And now I'm seeing you are right on.   The problem is the PIX doesn't want to route (Bounce) out  the same I/F (a packet just came in on) to another router (the SOHO)  on the same network.   After reviewing the syslog server I found the following message.  
%PIX-7-106011: Deny inbound (No xlate) icmp src dmz1: dst dmz1: (type 8, code 0)
This occurs when DC1 tries to ping WS1.   Quite clearly the PIX is denying the transition.  Weird that the PIX will ping with no problem to any device on the 100.0 or the 1.0 but won't allow hosts behind it to do the same thing.
The network currently located at the colo was at one time all at the office location.  Because of that the only I/F's we are using on the PIX is the Outside & one of the DMZ's.  The office lan used to be on the inside I/F.  I might be able to reconfigure that setup and make the inside I/F do the trick.  
But you are correct, the easiest thing to do is to put a router (the new 100.0 gateway) between the 100.0 hosts and the PIX/SOHO.
