PIX firewall

We have a Cisco router that has a public IP address on the outside interface. The inside interface needs to pass traffic to a Cisco PIX firewall maintained by the customer.

The customer wants to use our network as a second route to the Internet by assigning an IP address that connects to our Cisco router.

Their PIX has a primary Internet connection via another provider.
We can get to the Internet via our router; however, the PIX is not passing traffic to and from the customer PIX.

Does anyone have the necessary configs?  Is this a NAT issue?  If this is a NAT issue, can anyone provide me with the proper configs?
I believe the problem may be that the Pix does not allow packets to route back out the same interface they are received on (security feature).  If the client's default gateway is the Pix, then the Pix will not be able to send the packets back into the network to find another gateway.  You would need to use another routing device on the inside of the network to route in either direction.
wwtruebtvAuthor Commented:
TNL Engr

Thank you for your reply. The client has a Cisco engineer who said that he should be able to do this.

I believed what you said was the issue, but was shot down by the customer.

It worked once before, but we gave them a public IP for their PIX, which we are not willing to do.

Am I hearing you make the suggestion that they add a Cisco router as the PIX gateway for their interface and point it to our router?

Thank you for your response.
post your Pix config.
If I understand your network properly, one way of doing it would be to place a router inside the network which would route to either the customer's Pix or to your router.  Use the new router as the default gateway for their clients, and assign the two routes to the Internet.  Of course, you could simply use your Cisco router as the default gateway, but then their traffic would try to exit via your Internet connection first, instead of as a backup.

I don't know if there is any way to bypass this particular feature of the PIX firewall. Hopefully, someone else will respond if it is possible. I recently changed over the majority of my clients with PIXes to Cisco ASAs. I know you can set the ASA to allow traffic back out of the same interface, since a couple of customers have requested it.

Hope this helps.
I'm backing up the statement from TNL_Engr. The PIX will not route back into the same interface. The Cisco ASAs can do this with subinterfaces, but not the PIX. You will need another device to do the routing.
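As an added illustration (not part of any reply above, and not the poster's actual configs) of the design TNL_Engr describes, here is an IOS configuration for a new inside router that uses the customer's PIX as the primary default route and falls back to our router, together with the NAT our router would need, and the ASA command that permits the hairpin the PIX refuses. All hostnames, interface names and addresses are assumed: customer LAN 192.168.10.0/24, a transit subnet 192.168.20.0/24 shared by the PIX inside (.1), the new router (.2) and our router's inside interface (.3), and 8.8.8.8 only as an example probe target. The `ip sla`/`track` syntax assumes IOS 12.4 or later; older releases use `ip sla monitor`. The PIX also needs a route back to the LAN through the new router, otherwise return traffic will be dropped even with the hairpin problem removed.

```cisco
! ---- R-INSIDE: customer's new inside router (assumed names/addresses) ----
hostname R-INSIDE
!
interface GigabitEthernet0/0
 description Customer LAN; hosts use 192.168.10.1 as their default gateway
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/1
 description Transit subnet shared with PIX inside (.1) and our router (.3)
 ip address 192.168.20.2 255.255.255.0
!
! Probe the Internet through the PIX. If the probe fails, the tracked
! default route is withdrawn and the floating static (AD 250) takes over.
ip sla 1
 icmp-echo 8.8.8.8 source-ip 192.168.20.2
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Pin the probe target to the PIX path, otherwise a failed-over probe would
! succeed via our router and reinstall the primary route (route flapping).
ip route 8.8.8.8 255.255.255.255 192.168.20.1
! Primary default route: customer PIX, installed only while track 1 is up
ip route 0.0.0.0 0.0.0.0 192.168.20.1 track 1
! Backup default route: our router, floating static with administrative distance 250
ip route 0.0.0.0 0.0.0.0 192.168.20.3 250

! ---- Customer PIX: only a return route is needed; its own default route
!      to its primary ISP stays as it is ----
route inside 192.168.10.0 255.255.255.0 192.168.20.2 1

! ---- Our router: NAT the customer's private range, since no public IP is
!      handed to the customer (assumption; adjust ranges to the real design) ----
interface GigabitEthernet0/0
 description Outside, public IP (address omitted)
 ip nat outside
!
interface GigabitEthernet0/1
 description Inside, toward customer transit subnet
 ip address 192.168.20.3 255.255.255.0
 ip nat inside
!
ip route 192.168.10.0 255.255.255.0 192.168.20.2
ip access-list standard CUSTOMER-NAT
 permit 192.168.10.0 0.0.0.255
ip nat inside source list CUSTOMER-NAT interface GigabitEthernet0/0 overload

! ---- If the firewall were an ASA (or PIX software 7.0 and later) the hairpin
!      itself can be allowed instead of adding a router; PIX 6.x has no equivalent ----
same-security-traffic permit intra-interface
```

Two points worth checking before relying on this: the floating static only takes over when the probe fails, so a PIX that is up but whose upstream ISP is down is exactly the case the `track` covers, whereas a plain pair of default routes without tracking would never fail over while the PIX's inside interface stays reachable; and on an ASA with the hairpin permitted, the ACL on the inside interface and the NAT rules still have to match the hairpinned flows, so verify with `show route`/`show ip route` and `packet-tracer` (ASA) rather than assuming the single command is enough.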
