PIX firewall

We have a Cisco router that has a public IP address on the outside interface. The inside interface needs to pass traffic to a Cisco PIX firewall maintained by the customer.

The customer wants to use our network as a second route to the Internet by assigning an IP address that connects to our Cisco router.

Their PIX has a primary Internet connection via another provider.
We can get to the Internet via our router; however, the PIX is not passing traffic to and from the customer PIX.

Does anyone have the necessary configs? Is this a NAT issue? If this is a NAT issue, can anyone provide me with the proper configs?

wwtruebtv asked:
MikeKane commented:
I'm backing up the statement from TNL_Engr. The PIX will not route back into the same interface. The Cisco ASAs can do this with subinterfaces, but not the PIX. You will need another device to do the routing.
TNL_Engr commented:
wwtreebtv,

I believe the problem may be that the Pix does not allow packets to route back out the same interface they are received on (security feature).  If the client's default gateway is the Pix, then the Pix will not be able to send the packets back into the network to find another gateway.  You would need to use another routing device on the inside of the network to route in either direction.
wwtruebtv (author) commented:
TNL Engr

Thank you for your reply. The client has a Cisco engineer who said that he should be able to do this.

I believed what you said was the issue, but was shot down by the customer.

It worked once before but we gave them a public IP for their PIX which we are not willing to do.

Am I hearing you make the suggestion that they add a Cisco router as the PIX gateway for their interface and point it to our router?

Thank you for your response.
Kutyi commented:
Post your PIX config.
TNL_Engr commented:
If I understand your network properly, one way of doing it would be to place a router inside the network which would route to either the customer's Pix or to your router. Use the new router as the default gateway for their clients, and assign the two routes to the Internet. Of course, you could simply use your Cisco router as the default gateway, but then their traffic would try to exit via your Internet connection first, instead of as a backup.

I don't know if there is any way to bypass this particular feature of the Pix firewall. Hopefully, someone else will respond if it is possible. I recently changed over the majority of my clients with Pixes to Cisco ASAs. I know you can set the ASA to allow traffic back out of the same interface, since a couple of customers have requested it.

Hope this helps.
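As an added example (not from any poster on this thread) of the inside-router approach TNL_Engr describes, here is an IOS configuration sketch for that router: the PIX stays the primary path, a floating static route points at the questioner's router as the backup, and IP SLA tracking withdraws the primary default route when the PIX path stops answering. Interface names and all addresses are constructed assumptions, and the IP SLA command syntax varies by IOS release (older releases use `ip sla monitor` and `track ... rtr`).

```cisco
! Added example, not configuration from this thread. Inside router that sits
! behind the customer's PIX and becomes the default gateway for their clients.
! Every address and interface name here is a constructed placeholder.
interface GigabitEthernet0/0
 description LAN side, towards the customer's clients
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 description towards the PIX inside interface (primary Internet path)
 ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/2
 description towards our Cisco router (backup Internet path)
 ip address 192.168.2.2 255.255.255.0
!
! Probe a host on the far side of the PIX. The host route pins the probe to
! the primary path, so it cannot quietly succeed via the backup and flap.
ip route 203.0.113.1 255.255.255.255 192.168.1.1
ip sla 1
 icmp-echo 203.0.113.1 source-ip 192.168.1.2
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Primary default route stays installed only while the probe succeeds.
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 1
! Floating static route (administrative distance 250) via our router takes
! over only when the tracked primary route is removed from the table.
ip route 0.0.0.0 0.0.0.0 192.168.2.1 250
```

Translation of the customer's inside addresses for traffic leaving via the backup path is not shown; it would have to be done on a device along that path, since the PIX only translates what it forwards itself.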