PIX firewall

Posted on 2008-11-15
Last Modified: 2012-06-27
We have a Cisco router that has a public IP address on the outside interface. The inside interface needs to pass traffic to a Cisco PIX firewall maintained by the customer.

The customer wants to use our network as a second route to the Internet by assigning an IP address that connects to our Cisco router.

Their PIX has a primary Internet connection via another provider.
We can get to the Internet via our router, however, the PIX is not passing traffic to and from the customer PIX.

Does anyone have the necessary configs?  Is this a NAT issue?  If this is a NAT issue, can anyone provide me with the proper configs?
Question by:wwtruebtv
    LVL 4

    Assisted Solution


    I believe the problem may be that the Pix does not allow packets to route back out the same interface they are received on (security feature).  If the client's default gateway is the Pix, then the Pix will not be able to send the packets back into the network to find another gateway.  You would need to use another routing device on the inside of the network to route in either direction.

    Author Comment

    TNL Engr

    Thank you for your reply.  The client has a Cisco engineer who said that he should be able to do this.

    I believed what you said as the issue, but was shot down by the customer.

    It worked once before but we gave them a public IP for their PIX which we are not willing to do.

    Am I hearing you make the suggestion that they add a Cisco router as the PIX gateway for their interface and point it to our router?

    Thank you for your response.
    LVL 14

    Expert Comment

    Post your PIX config.
    LVL 4

    Expert Comment

    If I understand your network properly, one way of doing it would be to place a router inside the network which would route to either the customer's Pix or to your router.  Use the new router as the default gateway for their clients, and assign the two routes to the Internet.  Of course, you could simply use your Cisco router as the default gateway, but then their traffic would try to exit via your Internet connection first, instead of as a backup.

    I don't know if there is any way to bypass this particular feature of the PIX firewall.  Hopefully, someone else will respond if it is possible.  I recently changed over the majority of my clients with PIXes to Cisco ASAs.  I know you can set the ASA to allow traffic back out of the same interface since a couple of customers have requested it.

    Hope this helps.
    LVL 33

    Accepted Solution

    I'm backing up the statement from TNL Engr. The PIX will not route back into the same interface. The Cisco ASAs can do this with subinterfaces, but not the PIX. You will need another device to do the routing.
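The "extra routing device inside the network" design that the last two answers describe, written out as an added configuration example (not posted by anyone in the thread): an IOS router becomes the clients' default gateway, prefers the customer's PIX as the path to the Internet, and falls back to the provider's router only when the PIX stops answering. All interface names and addresses below are assumed for illustration; the thread gives none. This removes the hairpin problem entirely, because the PIX no longer has to send traffic back out the interface it arrived on. NAT on the provider side of the backup path, which the question also asks about, is outside this fragment.

```cisco
! Hypothetical inside router (Cisco IOS). Addresses are assumed, not from the thread.
! 192.168.10.0/24  customer LAN; this router is the clients' default gateway
! 192.168.10.2     customer PIX inside interface (primary path to the Internet)
! 192.168.20.0/30  link to the provider's router; 192.168.20.1 is the provider side
!
interface GigabitEthernet0/0
 description Customer LAN (clients use 192.168.10.1 as default gateway)
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/1
 description Link to provider router (backup path)
 ip address 192.168.20.2 255.255.255.252
!
! Probe the PIX inside address every 10 seconds. When the probe fails, the
! track object goes down (after a 30 s damping delay) and the primary
! default route that depends on it is withdrawn from the routing table.
ip sla 1
 icmp-echo 192.168.10.2 source-ip 192.168.10.1
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 30 up 30
!
! Primary default route via the PIX, tied to the track object.
! Floating static backup via the provider router: administrative distance 250
! keeps it out of the table while the tracked route is present.
ip route 0.0.0.0 0.0.0.0 192.168.10.2 track 1
ip route 0.0.0.0 0.0.0.0 192.168.20.1 250
```

Two caveats a practitioner would check before relying on this. First, the probe above only proves the PIX itself is up, not that its own provider link works; to detect an upstream failure, probe an address beyond the PIX and pin it with a host route through the PIX (otherwise the probe would silently follow the backup route after failover and report success). Second, the PIX has to answer ICMP on its inside interface for the probe to work. For comparison, the feature the earlier answers mention on the ASA is the command `same-security-traffic permit intra-interface`, which lets the firewall send a packet back out the interface it arrived on; that command exists in the ASA software and in PIX software release 7.x, but not in the 6.x code that most PIX units of this era ran.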
