To reboot the PIX or not reboot - that is the question

Discussion in 'Cisco' started by Darren Green, Mar 14, 2006.


    All,

    I have a head-scratcher; brief details and topology:


    DMZ - 172.18.1.0
    /
    PIX 515 6.3(4) --outside X.X.X.X
    /
    inside
    192.168.X.X + other networks

    On the inside of the PIX I have various route statements to several
    networks. One of these is 172.31.0.0/16.

    I use my DMZ router 172.18.1.X to connect to a number of other routers
    (via the outside interface of the PIX). These routers sit behind a
    Concentrator and use Loopback addresses in range 172.31.233.0/24.

    The traffic off the DMZ is no-nated.

    My problem: I am simply getting no hits on either my no-nat list or the
    accompanying access-list on the PIX.

    e.g.

    access-list nonat permit ip 172.18.1.0 255.255.255.0 172.31.233.0
    255.255.255.0

    access-list blah permit ip 172.18.1.0 255.255.255.0 172.31.233.0
    255.255.255.0

    There is a default route on the PIX pointing to the outside router.
    Talking to my colleague, he seems to think the PIX will be forwarding my
    172.31.233.0 traffic towards the 172.31.0.0/16 entry on the inside. I am
    sure that the PIX wouldn't; either way, I cannot understand why I have
    no hits in my no-nat etc.

    The above access-list & nonat entries are just 'tagged-on additions' to
    the bottom of pre-configured working lists.

    Anyone have any suggestions?

    Regards

    Darren
    ------
    Darren Green, Mar 14, 2006
    #1

  2. In article <dv7fbk$hp5$-infra.bt.com>,
    Darren Green <> wrote:
    >PIX 515 6.3(4)


    >I use my DMZ router 172.18.1.X to connect to a number of other routers
    >(via the outside interface of the PIX). These routers sit behind a
    >Concentrator and use Loopback addresses in range 172.31.233.0/24.


    >There is a default route on the PIX pointing to the outside router.
    >Talking to my colleague he seems to think the PIX will be forwarding my
    >172.31.233.0 traffic towards the 172.31.0.0/16 entry on the inside. I am
    >sure that the PIX wouldn't,


    He is correct.

    >either way, I cannot understand why I have
    >no hits in my no-nat etc.


    Traffic from the inside to 172.31.233/24 is going to hit the inside
    interface; the PIX would see that the route is through the inside
    interface, and would promptly drop the packet -before- looking at
    any access lists.

    You can create a route for 172.31.233/24 specifically, while still
    keeping your 172.31/16 route. The PIX uses "best match" routing,
    so traffic to 172.31.233/24 would match the specific route
    and traffic to any other 172.31/16 would use the 172.31/16
    route (or get dropped, if the route would have it go back out the
    same interface it came in.)
    Walter Roberson, Mar 14, 2006
    #2
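The forwarding order the reply describes (best-match route lookup first, then the drop for a packet whose chosen egress interface is the one it arrived on, and only then the access-list) can be walked through in a small model. The block below is an added example for this thread, not Cisco code and not anything posted above: it reads PIX 6.3-style `route` and `access-list` lines, chooses the egress interface by longest-prefix match, and only increments an access-list hit counter when the packet actually reaches the access-list stage. The gateway addresses 203.0.113.1 and 192.168.1.1, the inside host 192.168.1.10 and the `any` source in the access-list are assumptions made for the walk-through; the networks are the ones from the thread.

```python
"""Toy model of the PIX forwarding decision described in the reply above.

Constructed example, not Cisco code. Gateways, the inside host and the
`any` source in the access-list are assumptions; the ordering of checks
(route lookup, same-interface drop, then access-list) is as stated in
the reply, and is what leaves the hit counters at zero.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    iface: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address


@dataclass
class AclEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    hitcnt: int = 0  # what `show access-list` reports as hitcnt


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    """PIX lists use subnet masks (not wildcards); `any` is 0.0.0.0/0."""
    if addr == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    return ipaddress.IPv4Network(f"{addr}/{mask}")


def _take_net(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one `<addr> <mask>` pair, or the keyword `any`, from tokens."""
    if not tokens:
        raise ValueError("missing address")
    if tokens[0] == "any":
        return _net("any", ""), tokens[1:]
    if len(tokens) < 2:
        raise ValueError("address without mask")
    return _net(tokens[0], tokens[1]), tokens[2:]


def parse_route(line: str) -> Route:
    """Parse `route <if> <net> <mask> <gw> [metric]` (PIX 6.3 syntax)."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not a route line: {line!r}")
    _, iface, net, mask, gw = parts[:5]
    return Route(iface, _net(net, mask), ipaddress.IPv4Address(gw))


def parse_acl(line: str) -> AclEntry:
    """Parse `access-list <name> permit ip <src> <mask> <dst> <mask>`."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list" or parts[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported access-list line: {line!r}")
    src, rest = _take_net(parts[4:])
    dst, rest = _take_net(rest)
    if rest:
        raise ValueError(f"trailing tokens in access-list line: {line!r}")
    return AclEntry(src, dst)


def lookup(routes: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Best-match routing: the matching route with the longest prefix wins."""
    candidates = [r for r in routes if dst in r.network]
    return max(candidates, key=lambda r: r.network.prefixlen, default=None)


def forward(routes: List[Route], acl: List[AclEntry], ingress: str,
            src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, egress interface) for one packet."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    route = lookup(routes, dst_ip)
    if route is None:
        return "drop: no route", None
    if route.iface == ingress:
        # Dropped before any access-list is consulted: hitcnt never moves.
        return "drop: route points back out the ingress interface", route.iface
    for entry in acl:
        if src_ip in entry.src and dst_ip in entry.dst:
            entry.hitcnt += 1
            return "permit", route.iface
    return "drop: no access-list match", route.iface


def demo() -> dict:
    """Walk through the thread's routes before and after the specific /24."""
    acl = [parse_acl("access-list blah permit ip any 172.31.233.0 255.255.255.0")]
    routes = [
        parse_route("route outside 0.0.0.0 0.0.0.0 203.0.113.1 1"),        # gateway assumed
        parse_route("route inside 172.31.0.0 255.255.0.0 192.168.1.1 1"),  # gateway assumed
    ]
    out = {}
    # Inside host towards a loopback: the /16 sends it back out inside -> dropped, no hit.
    out["before"] = forward(routes, acl, "inside", "192.168.1.10", "172.31.233.7")
    out["hits_before"] = acl[0].hitcnt
    # Add the specific route the reply suggests while keeping the /16 in place.
    routes.append(parse_route("route outside 172.31.233.0 255.255.255.0 203.0.113.1 1"))
    out["after"] = forward(routes, acl, "inside", "192.168.1.10", "172.31.233.7")
    # The rest of 172.31/16 still matches only the /16 and is still dropped.
    out["after_other"] = forward(routes, acl, "inside", "192.168.1.10", "172.31.50.1")
    out["hits_after"] = acl[0].hitcnt
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the zero hit count the original poster saw (the packet never reaches the access-list), then a permit via `outside` once the /24 is present, while 172.31.50.1 keeps matching the /16 and keeps being dropped; the hit counter only advances for the packet that survived the routing checks.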
