To reboot the PIX or not reboot - that is the question

Discussion in 'Cisco' started by Darren Green, Mar 14, 2006.

  1. Darren Green (Guest)


    I have a head scratcher, brief details and topology:

    DMZ -
    PIX 515 6.3(4) --outside X.X.X.X
    192.168.X.X + other networks

    On the inside of the PIX I have various route statements to several
    networks. One of these is

    I use my DMZ router 172.18.1.X to connect to a number of other routers
    (via the outside interface of the PIX). These routers sit behind a
    Concentrator and use Loopback addresses in range

    The traffic off the DMZ is no-nated.

    My problem, I am simply getting no hits on either my no-nat list or
    accompanying access-list on the PIX.


    access-list nonat permit ip

    access-list blah permit ip

    There is a default route on the PIX pointing to the outside router.
    Talking to my colleague, he seems to think the PIX will be forwarding my
    traffic towards the entry on the inside. I am sure that the PIX wouldn't;
    either way, I cannot understand why I have no hits in my no-nat etc.

    The above access-list & nonat entries are just 'tagged on additions' to
    the bottom of pre-configured working lists.

    Anyone have any suggestions?


    Darren Green, Mar 14, 2006

  2. He is correct.
    Traffic from the inside to 172.31.233/24 is going to hit the inside
    interface; the PIX would see that the route is through the inside
    interface, and would promptly drop the packet -before- looking at
    any access lists.

    You can create a route for 172.31.233/24 specifically, while still
    keeping your 172.31/16 route. The PIX uses "best match" routing,
    so traffic to 172.31.233/24 would match the specific route
    and traffic to any other 172.31/16 would use the 172.31/16
    route (or get dropped, if the route would have it go back out the
    same interface it came in.)
    Walter Roberson, Mar 14, 2006
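The forwarding logic Walter describes (longest-prefix "best match" route lookup, then a drop when the chosen route points back out the arrival interface, before any access-list is consulted) as an added Python model; this is an illustration written for this page, not PIX code or anything posted in the thread. The route tables and the 172.31.233.10 destination host are constructed to mirror the thread's 172.31/16 and 172.31.233/24 example.

```python
import ipaddress

# Simplified model of PIX 6.3 route selection as described in the reply above.
# Each route is (network, egress interface). Assumption: only the inside and
# outside interfaces matter, and the PIX never sends a packet back out the
# interface it arrived on (no hairpinning in 6.3).

def best_route(routes, dst):
    """Longest-prefix match: return the (network, interface) pair whose
    network contains dst and has the longest prefix, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, iface) for net, iface in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)

def forward(routes, ingress, dst):
    """Decide what happens to a packet for dst that arrived on `ingress`."""
    route = best_route(routes, dst)
    if route is None:
        return "drop: no route"
    net, egress = route
    if egress == ingress:
        # Route points back out the arrival interface: dropped before the
        # no-nat and access-list entries are ever evaluated.
        return f"drop: {net} is reached via {egress}, same as ingress"
    return f"forward via {egress} ({net})"

# Constructed tables: the original poster's situation, then the fix proposed
# in the reply (a more specific /24 route towards the outside router).
BEFORE = [
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),      # default route
    (ipaddress.ip_network("172.31.0.0/16"), "inside"),   # existing summary route
]
AFTER = BEFORE + [
    (ipaddress.ip_network("172.31.233.0/24"), "outside"),  # added specific route
]

if __name__ == "__main__":
    for table, label in ((BEFORE, "before"), (AFTER, "after")):
        print(label, "172.31.233.10:", forward(table, "inside", "172.31.233.10"))
        print(label, "172.31.10.1:  ", forward(table, "inside", "172.31.10.1"))
```

With the specific /24 added, traffic to 172.31.233/24 leaves via the outside interface and can reach the nonat and access-list entries, while other 172.31/16 destinations still follow the /16 route.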
