To reboot the PIX or not reboot - that is the question

Discussion in 'Cisco' started by Darren Green, Mar 14, 2006.

  1. Darren Green

    All,

    I have a head scratcher, brief details and topology:

    DMZ - 172.18.1.0
      |
    PIX 515 6.3(4) -- outside X.X.X.X
      |
    inside
    192.168.X.X + other networks

    On the inside of the PIX I have various route statements to several
    networks. One of these is 172.31.0.0/16.

    I use my DMZ router 172.18.1.X to connect to a number of other routers
    (via the outside interface of the PIX). These routers sit behind a
    Concentrator and use Loopback addresses in range 172.31.233.0/24.

    The traffic off the DMZ is no-nated.

    My problem: I am simply getting no hits on either my no-nat list or
    the accompanying access-list on the PIX.

    e.g.

    access-list nonat permit ip 172.18.1.0 255.255.255.0 172.31.233.0
    255.255.255.0

    access-list blah permit ip 172.18.1.0 255.255.255.0 172.31.233.0
    255.255.255.0

    There is a default route on the PIX pointing to the outside router.
    Talking to my colleague he seems to think the PIX will be forwarding my
    172.31.233.0 traffic towards the 172.31.0.0/16 entry on the inside. I am
    sure that the PIX wouldn't; either way, I cannot understand why I have
    no hits in my no-nat etc.

    The above access-list & nonat entries are just 'tagged on additions' to
    the bottom of pre-configured working lists.

    Anyone have any suggestions?

    Regards

    Darren
    Darren Green, Mar 14, 2006
    #1

  2. He is correct.
    Traffic from the inside to 172.31.233/24 is going to hit the inside
    interface; the PIX would see that the route is through the inside
    interface, and would promptly drop the packet -before- looking at
    any access lists.

    You can create a route for 172.31.233/24 specifically, while still
    keeping your 172.31/16 route. The PIX uses "best match" routing,
    so traffic to 172.31.233/24 would match the specific route
    and traffic to any other 172.31/16 would use the 172.31/16
    route (or get dropped, if the route would have it go back out the
    same interface it came in.)
     
    Walter Roberson, Mar 14, 2006
    #2
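Added example, not code from the thread: a small Python model of the "best match" (longest-prefix) route lookup and the drop-before-ACL behaviour Walter describes, using the thread's 172.31.0.0/16 and 172.31.233.0/24 routes. The next-hop addresses and the "dmz" interface name are placeholders I chose, not values from the PIX config.

```python
import ipaddress

# Constructed routing table modelled on the thread's PIX: a default route out
# "outside", the aggregate 172.31.0.0/16 via "inside", and the specific
# 172.31.233.0/24 route the reply suggests adding. Next hops are placeholders.
ROUTES = [
    ("0.0.0.0/0",       "outside", "203.0.113.1"),
    ("172.31.0.0/16",   "inside",  "192.168.1.254"),
    ("172.31.233.0/24", "outside", "203.0.113.1"),
]

def lookup(dst, routes=ROUTES):
    """Longest-prefix ('best match') lookup: the most specific network that
    contains dst wins, regardless of the order the routes were entered."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nexthop)
    return best

def forwarding_decision(src_iface, dst, routes=ROUTES):
    """Mimic the behaviour the reply describes: a packet whose best route
    points back out the interface it arrived on is dropped before any
    access-list or nat 0 statement is consulted."""
    match = lookup(dst, routes)
    if match is None:
        return "drop: no route"
    net, egress, _ = match
    if egress == src_iface:
        return f"drop: route {net} points back out {src_iface}"
    return f"forward via {egress} (route {net})"

if __name__ == "__main__":
    # Without the /24, DMZ traffic to 172.31.233.x follows the /16 towards
    # inside, so a nat 0 / ACL written for DMZ -> outside never sees it.
    without_specific = [r for r in ROUTES if r[0] != "172.31.233.0/24"]
    print(forwarding_decision("dmz", "172.31.233.5", without_specific))
    print(forwarding_decision("dmz", "172.31.233.5"))     # now via outside
    print(forwarding_decision("inside", "172.31.10.5"))   # dropped: same interface
    print(forwarding_decision("inside", "172.31.233.5"))  # forwarded via outside
```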
