To reboot the PIX or not reboot - that is the question

Discussion in 'Cisco' started by Darren Green, Mar 14, 2006.

  1. Darren Green

    Darren Green Guest

    All,

    I have a head scratcher, brief details and topology:


    DMZ - 172.18.1.0
    /
    PIX 515 6.3(4) --outside X.X.X.X
    /
    inside
    192.168.X.X + other networks

    On the inside of the PIX I have various route statements to several
    networks. One of these is 172.31.0.0/16.

    I use my DMZ router 172.18.1.X to connect to a number of other routers
    (via the outside interface of the PIX). These routers sit behind a
    Concentrator and use Loopback addresses in range 172.31.233.0/24.

    The traffic off the DMZ is no-nated.

    My problem: I am simply getting no hits on either my no-nat list or
    the accompanying access-list on the PIX.

    e.g.

    access-list nonat permit ip 172.18.1.0 255.255.255.0 172.31.233.0 255.255.255.0

    access-list blah permit ip 172.18.1.0 255.255.255.0 172.31.233.0 255.255.255.0

    There is a default route on the PIX pointing to the outside router.
    Talking to my colleague, he seems to think the PIX will be forwarding my
    172.31.233.0 traffic towards the 172.31.0.0/16 entry on the inside. I am
    sure that the PIX wouldn't; either way, I cannot understand why I have
    no hits in my no-nat etc.

    The above access-list & nonat entries are just 'tagged on additions' to
    the bottom of pre-configured working lists.

    Anyone have any suggestions?

    Regards

    Darren
    ------
     
    Darren Green, Mar 14, 2006
    #1

  2. In article <dv7fbk$hp5$-infra.bt.com>,
    Darren Green <> wrote:
    >PIX 515 6.3(4)


    >I use my DMZ router 172.18.1.X to connect to a number of other routers
    >(via the outside interface of the PIX). These routers sit behind a
    >Concentrator and use Loopback addresses in range 172.31.233.0/24.


    >There is a default route on the PIX pointing to the outside router.
    >Talking to my colleague he seems to think the PIX will be forwarding my
    >172.31.233.0 traffic towards the 172.31.0.0/16 entry on the inside. I am
    >sure that the PIX wouldn't,


    He is correct.

    >either way, I cannot understand why I have
    >not hits in my no-nat etc.


    Traffic from the inside to 172.31.233/24 is going to hit the inside
    interface; the PIX would see that the route is through the inside
    interface, and would promptly drop the packet -before- looking at
    any access lists.

    You can create a route for 172.31.233/24 specifically, while still
    keeping your 172.31/16 route. The PIX uses "best match" routing,
    so traffic to 172.31.233/24 would match the specific route
    and traffic to any other 172.31/16 would use the 172.31/16
    route (or get dropped, if the route would have it go back out the
    same interface it came in.)
     
    Walter Roberson, Mar 14, 2006
    #2
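The more-specific route the reply describes, written out as PIX 6.3 configuration. This is an added example, not configuration from either poster; the interface name `dmz`, the next-hop addresses and the ACL binding are assumptions (the thread only shows the two access-list entries).

```cisco
! Added example, not from the thread. "dmz", the next-hop addresses
! (192.168.X.Y, X.X.X.Y) and the access-group binding are assumptions.
!
! Existing summary route: all of 172.31.0.0/16 via the inside router.
route inside 172.31.0.0 255.255.0.0 192.168.X.Y 1
!
! Added: a longer /24 prefix for the loopbacks behind the concentrator,
! pointing out the outside interface. The PIX picks the longest matching
! prefix, so 172.31.233.0/24 now leaves via outside while the rest of
! 172.31/16 still follows the /16 route above.
route outside 172.31.233.0 255.255.255.0 X.X.X.Y 1
!
! Identity (no-NAT) for DMZ -> loopback traffic. The "nonat" list only
! has an effect once it is bound to the DMZ interface with nat 0.
access-list nonat permit ip 172.18.1.0 255.255.255.0 172.31.233.0 255.255.255.0
nat (dmz) 0 access-list nonat
!
! Permit DMZ hosts to reach the loopbacks; the list must be applied to
! the interface to be consulted at all.
access-list blah permit ip 172.18.1.0 255.255.255.0 172.31.233.0 255.255.255.0
access-group blah in interface dmz
!
! Verification: the /24 should appear in the routing table and the
! hitcnt values on both lists should start incrementing.
show route
show access-list nonat
show access-list blah
```

If the hit counters stay at zero after the /24 route is in place, check that the DMZ router's own route for 172.31.233.0/24 actually points at the PIX DMZ interface rather than somewhere else.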