To reboot the PIX or not reboot - that is the question

    I have a head scratcher, brief details and topology:

    DMZ -
    PIX 515 6.3(4) --outside X.X.X.X
    192.168.X.X + other networks

    On the inside of the PIX I have various route statements to several
    networks. One of these is

    I use my DMZ router 172.18.1.X to connect to a number of other routers
    (via the outside interface of the PIX). These routers sit behind a
    Concentrator and use Loopback addresses in range

    The traffic off the DMZ is no-nated.

    My problem: I am simply getting no hits on either my no-nat list or the
    accompanying access-list on the PIX.


    access-list nonat permit ip

    access-list blah permit ip

    There is a default route on the PIX pointing to the outside router.
    Talking to my colleague, he seems to think the PIX will be forwarding my
    traffic towards the entry on the inside. I am sure that the PIX wouldn't;
    either way, I cannot understand why I have no hits in my no-nat etc.

    The above access-list & nonat entries are just 'tagged on additions' to
    the bottom of pre-configured working lists.

    Anyone have any suggestions?


  2. He is correct.
    Traffic from the inside to 172.31.233/24 is going to hit the inside
    interface; the PIX would see that the route is through the inside
    interface, and would promptly drop the packet -before- looking at
    any access lists.

    You can create a route for 172.31.233/24 specifically, while still
    keeping your 172.31/16 route. The PIX uses "best match" routing,
    so traffic to 172.31.233/24 would match the specific route
    and traffic to any other 172.31/16 would use the 172.31/16
    route (or get dropped, if the route would have it go back out the
    same interface it came in.)
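As an added illustration of the reply above (example code, not from the thread or from Cisco), here is a small model of the two behaviours it describes: longest-prefix "best match" route selection, and a packet being dropped before any access-list is consulted when its chosen egress interface is the interface it arrived on. The route tables and addresses are constructed from the networks mentioned in the thread; the 0.0.0.0/0 default and the interface names are assumptions.

```python
import ipaddress

# Constructed route table as the original poster has it: a broad 172.31/16
# route via the inside interface plus a default route via outside.
ROUTES_BEFORE = [
    ("0.0.0.0/0", "outside"),
    ("172.31.0.0/16", "inside"),
]

# Constructed route table after adding the specific route the reply suggests.
ROUTES_AFTER = ROUTES_BEFORE + [("172.31.233.0/24", "outside")]


def best_match(dst, routes):
    """Longest-prefix ("best match") lookup.

    Returns (matching_network, egress_interface); the most specific prefix
    that contains dst wins, so a /24 beats a /16 beats the default route.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def pix_forward(dst, ingress, routes):
    """Model of the behaviour described in the reply.

    The route lookup happens first; if the egress interface equals the
    ingress interface the packet is dropped before any access-list (so the
    no-nat and access-list hit counters never increment). Otherwise the
    packet proceeds to access-list evaluation on its way to egress.
    """
    net, egress = best_match(dst, routes)
    if egress == ingress:
        return ("dropped-before-acl", str(net))
    return ("acl-check", egress)


if __name__ == "__main__":
    # With only the /16 route, traffic from inside to 172.31.233/24 is
    # routed straight back to inside and dropped: the poster's "no hits".
    print(pix_forward("172.31.233.10", "inside", ROUTES_BEFORE))
    # With the specific /24 route it is forwarded out and reaches the lists.
    print(pix_forward("172.31.233.10", "inside", ROUTES_AFTER))
    # Other 172.31/16 destinations still follow the /16 route and get dropped.
    print(pix_forward("172.31.5.5", "inside", ROUTES_AFTER))
```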
