From dmz to subinterface on inside (PIX 515E)

Unanswered Question
May 18th, 2007
User Badges:


I'm trying to get a few of our machines on dmz to communicate with a TSM server which is located on a subnet on the inside. But I can't get it to route traffic out on the subinterface I have created in the pix, it keeps using the dmz as output interface, instead of the subinterface.

Server on dmz:

Subinterface on inside interface: (name: BackupLAN)

TSM server: (name: TSMserver)

The following NATs are used:

static (BackupLAN,dmz) TSMserver TSMserver netmask

static (dmz,BackupLAN) netmask

The following route is created:

route BackupLAN TSMserver 1 ( is a switch which passes the traffic on to the TSM server)

There is also a security policy for incoming on dmz which only allows traffic with destination port 1500 to be passed on.

When running the Packet tracer in ASDM, the result is that the packet is allowed, but both input and output interface is dmz, output interface should be BackupLAN.

Is there something I have forgot to configure? Or is anything wrong configured?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
acomiskey Fri, 05/18/2007 - 05:35
User Badges:
  • Green, 3000 points or more

Could you post a show route.

marasthlm Tue, 05/22/2007 - 23:33
User Badges:

Here are the routes:

Gateway of last resort is to network

C is directly connected, BackupLAN

S TSMserver [1/0] via, BackupLAN

C is directly connected, outside

C is directly connected, dmz

C is directly connected, inside

S* [1/0] via, outside

laurent.geyer Fri, 05/18/2007 - 07:24
User Badges:

What security level is configured for BackupLAN and dmz? Also, which network does the TSMserver sit on?

marasthlm Tue, 05/22/2007 - 23:42
User Badges:

BackupLAN has securitylevel 100, dmz has 10

The TSMserver resides on a remote network. From the PIX the link goes via a local switch ( in the configuration) and then to a remote switch (still in the .120 subnet) and then it reaches the TSMserver

Jon Marshall Wed, 05/23/2007 - 00:00
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN


Firstly what is the second static doing ie.

static (dmz,BackupLAN) netmask

This is not needed as far as i can see so maybe remove it and see if that makes any difference. I can't see why it would at the moment but your config/routing looks okay.

Also can you ping the TSMServer from the pix firewall itself


marasthlm Wed, 05/23/2007 - 06:56
User Badges:

It doesn't do much really. Put it there in case of need or something. But it's no difference without that NAT rule.

I can't ping the TSMserver from the PIX, eventhough I choose the BackupLAN interface in the ping console.


This Discussion