Routing Problem

Unanswered Question
Jun 20th, 2007


I have got a Cisco PIX, one of my interface IP addresses on this is, this PIX is connected to the core switch which is a 3COM layer 3 switch, it has got 2 IP addresses &

I had given a route to reach via, with this the PIX is able to ping, which is nothing but the IP address of the 3COM switch.

route inside

3COM default gateway IP address is

My PC IP address is, gateway is, with this I can't ping, whereas if I set my gateway IP address as, I am able to ping. No access-list or anything else is configured on the 3COM or on the Cisco PIX for & network.

My question is, if the PIX is able to reach, then why can't my PC, which has the PIX IP address as its gateway, reach?

mahmoodmkl Wed, 06/20/2007 - 02:29


Here is what I think is the normal behaviour. The IP address and will be directly connected on the 3COM switch. Any unknown traffic will be forwarded to the PIX.

As your 3COM will be routing between the two subnets.



Anand S Wed, 06/20/2007 - 03:03

Hi Mahmood,

But when the PIX is able to reach the, why can't the PC which has the gateway IP address of the PIX reach

Any more suggestions? Mahmood, I am not clear with your answer, it doesn't contain any valuable points.

leighharrison Wed, 06/20/2007 - 06:05

Hello there,

The issue here is to do with ICMP.

When your PC sends out a ping to it realises that it is not on the same subnet and thus sends the request to its default gateway - in your case - the PIX firewall.

The PIX firewall then receives the request for and knows that it's back through the interface it came in on. So what should happen is it will send your PC an ICMP redirect message to tell you where to find the network (via the 3COM switch rather than the PIX)

This is an option that needs to be turned on for the PIX.

The better way to do it would be to point the PC's default gateway to the 3com switch. Then you should have no problems!

Hope this helps,


** Please rate all posts **

Anand S Wed, 06/20/2007 - 19:26

3COM switch has got 2 ip address,

default gateway ip address is


PIX IP address

route inside


PC ip address

gateway IP address is this is what I have set already.

any suggestions?

Anand S Wed, 06/20/2007 - 22:49

This is the message I get in the log on the PIX for the above.

Jun 21 11:13:25 %PIX-3-106011: Deny inbound (No xlate) icmp src inside: dst inside: (type 8, code 0

leighharrison Thu, 06/21/2007 - 00:24

Hi there,

The problem here is the icmp redirect on the PIX.

The easiest way to sort this is to make the default gateway of your PC the 3com switch ( - try that and let me know how it goes!


** Please rate all posts **

Anand S Thu, 06/21/2007 - 00:29


As I mentioned in the previous post, if I set as the gateway to my PC, it works fine, only if I set the PIX( as a gateway to the PC it is not working.

My question again is, if the PIX is able to reach, then why is my PC, having the PIX as its gateway IP address, not able to ping?

leighharrison Thu, 06/21/2007 - 00:40


The problem is to do with icmp redirecting on the PIX.

The traffic flow will not go into the PIX and then out from the PIX back out of the same interface it came in on to the 3COM switch.

The PIX will send your PC an ICMP redirect message and your PC will send the traffic straight to the 3COM switch.

On the 3COM switch, the ICMP redirect will be on by default. On the PIX ICMP redirects are turned off for security reasons.

Have a look at this question (at the bottom) on this page:-

Q. Can I operate the PIX in a "one armed" configuration?

Have a look here for more information on icmp:-

Hope that helps!


** Please rate all posts **
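
Added example, not part of the thread or any poster's code: a small Python check that scans PIX syslog for the 106011 message quoted above and reports denials where the source and destination sit on the same interface, which is the symptom of a host using the PIX as its gateway for a network reachable only back out of that interface. The addresses are constructed from documentation ranges, and the optional `/port` part of the pattern is an assumption for TCP/UDP variants of the line.

```python
import re
from collections import Counter

# Pattern modelled on the 106011 line quoted in the thread; the optional
# "/port" suffix is an assumption covering TCP/UDP variants of the message.
LINE_RE = re.compile(
    r"%PIX-3-106011: Deny inbound \(No xlate\) (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)(?:/\d+)?"
)

# Constructed sample lines (documentation address ranges, not from the thread).
SAMPLE_LOG = """\
Jun 21 11:13:25 %PIX-3-106011: Deny inbound (No xlate) icmp src inside:192.0.2.10 dst inside:198.51.100.20 (type 8, code 0)
Jun 21 11:13:26 %PIX-3-106011: Deny inbound (No xlate) icmp src inside:192.0.2.10 dst inside:198.51.100.20 (type 8, code 0)
Jun 21 11:14:02 %PIX-3-106011: Deny inbound (No xlate) tcp src inside:192.0.2.11/1045 dst inside:198.51.100.30/80
Jun 21 11:15:40 %PIX-3-106011: Deny inbound (No xlate) udp src outside:203.0.113.5/53 dst inside:192.0.2.10/1030
"""


def same_interface_denies(log_text):
    """Count 106011 denials per (interface, src, dst) where the packet
    arrived on the interface it would also have to leave by."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["src_if"] == m["dst_if"]:
            hits[(m["src_if"], m["src"], m["dst"])] += 1
    return hits


def hosts_routing_via_firewall(log_text):
    """Sorted source addresses that are sending same-interface traffic to the PIX."""
    return sorted({src for (_iface, src, _dst) in same_interface_denies(log_text)})


if __name__ == "__main__":
    for (iface, src, dst), n in same_interface_denies(SAMPLE_LOG).items():
        print(f"{n}x {src} -> {dst}, both on '{iface}': check this host's gateway")
```

Hosts it lists are candidates for having their default gateway pointed at the layer 3 switch, as suggested in the reply above.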

Anand S Thu, 06/21/2007 - 02:12

Oh no,

The explanation for what exactly I am looking for is really superb "Q. Can I operate the PIX in a "one armed" configuration? " & I do agree with that, but ultimately now I need to rely on the 3COM, not on the PIX, to set as a gateway.

Anyhow, thanks for providing the link.

