Routable network "behind" PIX

Sep 7th, 2007

Hi guys,

Just wonder if you can give me an idea how to sort out a situation when I have 2 subsequent subnets of /29 bits each, one of them is "in front" of PIX515 (OS ver. 7.1) and the second is "behind". For some reason when I asked the ISP to just specify the external IP address of the PIX as a gateway for the second subnet on their router, I couldn't get things connected. However, when I asked them to revert things back to what it was before (a single /28 bits subnet behind the ISP's router, in front of the PIX), one of the hosts behind the PIX suddenly started sending/receiving traffic through the PIX. The other host with similar network settings (just the next IP address, belonging to the same subnet as the first device) still doesn't behave.

I know that the PIX isn't a router and doesn't work with IP headers, but I just need to know what exactly needs to be done on the PIX/hosts/ISP's router to get the subnet "behind" the PIX routed through?

Jon Marshall Sun, 09/09/2007 - 23:43

There is no reason why this shouldn't have worked. Presumably when the ISP added the route for the subnet behind the pix they and you updated the subnet mask on

1) The outside interface of your pix

2) The inside interface of the ISP router.

If the subnet masks weren't updated then this could cause it not to work.

The other option you have is to use private addressing on your internal machines and set up static NAT entries on the pix for these machines using some of the public addressing from the /28 subnet.



micheljoh Thu, 09/13/2007 - 21:49


Well, I am not sure I understand your question correctly, but for traffic going from a lower security interface (outside) to a higher security interface (inside) it needs to either have a state or an access-list and a translation permitting the traffic.

One problem you can have, if you added the access-list, is that from the inside interface you added dynamic NAT, for example:

nat (inside) 1 0 0

global (outside) 1 interface

What you do then is translate all your inside network IPs to the outside interface address.

If this is the case, try to create an access-list where you deny inside-to-specific-outside traffic in the nat statement, for example:

access-list no-nat permit ip x.x.x.x x.x.x.x y.y.y.y y.y.y.y

x = inside network (address and mask)

y = outside network (address and mask)

and then apply it on the nat statement:

nat (inside) 0 access-list no-nat

nat (inside) 1 0 0

global (outside) 1 interface

Hope I understood the question correctly and this helps you; let me know otherwise!
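As an added illustration (not code from any of the posts above), a small Python model of the translation order micheljoh describes: it parses a no-nat access-list entry in PIX syntax and shows that an inside host with a public address gets PAT'd to the outside interface address unless the nat 0 exemption matches, and that only the exemption gives outside-initiated traffic to that host a translation at all. All addresses are constructed placeholders from RFC 5737 documentation space, standing in for the poster's unnamed subnets.

```python
import ipaddress

# Constructed topology standing in for the poster's unnamed addresses:
# 203.0.113.0/29 sits between the ISP router and the PIX outside interface,
# 203.0.113.8/29 is the subnet routed "behind" the PIX via its outside
# address 203.0.113.2.
PIX_OUTSIDE_IP = ipaddress.ip_address("203.0.113.2")


def parse_acl_entry(line):
    """Parse one 'access-list NAME permit ip SRC MASK DST MASK' line into
    (src_network, dst_network). PIX access-lists take real subnet masks,
    not wildcard masks; the keyword 'any' stands for 0.0.0.0 0.0.0.0."""
    tok = line.split()
    if tok[:1] != ["access-list"] or tok[2:4] != ["permit", "ip"]:
        raise ValueError("only 'permit ip' entries are modelled: " + line)
    fields, nets = tok[4:], []
    while fields:
        if fields[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            fields = fields[1:]
        else:
            nets.append(ipaddress.ip_network(f"{fields[0]}/{fields[1]}"))
            fields = fields[2:]
    if len(nets) != 2:
        raise ValueError("expected a source and a destination: " + line)
    return nets[0], nets[1]


def outbound_source(src, dst, exempt_acl):
    """Source address the outside sees for an inside-to-outside packet.
    The PIX evaluates 'nat (inside) 0 access-list no-nat' (NAT exemption)
    before 'nat (inside) 1 0 0' with 'global (outside) 1 interface' (PAT)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for s_net, d_net in exempt_acl:
        if src in s_net and dst in d_net:
            return src           # exempt: the real public address is kept
    return PIX_OUTSIDE_IP        # otherwise PAT to the outside interface


def inbound_has_translation(outside_src, inside_dst, exempt_acl):
    """Whether an outside-initiated packet to a host behind the PIX matches
    any translation. NAT exemption is bidirectional, dynamic PAT is not, so
    without the exemption the PIX drops the packet before any outside
    access-list is even consulted (that access-list is still required)."""
    outside_src = ipaddress.ip_address(outside_src)
    inside_dst = ipaddress.ip_address(inside_dst)
    return any(inside_dst in s_net and outside_src in d_net
               for s_net, d_net in exempt_acl)
```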


