Strange routing issue

Unanswered Question
Jun 25th, 2008

I have a strange issue with routing through a PIX firewall. The Firewall has a number of interfaces, only three of which are involved.

I can route from the INSIDE network to the OUTSIDE with no issues. When I try to route from the DMZ to the OUTSIDE there is no connectivity. I can see the access-list counters incrementing, and have checked with a capture, to prove that traffic is entering via the DMZ interface. However, a capture shows no traffic exiting via the OUTSIDE interface. However, if I put an outbound access-list on the OUTSIDE interface the counters increase.

There is no NAT involved, and all interfaces have the necessary "nat 0" identity statements.

I'm stuck as to where to go from here to debug the issue. Help appreciated!!!

The PIX is running 7.0(4) software.

Farrukh Haroon Wed, 06/25/2008 - 12:25

Can you try upgrading to the latest version in the 7.0(X) train?

Also do you have any SNMP commands in your configuration?

Can you post the *sanitized* configs?

mark.j.hodge Thu, 06/26/2008 - 00:52

It is a live environment, so I cannot upgrade easily.

Yes, the device is SNMP managed.

The environment is quite complex, and sanitizing the config would take some time. I'm more looking for some way to further debug this myself.

I was under the impression that the last action the PIX takes is to check the outbound access list. As this is being hit what could be preventing traffic from exiting the interface?

Farrukh Haroon Thu, 06/26/2008 - 01:48

At least the following can be posted:

show run nat

show run static

show run global

show run access-list

show run access-group
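As an added illustration (not posted by either participant in this thread), the fragment below puts the pieces the thread mentions into one constructed PIX 7.0-style configuration: three interfaces, an identity NAT ("nat 0") statement on each source interface, an inbound access-list on the DMZ interface, a default route, and the show commands requested above, listed in the order the firewall processes a flow. Interface names, security levels and addresses are placeholders (RFC 5737 documentation ranges), not the poster's real values.

```cisco
! Constructed example, not the thread's configuration. Placeholder values throughout.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
! Identity NAT is matched on the *source* interface of a flow, so a
! dmz -> outside flow needs a nat 0 entry on dmz, independent of inside.
nat (inside) 0 0.0.0.0 0.0.0.0
nat (dmz) 0 0.0.0.0 0.0.0.0
!
! Inbound ACL on the DMZ interface (this is where the hit counters increment)
! and a default route pointing out of the outside interface.
access-list DMZ_IN extended permit ip 192.0.2.0 255.255.255.0 any
access-group DMZ_IN in interface dmz
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Verification, roughly in the order a packet is processed:
!  show route                  -- is the destination reachable via outside?
!  show run nat                -- does the dmz interface have its own nat 0?
!  show run static             -- any static that overrides the identity NAT?
!  show run global             -- any global pool that would apply instead?
!  show access-list DMZ_IN     -- hit counts confirm the ACL stage is reached
!  show xlate / show conn      -- was a translation and connection built?
!  show asp drop               -- counters for packets dropped in the fast path
```

Comparing each of these outputs for the dmz interface against the same outputs for inside (where the path works) isolates which stage differs between the two source interfaces.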