Strange routing issue

mark.j.hodge · ‎06-25-2008

I have a strange issue with routing through a PIX firewall. The Firewall has a number of interfaces, only three of which are involved.

DMZ

INSIDE

OUTSIDE

I can route from the INSIDE network to the OUTSIDE with no issues. When I try to route from the DMZ to the OUTSIDE there is no connectivity. I can see the access-list counters incrementing, and have checked with a capture, to prove that traffic is entering via the DMZ interface. However a capture shows no traffic exiting via the OUTSIDE interface. However if I put an outbound access-list on the OUTSIDE interface the counters increase.

There is no NAT involved, and all interfaces have the necessary "nat 0" identity statements.

I'm stuck as to where to go from here to debug the issue. Help appreciated!!!

The PIX is running 7.0(4) software.

Farrukh Haroon · ‎06-25-2008

Can you try upgrading to the latest version in the 7.0(X) train?

Also do you have any SNMP commands in your configuration?

Can you post the *sanitized* configs?

Regards

Farrukh

mark.j.hodge · ‎06-26-2008

It is a live environemnt, so I cannot upgrade easily.

Yes, the device is SNMP managed.

The environment is quite complex, and sanitizing the config would take some time. I'm more looking for some way to further debug this myself.

I was under the impression that the last action the PIX takes is to check the outbound access list. As this is being hit what could be preventing traffic from exiting the interface?

Farrukh Haroon · ‎06-26-2008

Atleast the following can be posted:

show run nat

show run static

show run global

show run access-list

show run access-group

Regards

Farrukh

a.alekseev · ‎06-25-2008

show your config