Configuring Pix behind a Pix

Unanswered Question
Feb 27th, 2009


We have one Pix sitting as f/w for our servers. I now want to configure another Pix, whose outside interface is on the same subnet as the inside interface of the first Pix. The second Pix will be in front of our LAN, so you can consider the servers to be in a DMZ. The outside Pix is working fine, so I don't really want to touch that too much.

I have set up the second Pix pretty much the same as the first; however, I cannot seem to ping between DMZ and LAN. With the same setup on the first Pix, I can ping between the internet and DMZ.

The only difference is that the outside Pix has NATting, and I want to avoid it on the inside one, although if it is needed, then that is fine.

Internet --- Pix1 ---- Servers --- Pix2 ---- LAN

Any ideas of where I should look first?

Thank you in advance.



Jon Marshall Fri, 02/27/2009 - 04:35


Depending on the Pix version of software you could either

1) turn off NAT, i.e. no nat-control


2) use static entries, i.e. assuming your LAN is

static (inside,outside) netmask

Both the above are changes you make on the new pix.


smbtest12 Fri, 02/27/2009 - 05:07


Thanks for your fast response !!

I have opted for the first option, although I also tried option 2. However, neither seems to be working. We are using Pix version 8.02 for both PIXes.

The LAN security is 100

The Servers are 50

The outside of Pix1 is 0

So essentially, the inside int of Pix1 and outside int of Pix2 are both on 50, and I have allowed hosts on the same security level to talk to each other.

For Pix1, I have the following static routes (if that helps)

route outside 1

route outside LAN 1

(where is our router/gateway to the internet)

For Pix2, I have the following static routes

route outside 1

Where is the internal IP range of the DMZ

Thanks a lot


Jon Marshall Fri, 02/27/2009 - 05:27


Where are you trying to communicate from and where to? e.g. IP addresses etc.

Have you allowed the access with ACLs?

Could you provide some more detail.


smbtest12 Fri, 02/27/2009 - 06:12

Sorry, Jon, for the confusion.

The following apply



The DMZ IPs translate statically to on the outside int of Pix1. So on the inside we have


Outside interface -

Inside interface -

We want the hosts on the LAN to be able to talk to the DMZ hosts, which by nature of a firewall it should, as it is outbound (but it isn't).

We also want communication from (DMZ) to the LAN controlled by ACLs (which have been set up).





PIX with Static Nat


( = DMZ





Hope this helps


Jon Marshall Fri, 02/27/2009 - 07:17


What is the default gateway set to on the servers in the DMZ? If it is set to Pix1:

1) Have you enabled hairpinning on that Pix? I suspect you have because of your statement "I have allowed hosts on the same security level to talk to each other".

2) Your route -

route outside LAN 1

this should read -

route inside LAN 1


smbtest12 Fri, 02/27/2009 - 08:33


The default gateway for the DMZ is the inside interface of Pix1.

1. We did not enable hairpinning as it was a real big issue, and in the end we edited host files for internal communication.

2. I have changed the static route as you have mentioned.

Now we're getting somewhere. I can TS and ping both ways, from DMZ to LAN and vice versa. I cannot, however, access the internet from the LAN (but can from DMZ). Both TCP and UDP port 53 are open, as well as HTTP inbound on Pix1 and Pix2. I have a DNS server in the DMZ which I have made my DNS server for the LAN host for now. I can ping and TS both ways from and to, but cannot access the web. Perhaps there is still a small config adjustment to be made.

Thanks for your help


Jon Marshall Fri, 02/27/2009 - 10:49


If you have NAT turned off then your internal addresses will not be changed, so they will go out onto the Internet as 192.168.5.x, which are not routable, unless you have a catch-all NAT statement on the pix that translates all addresses arriving on its inside interface.

If you don't, you need to modify Pix1 to include 192.168.5.x in its NAT statements so these addresses are NATted to a public IP before going onto the Internet.


smbtest12 Mon, 03/02/2009 - 06:13

Hi Jon

Thanks for the suggestion, I got internet working; I can TS from LAN to DMZ. I cannot ping from LAN to DMZ. Am I right to assume that this is because ICMP is not a stateful connection, and my NAT is set up as follows


global (Outside) 1 interface

nat (inside) 1

In other words, as the ASDM shows, everything on the range goes out through the inside interface and is mapped as the outside interface. The arrow direction is outbound; there is nothing to show inbound.

If this is the case, can you please advise how I can enable pinging from LAN to DMZ, and further to that, if I can allow communication from DMZ to LAN, as this was working when I had no NATting.

Thanks a lot


Jon Marshall Mon, 03/02/2009 - 07:33


static (inside,dmz) netmask

Then you need to have an ACL on the DMZ interface to allow traffic into the LAN. Be careful with the ACL; it should follow this logic:

1) allow ICMP back to LAN

2) allow any ports from DMZ to LAN you want

3) deny all other traffic from DMZ to LAN

4) Permit all other traffic

Without 4) the DMZ will not be able to communicate with other addresses reachable via different interfaces.
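The ordering point Jon makes above is easiest to see by evaluating a few flows against the ACL with and without step 4. The following is an added example, not something posted in the thread: a small first-match ACL evaluator with the implicit deny that every PIX access-list ends in. The 192.168.5.0/24 LAN range is the one named in the thread; the 192.168.105.0/24 DMZ range is assumed from the "192.168.105.x servers" mentioned later, TCP/3389 (TS) stands in for "any ports from DMZ to LAN you want", and 203.0.113.5 is a documentation address standing in for an Internet host.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# 192.168.5.0/24 is the LAN range from the thread; the DMZ range is assumed
# from the "192.168.105.x servers" mentioned later in the discussion.
LAN = ipaddress.ip_network("192.168.5.0/24")
DMZ = ipaddress.ip_network("192.168.105.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    """One access-list entry. proto 'ip' matches every protocol; dport None matches every port."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "icmp", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None


@dataclass(frozen=True)
class Flow:
    """A packet reduced to the fields the ACL looks at."""
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    if ipaddress.ip_address(flow.src) not in rule.src:
        return False
    if ipaddress.ip_address(flow.dst) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    return True


def evaluate(acl, flow: Flow) -> str:
    """First-match evaluation; the trailing implicit deny is what bites when step 4 is left out."""
    for rule in acl:
        if matches(rule, flow):
            return rule.action
    return "deny"


# Jon's four-step logic for the ACL applied inbound on the DMZ-facing interface.
# TCP/3389 (TS) is the example for "any ports from DMZ to LAN you want".
DMZ_IN_WITH_RULE4 = [
    Rule("permit", "icmp", DMZ, LAN),        # 1) allow ICMP back to LAN
    Rule("permit", "tcp", DMZ, LAN, 3389),   # 2) allow the DMZ->LAN services you need
    Rule("deny", "ip", DMZ, LAN),            # 3) deny all other DMZ->LAN traffic
    Rule("permit", "ip", DMZ, ANY),          # 4) permit everything else (e.g. DMZ->Internet)
]
DMZ_IN_WITHOUT_RULE4 = DMZ_IN_WITH_RULE4[:3]   # the same list with step 4 missing

# Constructed sample flows; 203.0.113.5 (RFC 5737) stands in for an Internet host.
SAMPLE_FLOWS = [
    Flow("icmp", "192.168.105.10", "192.168.5.20"),
    Flow("tcp", "192.168.105.10", "192.168.5.20", 3389),
    Flow("tcp", "192.168.105.10", "192.168.5.20", 445),
    Flow("tcp", "192.168.105.10", "203.0.113.5", 80),
]


def compare(flows=SAMPLE_FLOWS):
    """Return {flow: (result with step 4, result without step 4)} for a side-by-side view."""
    return {f: (evaluate(DMZ_IN_WITH_RULE4, f), evaluate(DMZ_IN_WITHOUT_RULE4, f)) for f in flows}


if __name__ == "__main__":
    for flow, (with4, without4) in compare().items():
        print(f"{flow.proto:4} {flow.src} -> {flow.dst}:{flow.dport}  "
              f"with step 4: {with4:6}  without: {without4}")
```

Only the last sample flow changes between the two lists: DMZ to LAN behaviour is identical, but the web request from the DMZ to an Internet address falls through to the implicit deny when step 4 is missing.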


smbtest12 Mon, 03/02/2009 - 08:34


OK, thanks, but I am a little stuck.

1) was already in the ACL

2) was already configured

3) There is an implicit rule which denies all inbound IP traffic after all the ACLs have been implemented. As you know, the outside interface of Pix2 sits in the inside-network/24 of Pix1, hence I assume I can use this implicit rule for 3).

4) Is this to be input into Pix1 or Pix2? If so, how do you go about this rule?

Thanks a lot


Jon Marshall Mon, 03/02/2009 - 09:24


Have you set up the NAT statement at the start of my last post, i.e.

static (inside,dmz) netmask


smbtest12 Mon, 03/02/2009 - 09:32

Jon, yes, I put that in. I ended up with two NAT statements.

The first is the one I had, which says all the hosts in the LAN are translated to the IP of the outside interface. This works a treat as it started to allow web access and TS into the DMZ. It didn't allow pinging because I think ICMP is stateless (but I could not ping into the LAN as their IPs were being translated to the outside of Pix2, nor could I TS into the LAN).

When I added your suggestion, that created some confusion in the system, so I removed my NAT statement and left yours in. This allowed TS and ping both ways but didn't allow access to the internet. I have the hosts pointing to a DNS server sitting in the LAN.



Jon Marshall Mon, 03/02/2009 - 09:35


Is there any chance of posting config of both pix firewalls or at the least the inside pix firewall ?


smbtest12 Tue, 03/03/2009 - 03:04

OK, Jon, I have attached here the config for the inside Pix.


Jon Marshall Tue, 03/03/2009 - 04:58


Okay, I see where I went wrong. I forgot that what we are calling the DMZ is not actually another interface on the inside Pix but still the outside interface. So when I asked you to add that other NAT statement, that would indeed have created confusion. Apologies for that.

The reason I suspect that just adding my statement didn't work is because the outside Pix does not know how to route back to So you could either

1) remove your existing nat & global statements and add the following

static (inside,outside)

and make sure that the outside pix has a route back to the network via the outside interface of the inside pix


Or we could try policy NAT, i.e.

access-list inside_to_dmz permit ip

** static (inside,outside) access-list inside_to_dmz

** Note - I don't have a Pix/ASA to test on. The above syntax is not quite right - it could be

static (inside,outside) access-list inside_to_dmz

or it might be some other combination. Apologies for being vague, but I haven't configured this in a while and I've forgotten the exact syntax.


smbtest12 Tue, 03/03/2009 - 07:07


Thanks, I tried both methods, but wasn't successful with either. I am attaching the Pix config for Pix1. (19x.yyy.zzz is a public IP range)

Which interface does the static route from Pix1 to come from, is it inside or outside? It is a little confusing, because in this case the traffic from Pix1 travels on the inside of the f/w to Pix2 through the outside interface of Pix2, but doesn't necessarily go through the inside interface of Pix1. Am I right in thinking this is so?

So I tried both methods and wasn't successful; however, the Packet Tracer seems to show that there is communication between both and, I have tried different ports and different protocols.

Thanks for your help

Jon Marshall Tue, 03/03/2009 - 07:28


The key parts of the config are -

1) Your Natting

global (outside) 1 interface

global (outside) 3 19x.yyy.zzz.9 netmask

global (inside) 1 interface

static NATTING here between inside and outside for all hosts on 1-2-1

Apart from the fact that you have global statements with no corresponding nat statements, there is no NATting for the IP addresses. The easiest way to fix this is

nat (inside) 4

global (outside) 4 interface

HOWEVER - because I can't make much sense of your NAT config on this firewall, you need to be very careful. I can't guarantee it won't break anything. What you do need to do is ensure that 192.168.5.x addresses are translated to public IP(s).

Is there a chance some of the NAT config is missing?

Also the 1-2-1 NATs, are these all for 192.168.105.x servers?

2) Routing -

route outside 2

This route should read -

route inside 2
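Jon's diagnosis here, and in his earlier reply about 192.168.5.x leaving untranslated, comes down to what source address a LAN packet carries by the time it passes Pix1. The following is an added example, not configuration or code from the thread: a small model of PIX dynamic NAT (nat/global pairs plus nat-control) that walks one packet through both firewalls for the broken state and for the two fixes discussed, double NAT on Pix2 (what the poster ended up with) and adding the LAN range to Pix1's own NAT as in Jon's `nat (inside) 4` / `global (outside) 4 interface`. All addresses are assumptions: the 198.51.100.x documentation range stands in for the masked 19x.yyy.zzz public addresses, 192.168.105.2 is an assumed address for Pix2's outside interface, and the DMZ range is taken from the "192.168.105.x servers" mentioned above.

```python
import ipaddress

# RFC 5737 documentation addresses stand in for the thread's masked public range (19x.yyy.zzz.x).
PIX1_OUTSIDE_IP = "198.51.100.1"     # assumed public address of Pix1's outside interface
PIX1_GLOBAL_3 = "198.51.100.9"       # stands in for "global (outside) 3 19x.yyy.zzz.9"
PIX2_OUTSIDE_IP = "192.168.105.2"    # assumed address of Pix2's outside interface on the DMZ subnet

LAN = ipaddress.ip_network("192.168.5.0/24")      # LAN range from the thread
DMZ = ipaddress.ip_network("192.168.105.0/24")    # DMZ range, assumed from "192.168.105.x servers"
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class PixNat:
    """Minimal model of PIX dynamic NAT on the inside->outside path:
    'nat (inside) <id> <net> <mask>' selects the pool, 'global (outside) <id> ...' supplies the mapped address."""

    def __init__(self, name, nat_control=True):
        self.name = name
        self.nat_control = nat_control   # False models 'no nat-control'
        self.nat_rules = []              # [(id, network)] in configuration order
        self.globals = {}                # id -> mapped address

    def nat(self, nat_id, network):
        self.nat_rules.append((nat_id, ipaddress.ip_network(str(network))))
        return self

    def global_(self, nat_id, address):
        self.globals[nat_id] = ipaddress.ip_address(address)
        return self

    def translate(self, src):
        """Source address after this PIX, or None if nat-control drops the untranslated packet."""
        for nat_id, network in self.nat_rules:
            if src in network and nat_id in self.globals:
                return self.globals[nat_id]
        return src if not self.nat_control else None


def egress_source(path, src):
    """Walk a packet through the PIXes in order; return the source address that reaches the Internet."""
    addr = ipaddress.ip_address(src)
    for pix in path:
        addr = pix.translate(addr)
        if addr is None:
            return None
    return str(addr)


def is_routable(addr):
    """True if the address could be routed on the public Internet (i.e. not RFC 1918)."""
    return addr is not None and not any(ipaddress.ip_address(addr) in n for n in PRIVATE)


def pix1_as_posted(nat_control=True):
    """Pix1 as described in the thread: translation for the DMZ servers only, nothing for 192.168.5.x."""
    return PixNat("Pix1", nat_control).nat(3, DMZ).global_(3, PIX1_GLOBAL_3)


# Broken state with 'no nat-control' on Pix2: the LAN packet leaves Pix2 untranslated. Pix1 is also
# modelled with nat-control off (an assumption) so the packet reaches the Internet as 192.168.5.x,
# which is Jon's point; with nat-control on, Pix1 would drop it instead. Either way the LAN has no Internet.
BROKEN_PATH = [PixNat("Pix2", nat_control=False), pix1_as_posted(nat_control=False)]

# Fix A (what the poster settled on): double NAT. Pix2 hides the LAN behind its outside interface
# address, which already falls inside the DMZ range that Pix1 translates.
DOUBLE_NAT_PATH = [PixNat("Pix2").nat(1, LAN).global_(1, PIX2_OUTSIDE_IP), pix1_as_posted()]

# Fix B (Jon's 'nat (inside) 4 ... / global (outside) 4 interface'): Pix1 translates the LAN range itself.
PIX1_FIX_PATH = [PixNat("Pix2", nat_control=False),
                 pix1_as_posted().nat(4, LAN).global_(4, PIX1_OUTSIDE_IP)]

if __name__ == "__main__":
    for label, path in (("broken", BROKEN_PATH), ("double NAT", DOUBLE_NAT_PATH), ("Pix1 NAT added", PIX1_FIX_PATH)):
        out = egress_source(path, "192.168.5.20")
        print(f"{label:15} source on the Internet: {out}  routable: {is_routable(out)}")
```

The model only covers the outbound translation decision; it says nothing about the return path, which is why the thread also had to fix the `route inside` entry so Pix1 knows where 192.168.5.x lives.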


smbtest12 Mon, 03/09/2009 - 04:18

Hi Jon

Sorry it's been a few days, I had taken time off. Just to let you know that I managed to get it working thanks to your help throughout.

Essentially what I did was to use the points you gave me in your replies and created double NATting, so the same way I got the servers in the DMZ talking to the outside, I got the LAN hosts talking to the outside, albeit using static IPs, double NATting them all the way to the internet.

I would just like to say that I am really glad I bumped into you on this forum as you have really helped me out. I am by no means an expert and your help has really been appreciated.

Many thanks



