PIX not allowing traffic from Inside Interface to device in DMZ

Mar 27th, 2009

I am working at a client site. We have an issue where a PIX Firewall is not allowing access to a device in a DMZ network from devices on the Inside interface.

Here are the security levels of the interfaces:

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 DMZ security50

Network is off of the inside interface. Network is the DMZ (DMZ interface address is

I have run captures this morning and determined that 1) traffic destined for a device in the network makes it to the inside interface and 2) traffic seen on the inside interface for this device never makes it into the DMZ.

There is not an ACL in place on the DMZ interface, and right now I cannot determine why the Firewall is blocking this traffic.

I am going to include the running configuration of this.

The device we are trying to connect to is The device we are trying to connect from is

acomiskey Fri, 03/27/2009 - 10:09

static (inside,DMZ) netmask

Kevin Melton Fri, 03/27/2009 - 11:21

Thanks for the response. I implemented the static translation as published, but unfortunately it did not resolve the issue. We still cannot get from to

This is a very strange problem. I ran "capture" on the inside interface, and was able to see frames on that interface destined for I then placed the capture on the DMZ interface, and you never see the frames. I am not sure why the FW is blocking...

Kevin Melton Tue, 03/31/2009 - 07:49

Should the IP address for the next hop (ip add) be the address of the device in the DMZ, or the IP address of the DMZ interface on the PIX?


acomiskey Tue, 03/31/2009 - 07:59
is directly connected, you do not need a route to it.

Kevin Melton Tue, 03/31/2009 - 08:03

You are exactly correct. It displayed the following when I tried to add the route the other gentleman suggested:

ODEC-RS-FW(config)# route dmz
Route already exists
ODEC-RS-FW(config)# route dmz
Route already exists
ODEC-RS-FW(config)# sho route
outside 1 OTHER static
outside 1 CONNECT static
inside 1 OTHER static
inside 1 CONNECT static
DMZ 1 OTHER static
DMZ 1 CONNECT static


acomiskey, do you have any other recommendations as to what to configure next? We are really stuck on this issue...


acomiskey Tue, 03/31/2009 - 08:15

Please post your new configuration.

Take this line out, you don't need it...

no access-list DMZ_nat0_outbound permit ip

Kevin Melton Tue, 03/31/2009 - 08:56


At present it seems that negating the ACL statement that you recommended may have resolved the problem. I need to confirm this by the local users on that site.

I will update you once this is confirmed and mark post "resolved issue"

Thanks for your guidance with this!

acomiskey Tue, 03/31/2009 - 09:08

The reason you don't need that nat 0 on the dmz interface is because you already had one defined on the inside interface for the traffic between .43 and .155. So you have 2 options here...

nat (inside) 0 access-list nonat

access-list nonat extended permit

OR another way to accomplish the same thing...

static (inside,DMZ) netmask
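The check below is an added example, not code from this thread or from Cisco: a small parser that pulls every identity-NAT rule (a `nat (if) 0 access-list` line resolved through its ACL, or a `static` whose mapped and real addresses match) out of a PIX configuration and flags the situation acomiskey describes, where the same flow is exempted from translation on two interfaces at once. The addresses in the sample config are hypothetical placeholders (192.0.2.43 and 198.51.100.155); the thread's real addresses are not on the page, and the config is constructed here, not the poster's. Treating a static as covering any destination via its mapped interface is an approximation noted in the code.

```python
"""Flag identity-NAT (nat 0 / identity static) rules on a PIX that exempt the
same flow from both sides, the overlap acomiskey pointed at in the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample config (hypothetical addresses; the thread's real ones
# are not on the page). Both nat 0 lines exempt the .43 <-> .155 flow.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
access-list nonat extended permit ip host 192.0.2.43 host 198.51.100.155
access-list DMZ_nat0_outbound extended permit ip host 198.51.100.155 host 192.0.2.43
nat (inside) 0 access-list nonat
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""


@dataclass(frozen=True)
class ExemptRule:
    interface: str   # interface the rule is bound to (real side for a static)
    origin: str      # the config line that produced the rule
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _operand(tokens: list, i: int) -> tuple:
    """Parse one ACE address operand at tokens[i] -> (network, tokens used)."""
    if tokens[i] == "any":
        return ANY, 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), 2
    # "A.B.C.D M.M.M.M": ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), 2


def parse_exemptions(config: str) -> list:
    """Collect every rule that exempts a flow from translation: 'nat (if) 0
    access-list NAME' (through NAME's 'permit ip' ACEs) and statics whose
    mapped address equals the real address."""
    acls: dict = {}
    rules: list = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # pass 1: ACEs, so a nat 0 line can reference an ACL defined anywhere
    for line in lines:
        t = line.split()
        if t[0] == "access-list" and "permit" in t:
            p = t.index("permit")
            if t[p + 1] != "ip":          # nat 0 ACLs match on ip; ports are irrelevant
                continue
            src, n = _operand(t, p + 2)
            dst, _ = _operand(t, p + 2 + n)
            acls.setdefault(t[1], []).append((src, dst))
    # pass 2: nat 0 and identity static lines
    for line in lines:
        t = line.split()
        if t[0] == "nat" and len(t) > 4 and t[2] == "0" and t[3] == "access-list":
            iface = t[1].strip("()")
            for src, dst in acls.get(t[4], []):
                rules.append(ExemptRule(iface, line, src, dst))
        elif t[0] == "static" and len(t) > 3 and t[2] == t[3]:
            real_if = t[1].strip("()").split(",")[0]
            mask = t[t.index("netmask") + 1] if "netmask" in t else "255.255.255.255"
            net = ipaddress.ip_network(f"{t[3]}/{mask}", strict=False)
            # approximation: a static covers any peer reached via the mapped interface
            rules.append(ExemptRule(real_if, line, net, ANY))
    return rules


def find_double_exemptions(rules: list) -> list:
    """Pairs of rules on different interfaces that exempt the same flow seen
    from opposite sides (addresses swapped). One exemption per flow is all the
    PIX needs; the thread's fix was deleting the second one."""
    hits = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.interface != b.interface and a.src.overlaps(b.dst) and a.dst.overlaps(b.src):
                hits.append((a, b))
    return hits


def covering_rule(rules: list, iface: str, src_ip: str, dst_ip: str) -> Optional[ExemptRule]:
    """The exemption on `iface`, if any, that covers a packet from src_ip to dst_ip."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.interface == iface and s in r.src and d in r.dst:
            return r
    return None


if __name__ == "__main__":
    found = parse_exemptions(SAMPLE_CONFIG)
    for a, b in find_double_exemptions(found):
        print("same flow exempted twice:\n  " + a.origin + "\n  " + b.origin)
```

Run it against the sample and it reports the `nat (inside) 0` / `nat (DMZ) 0` pair; drop the DMZ lines (or replace the inside `nat 0` with the identity `static (inside,DMZ)` form acomiskey gives as the second option) and the report is empty while `covering_rule` still finds an exemption on the inside interface for the .43 to .155 flow.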

