Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
You may experience some slow load times, errors, and slight inconsistencies. We ask for your patience as we finalize the launch. Thank you.

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Routable network "behind" PIX

Hi guys,

Just wonder if you can give me an idea how to sort out a situation when I have 2 subsequent subnets of /29 bits each, one of them is "in front" of PIX515 (OS ver. 7.1) and the second is "behind". For some reason when I asked ISP to just specify external IP address of PIX as a gateway for second subnet on their router, I couldn't get things connected. However when I've asked to revert things back to what is was before (single /28 bits subnet behind ISP's router, in front of PIX) one of hosts behind PIX has suddenly started sending/receiving traffic through PIX. The other host with similar network settings (just next IP address, belonging to the same subnet as first device) still doesn't behave.

I know that PIX isn't a router, it doesn't work with IP headers, but I just need to know what exactly needs to be done on PIX/hosts/ISP's router to get subnet "behind" PIX routed through?

  • Firewalling
Hall of Fame Super Blue

Re: Routable network "behind" PIX


There is no reason why this shouldn't have worked. Presumably when the ISP added the route for the subnet behind the pix they and you updated the subnet mask on

1) The outside interface of your pix

2) The inside interface of the ISP router.

If the subnet masks weren't updated then this could cause it not to work.

The other option you have is to use private addressing on your internal machines and setup static NAT entries on the pix for these machines using some of the public addressiing from the /28 subnet.



New Member

Re: Routable network "behind" PIX


Well i am not sure i understand your question correctly, but for traffic going from a lower secrutity interface (outside) to a higher security interface (inside) it needs to either have a state or a access-list and a translation permitting the trafic.

one problem you can have if you added the access-list is that from the inside interface you added dynamic nat example:

nat (inside) 1 0 0

global (outside) 1 interface

what you do then is translating all your inside network ip?s to the outside interface adress.

If this is the case try create an access-list

where you deny inside to specific outside trafic in the nat statement example:

access-list no-nat permit ip X.x.x.x x.x.x.x y.y.y.y y.y.y.y

x= inside network

y= outside network

and then apply it on the nat statement:

nat (inside) 0 access-list no-nat

nat (inside) 1 0 0

global (outside) 1 interface

Hope i understood the question correctly and this help you let me know otherwise!