Cisco Support Community
New Member

DMZ network overlap issue

Dear all,

I have a PIX 515e with 3 interfaces (LAN, DMZ, Internet). The DMZ is on a network, which is now causing issues when packets that want to go out of our Internet interface need to talk to other addresses (this interface is not directly attached to the Internet, so are routable).

Is it possible to set up the PIX so that it doesn't try to route all traffic out of the DMZ int?

I have tried configuring static routes pointing to the on the internet int but this does not seem to work - any ideas?




Re: DMZ network overlap issue

Let me guess, you have the following command on your config:

static (inside,dmz) netmask

Is this true?

If yes, you're thinking wrong and have to re-config your PIX.

If no, you most likely have an overlapping NAT statement somewhere in your config.

It will help if you post your config and explain some more detail on what you try to achieve.

Kind Regards,


New Member

Re: DMZ network overlap issue


When you added the statics for the other networks did you use a netmask other than /8? If so, the PIX should have chosen the more specific route and forwarded traffic accordingly. If you used an 8-bit netmask on the static routes, the PIX will still forward traffic destined for the networks out of the connected interface.

Are all of your networks configured with an 8-bit netmask? If so, then it sounds like you may have discontiguous address space configured. Basically, because you're using an 8-bit netmask on your DMZ network, the PIX thinks that any IP address that has 10 as its first octet can be found on that connected interface. Is it possible to change the netmask on your DMZ network to something other than a /8 - like using a 16-bit or 24-bit netmask? That way, traffic destined for your DMZ network will get forwarded to that interface, and all other traffic should get forwarded out of your Internet interface by your default route.

Hope this helps!
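The longest-prefix-match behaviour described in the reply above, as an added illustration that is not part of the thread: a tiny routing-table lookup showing why a /8 on the connected DMZ swallows every 10.x destination, why a static route only helps when its mask is more specific than the connected /8, and what changes if the DMZ netmask is shrunk. All addresses and interface names are constructed for the example.

```python
import ipaddress


def lookup(routes, dst):
    """Longest-prefix match over a list of (prefix, interface) pairs.

    The most specific prefix containing dst wins; on equal prefix length the
    earlier entry wins, which here models the connected route beating a
    static route with the same /8 mask.
    """
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


# Constructed: DMZ configured as a whole /8, plus inside and a default route.
DMZ_SLASH8 = [
    ("10.0.0.0/8", "dmz"),
    ("192.168.1.0/24", "inside"),
    ("0.0.0.0/0", "outside"),
]

# A static route to the remote 10.20.x.x network with an 8-bit mask cannot
# beat the connected /8, so those packets still leave via the DMZ.
STATIC_SLASH8 = DMZ_SLASH8 + [("10.0.0.0/8", "outside")]

# A static route with a mask more specific than /8 does win.
STATIC_SLASH16 = DMZ_SLASH8 + [("10.20.0.0/16", "outside")]

# Alternative fix: give the DMZ a /24 so only real DMZ hosts match it and
# everything else falls through to the default route.
DMZ_SLASH24 = [
    ("10.1.1.0/24", "dmz"),
    ("192.168.1.0/24", "inside"),
    ("0.0.0.0/0", "outside"),
]


def egress_table(routes, destinations):
    """Map each destination to the interface the table would send it out of."""
    return {dst: lookup(routes, dst) for dst in destinations}
```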


New Member

Re: DMZ network overlap issue

Rich (and all),

Thanks for all the info.

Instead of altering the netmask of the DMZ network, I have configured a couple of static routes that point to the outside networks.

We have also had to re-hash the translation exemption rules, as they were originally configured to allow private LAN addresses straight through to the DMZ without going through the NAT process. This seemed to cause issues when inside addresses wanted to go out, via NAT, to the outside world i.e. they had a statement that said No NAT to DMZ, as well as one that said NAT to outside world.

Anyway, seems to work now.


