Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Need more help with firewall issue :(

Ok I think it's how I have the network setup but I am not sure how to get around this problem.

we have two machines and 61 is the proxy and can get out to the internet

we want all web traffic to go through this for reporting purposes.

the proxy has a router setting as which is the pix.

the web server - (also our exchagne server) has a router settig as - so the wan users can access it but can't get to the internet unless it uses the proxy.

i did the debug and I can see the inbound - outside ->> but i don't see the outbound traffic.

if i ping the proxy's outside address it works.

why isn't this setup working? if the original request looks like it came from the pix which is on the same subnet , shouldn't it return the reply to the pix and the pix knows what to do with it?

please put me straight :)



  • Other Security Subjects
New Member

Re: Need more help with firewall issue :(


1) Does the pix has an access-list to permit to go to the internet?

2) The pix doesn't act as a router. A packet cannot be redirect on the same interface it came from. The packet will be simply dropped by the PIX.

Hope this help


New Member

Re: Need more help with firewall issue :(

yes but i found out the problem is on the web server - since there isn't a route for internet traffic it drops it. I asked about adding a route but they (the powers to be) may not want to do that.

i have 6 interfaces installed on this pix system. i have two nics in my web. can i configure one of the interfaces to work in this situation?

New Member

Re: Need more help with firewall issue :(

I don't understand why your lan/wan manager may not want to make a route to your PIX. What's there point ? This is an efficient solution.

I'd prefer add a route than trying to fool with a second IP address on a server.

Install 2 nic's (1 inside and 1 in DMZ) is not a best practice in security. Why can't you install your WEB server in a DMZ. This is the place where it belongs. Use a switch to plug your server to your pix. If you don't have one I'm not sure but you may have to use a cross-over cable.

But to answer your question, yes it can be done.


This widget could not be displayed.