There are several items that could give you this type of behaviour on the PIX firewall, however, all of them are just misconfigurations of your PIX.
Most likely one with this kind of message is that you have a static command in place which overlaps whit your address space on the dmz interface, or that you have nat and global commands in place which overlap each other.
If you can post your config (remember to remove passwords and outside IP adresses) I can have a look for you, if you like.
I had exactly the same problem once due to an overlap in static, nat and global commands.
This means you're telling your PIX that all networks within 192.0.0.0/16 resides on the inside interface and that the PIX should proxy-ARP for all these addresses, so also on the address 192.168.161.2 and 192.168.161.3, while in your config it is easy to determine that this is not the case, since the subnet 192.168.161.0/24 resides on your DMZ interface.
It's obvious that you also have subnets within 192.168.x.x on your inside network, but in this case you would have to change the config a little bit to get it work.
Here's the changes on config what should solve your problem:
(repeat this line for every class C network which really resides on the inside network)
(you could also use other subnetmasks to get less lines on your config, but you have to prevent that the network 192.168.161.0/24 falls within this static statements). You have to get ride of this overlap, cause that is what is causin' your troubles.
When all required statics are in place, then remove the static command which is in place right now with the command:
no static (inside,DMZ-slot:3) 192.0.0.0 192.0.0.0 netmask 255.0.0.0 0 0
Then do a clear xlate, and you should be up and running again.
Hope this helps. If things are not clear yet, do not hesitate asking.
Well that certainly explains the problems I was seeing, for instance two of the hosts on the DMZ would randomly loose IP connectivity which seemed crazy because they were on the same subnet therefore wouldn't need to use the DG to 'see' each other.
I made the suggested changes on the PIX and did a clear x but was still having some problems but I'm pretty sure they are just more config issues, I also wanted to re-boot the two servers but I couldn't get into that part of the lab :(
So I need to remove any static that references the dmz subnet (192.168.161.0).
OK then here's another question then!
In order for the hosts on the DMZ to access the internet (which is via a different PIX) I will need to add a static for every external network then?
I have another look Monday.
Thanks for the very thorough explaination.
I did the PIX course a while back but as it was all new I could never see this type of scenario arising, if I could re-do the course I'd have a load more questions ;)
Glad I could help with the first item. You second question is a bit more difficult to explain, if I understand you correctly, then your Internet connection resides on the inside of your network (if we look at this from the dmz). Is this correct?
Anyway, normally for systems to enable them to initiate sessions you will need nat and global statements. Till version 6.2 this was only possible from a high level security interface to a low level security interface, from version 6.3 this is also possible from low level security interface to high level security interface, so, if you´re on 6.3 (or higher *duh :-S*) there´s no need for adding static´s for all networks, just put in a nat and global statement, and prevent you internel traffic from being translated with binding a nat 0 with appropiate access-list to the dmz interface.
If the other PIX which delivers the Interetfeed resides on the outside of the PIX we are talking about then you do not need 6.3, cause earlier version allready support this :-)
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...