Cisco Support Community
Community Member

PIX Architecture & overlapping networks


I have a problem with NAT on a PIX firewall. It is a problem with overlapping IP networks on the inside and outside network.

To solve that problem I found out that the IOS router is able to do exactly the same thing as I want it to do.

I would like to solve the overlapping network problem on one NAT device.

I think the problem must be somewhere in the architecture by which packets are forwarded by the PIX.

I always get a "no route to destination" on the PIX, whereas on the IOS router it works!

Is there a difference in processing packets? I think on the PIX, NAT is before routing, and on the IOS router NAT is the very last step before queueing the packet on the outbound interface. Is that correct? (Maybe the outbound ACL is behind NAT?!)

What I am really looking for is a document on the CCO where the processing architecture for the PIX firewall is shown.

I found out there is something like that for IOS Routers but I was not able to find it for PIX!

Thanks a lot



Re: PIX Architecture & overlapping networks


My understanding is that when the PIX says 'no route to destination', it may be due to the missing 'route' commands. In PIX, you can configure two route statements, one for inside and one for outside. Basically these will be used as default routes for sending packets. PIX is not designed for routing packets and hence will not be intelligent enough to route packets without the 'route' commands.

Inside-to-outside translation occurs after routing and outside-to-inside translation occurs before routing.

Here is the page that shows NAT order of operation in a router:

Community Member

Re: PIX Architecture & overlapping networks


Thanks for the reply.

I think I forgot to say that I have two routes:

One is the default route that points to the internet.

The second is the route that points to the internal network. (That is the problem!) I have an overlapping network.

For example: a packet from inside comes with source IP address and destination IP address

Now I am doing a destination NAT with the alias command: is destination

Now I have a packet with source and destination

I would like that packet to be forwarded to the outside interface. But that is not possible because the PIX knows that route on the inside interface.

The PIX does not forward that packet. The router does.

What I wanted to know is: what is the difference in the architectures between router and PIX when forwarding packets?

Can I solve that problem with PIX version 6.3?

Thanks Markus
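To make the two orderings discussed in this thread concrete, here is an added Python model (not code from Cisco or from either poster) of the hypothesis under discussion: on the PIX, the alias (destination NAT) is applied before the route lookup, while for an IOS inside-to-outside flow the route lookup happens first and translation last. The addresses are constructed for the example, since the original post elides its real ones: the local LAN and the remote partner site both use 10.1.1.0/24, and the remote host 10.1.1.50 is reached through the alias 192.168.100.50. The route table, the DNAT map and the "drop when egress equals ingress" rule are all assumptions of this model, not a description of PIX internals.

```python
import ipaddress

# Constructed routing table: a connected/static route for the local LAN on the
# inside interface and a default route pointing at the internet (outside).
ROUTES = [
    (ipaddress.ip_network("10.1.1.0/24"), "inside"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]

# Constructed destination-NAT map standing in for what the alias command
# installs: alias address seen by inside hosts -> real (overlapping) address.
DNAT = {"192.168.100.50": "10.1.1.50"}


def lookup_route(dst: str) -> str:
    """Longest-prefix match of dst against ROUTES; returns the egress interface."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


def translate(dst: str) -> str:
    """Apply destination NAT if an alias entry matches, otherwise leave dst alone."""
    return DNAT.get(dst, dst)


def forward_nat_then_route(src: str, dst: str, ingress: str = "inside"):
    """Model of the poster's PIX hypothesis: translate first, then route.

    Returns (verdict, translated_dst, egress). The packet is dropped when the
    translated destination routes back out the interface it arrived on
    (assumed behaviour for this model, matching the 'no route' symptom).
    """
    new_dst = translate(dst)
    egress = lookup_route(new_dst)
    if egress == ingress:
        return ("dropped", new_dst, egress)
    return ("forwarded", new_dst, egress)


def forward_route_then_nat(src: str, dst: str, ingress: str = "inside"):
    """Model of the IOS inside-to-outside order from the reply: route on the
    original destination first, translate afterwards."""
    egress = lookup_route(dst)
    new_dst = translate(dst)
    if egress == ingress:
        return ("dropped", new_dst, egress)
    return ("forwarded", new_dst, egress)


if __name__ == "__main__":
    # Inside host 10.1.1.20 talks to the remote overlapping host via its alias.
    print("NAT then route:", forward_nat_then_route("10.1.1.20", "192.168.100.50"))
    print("route then NAT:", forward_route_then_nat("10.1.1.20", "192.168.100.50"))
    # A non-overlapping internet destination behaves the same under both orders.
    print("NAT then route:", forward_nat_then_route("10.1.1.20", "203.0.113.9"))
    print("route then NAT:", forward_route_then_nat("10.1.1.20", "203.0.113.9"))
```

In the NAT-then-route order, the alias rewrites the destination to 10.1.1.50 before the lookup, the lookup matches the inside route, and the packet would have to leave through the interface it came in on; in the route-then-NAT order, the lookup runs on 192.168.100.50, hits the default route to outside, and the translation to 10.1.1.50 only happens on the way out. The model reproduces the symptom the poster reports but says nothing about whether the real PIX applies exactly this order; that is the question left open in the thread.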
