The PIX Firewall version 6.x does not allow one-armed routing. This means that the packet is not allowed to go back to the same interface, which it hits. This is in compliance with the basic adaptive security algorithm of the PIX Firewall.
Refer to the Can I operate the PIX in a one-armed configuration? section of Cisco Secure PIX Firewall Frequently Asked Questions for more information on one-armed routing.
The workaround for this issue is to connect a router behind the PIX Firewall or a Layer 3 switch for which there needs to be two logical interfaces configured with interVLAN routing enabled.
Refer to Configuring InterVLAN Routing with Catalyst 3750/3560/3550 Series Switches for more information on this configuration.
It is possible to start PIX version 7.x one-armed routing, which means that packets can enter and exist the same interface. Enter the same-security-traffic permit intra-interface command in order to enable this feature.
Refer to PIX/ASA 7.x:Intra-Interface Communications for more information.
Compatibility or Support
Firewall - PIX 500 series