
PIX inside to outside subnet problem

I am having a problem setting up the inside-to-outside connection on a PIX-515 with 3 interfaces - inside, outside, and DMZ.  We are using a test network prior to implementation.

I am using 192.168.200 to describe the problem rather than the actual Class C IP assigned.  Our assigned public IP subnet is with 62 host IPs.  The ISP router is assigned .66.  I assigned .65 to the PIX outside interface.  I set up a static outside route gateway

Our publicly accessible servers in the DMZ off the firewall use a private IP net (  I set the 6 current DMZ servers to static NAT to 6 of the public IPs assigned at the firewall ( - .87), and I provided access rules to allow desired services (SSH, HTTP, etc.)  This interface appears to be working ok.

I am not allowed to set up the inside interface as a private IP net and NAT (long story), so I set up the network on the PIX Inside interface as subnet which has an allowable host IP range of 97-126.  I assigned the PIX inside port as .97.

I was under the assumption the PIX would allow traffic to flow from a higher (inside) interface to a lower (Outside) interface as long as there were access rules or translation rules in place.

When I look at the translation rules, there is already a default to use the same original address for inside to outside interface.  This seemed ok since the inside subnet is a further division of the assigned public Class C subnet.

However, from an inside workstation, I cannot access any system on the outside interface (same test systems I can access from the DMZ using NAT), even when I establish a specific access rule for the service I desire (e.g., SSH).  Help.
1 Solution
>>>There is already a default to use the same original address for inside to outside interface

what exactly is this default NAT you are referring to in commands?

With the masks that you propose, your subnets overlap.
You would have to change the outside interface to the same mask with 30 hosts:
 ip address outside
 ip address inside
 route outside

Now you still need NAT inside to outside, so add this (same same inside,outside):
 static (inside,outside) netmask

What version PIX OS do you have? Ver 6.3 or 7.0?
Version 7.0 has a feature to bypass NAT without that static command, but I believe it is global and would break your current static NATs for the servers in the DMZ.

Version 6.x requires the static
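The overlap the answer points out can be checked offline before touching the PIX. The following script is an added example and is not from the thread; the addresses in it are assumed stand-ins reconstructed from the prose (the thread substitutes 192.168.200.x for the real public /24 and the exact values did not survive extraction): a 62-host outside block (.64/26) with the ISP router at .66 and the PIX outside interface at .65, DMZ statics using public IPs ending at .87, and an inside subnet whose hosts are .97-.126 (.96/27). With those masks the inside /27 sits entirely inside the outside /26, so the PIX has two connected routes covering the inside hosts and cannot route consistently. The script confirms the overlap, then shrinks the outside mask one bit at a time until it is disjoint from inside while still containing the router, the outside interface and the addresses used by the DMZ statics, which reproduces the /27 the answer recommends.

```python
"""Verify the PIX interface addressing from the thread for overlap.

All addresses are constructed stand-ins assumed from the thread's prose;
they are not the poster's real configuration.
"""
import ipaddress

# Constructed, assumed addressing (see the lead-in).
OUTSIDE_AS_POSTED = ipaddress.ip_network("192.168.200.64/26")  # 62 hosts, .65-.126
INSIDE = ipaddress.ip_network("192.168.200.96/27")             # 30 hosts, .97-.126
OUTSIDE_PROPOSED = ipaddress.ip_network("192.168.200.64/27")   # 30 hosts, .65-.94

ISP_ROUTER = ipaddress.ip_address("192.168.200.66")
PIX_OUTSIDE = ipaddress.ip_address("192.168.200.65")
PIX_INSIDE = ipaddress.ip_address("192.168.200.97")
DMZ_STATIC_LAST = ipaddress.ip_address("192.168.200.87")  # highest public IP used by a DMZ static

# Everything the PIX must reach or answer for on the outside wire.
OUTSIDE_REQUIRED = [ISP_ROUTER, PIX_OUTSIDE, DMZ_STATIC_LAST]


def subnets_overlap(a, b):
    """True if at least one address is covered by both networks."""
    return a.overlaps(b)


def outside_mask_checks(outside, inside, required):
    """Checks to run before accepting an outside interface mask.

    All must hold: outside and inside are disjoint (otherwise two connected
    routes cover the same hosts), and every required outside address still
    falls within the outside subnet.
    """
    return {
        "disjoint_from_inside": not outside.overlaps(inside),
        "required_addresses_in_outside": all(addr in outside for addr in required),
    }


def narrowest_disjoint_outside(outside, inside, required):
    """Shrink `outside` one prefix bit at a time until a sub-block is disjoint
    from `inside` and still contains every address in `required`.

    Returns that network, or None if no such block exists.
    """
    for prefix in range(outside.prefixlen, 31):
        candidates = [outside] if prefix == outside.prefixlen else outside.subnets(new_prefix=prefix)
        for cand in candidates:
            if not cand.overlaps(inside) and all(addr in cand for addr in required):
                return cand
    return None


if __name__ == "__main__":
    print("posted masks overlap:", subnets_overlap(OUTSIDE_AS_POSTED, INSIDE))
    fixed = narrowest_disjoint_outside(OUTSIDE_AS_POSTED, INSIDE, OUTSIDE_REQUIRED)
    print("narrowest usable outside subnet:", fixed)
    print("checks on it:", outside_mask_checks(fixed, INSIDE, OUTSIDE_REQUIRED))
    print("inside interface still outside that block:", PIX_INSIDE not in fixed)
```

Fixing the mask only removes the routing ambiguity; as the answer says, the PIX still needs the identity static (inside,outside) for the inside block before inside hosts can reach the outside.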
taccomp (Author) commented:
Since I submitted this question, I went back and changed the outside interface to "" (searching for a solution), but it did not work either.  [I replaced actual Class C address with 192.168.200 in this reply]

Show config from CLI:
     access-list inside_access_in permit ip any any
     ip address outside
     ip address inside
     ip address dmz
     nat (inside) 0 0 0
     [all statics following this pertain to dmz,outside NAT]
     route outside 1

From PDM, the window shows:
    Interface inside
    IP address:   Mask:
   Translate address to:
    X  Dynamic    Address pool:  "same address"
                Pool ID
                N/A       No address pool defined

Thanks for the quick response.  I'm getting short on my implementation date and really appreciate any help.

>    nat (inside) 0 0 0
The nat zero command was not exactly designed to do what you want to do. Suggest the static command:

no nat (inside) 0 0 0
clear xlate
static (inside,outside) netmask
