PIX inside to outside subnet problem

Posted on 2006-04-24
Last Modified: 2010-04-09
I am having a problem setting up the inside-to-outside connection on a PIX-515 with 3 interfaces - inside, outside, and DMZ.  We are using a test network prior to implementation.

I am using 192.168.200 to describe the problem rather than the actual Class C IP assigned.  Our assigned public IP subnet is with 62 host IPs.  The ISP router is assigned .66.  I assigned .65 to the PIX outside interface.  I set up a static outside route gateway

Our publicly accessible servers in the DMZ off the firewall use a private IP net (  I set the 6 current DMZ servers to static NAT to 6 of the public IPs assigned at the firewall ( - .87), and I provided access rules to allow desired services (SSH, HTTP, etc.)  This interface appears to be working ok.

I am not allowed to set up the inside interface as a private IP net and NAT (long story), so I set up the network on the PIX Inside interface as subnet which has an allowable host IP range of 97-126.  I assigned the PIX inside port as .97.

I was under the assumption the PIX would allow traffic to flow from a higher (inside) interface to a lower (Outside) interface as long as there were access rules or translation rules in place.

When I look at the translation rules, there is already a default to use the same original address for inside to outside interface.  This seemed ok since the inside subnet is a further division of the assigned public Class C subnet.

However, from an inside workstation, I cannot access any system on the outside interface (same test systems I can access from the DMZ using NAT), even when I establish a specific access rule for the service I desire (e.g., SSH).  Help.
Question by:taccomp
    LVL 9

    Expert Comment

    >>>There is already a default to use the same original address for inside to outside interface

    what exactly is this default NAT you are referring to in commands?

    LVL 79

    Accepted Solution

    With the masks that you propose, your subnets overlap.
    You would have to change the outside interface to the same mask with 30 hosts:
     ip address outside
     ip address inside
     route outside

    Now you still need NAT inside to outside, so add this (same same inside,outside):
     static (inside,outside) netmask

    What version PIX OS do you have? Ver 6.3 or 7.0?
    Version 7.0 has a feature to bypass NAT without that static command, but I believe it is global and would break your current static NATs for the servers in the DMZ.

    Version 6.x requires the static
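    The overlap the accepted solution describes can be checked before a change goes on the box. The following is an added example, not code from the thread or from Cisco; the real Class C and the exact masks were removed from the post, so the prefix lengths below are assumptions chosen to match the host counts given above (62 hosts on the outside /26, inside host range .97-.126, DMZ statics at .82-.87). The DMZ private net is also a constructed value.

```python
import ipaddress

# Constructed example addresses (the post replaced its real Class C with
# 192.168.200 and lost the masks; these prefix lengths are assumptions).
BEFORE = {
    "outside": "192.168.200.65/26",  # 62 usable hosts: .65-.126
    "inside": "192.168.200.97/27",   # hosts .97-.126, a sub-range of the /26 above
    "dmz": "10.10.10.1/24",          # private DMZ net, assumed value
}
# The accepted solution: shrink the outside interface to a 30-host mask.
AFTER = {
    "outside": "192.168.200.65/27",  # 30 usable hosts: .65-.94
    "inside": "192.168.200.97/27",   # .96/27 no longer overlaps .64/27
    "dmz": "10.10.10.1/24",
}
# DMZ servers are static-NATed to public addresses .82-.87 (from the thread).
STATIC_NAT_TARGETS = [f"192.168.200.{i}" for i in range(82, 88)]


def overlapping_interfaces(ifaces):
    """Return sorted (name_a, name_b) pairs whose connected subnets overlap.

    Two interfaces sharing address space is the condition the PIX cannot
    route sanely; a non-empty result means the masks need to change.
    """
    nets = {name: ipaddress.ip_interface(addr).network for name, addr in ifaces.items()}
    names = sorted(nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


def nat_targets_outside_subnet(ifaces, targets):
    """Return static NAT global addresses that fall outside the outside subnet.

    After narrowing the outside mask, every DMZ static must still land in
    the (now smaller) outside network, or the ISP router will not ARP for it.
    """
    outside = ipaddress.ip_interface(ifaces["outside"]).network
    return [t for t in targets if ipaddress.ip_address(t) not in outside]


def check(ifaces, targets):
    """Run both checks and return a dict of findings (empty lists mean clean)."""
    return {
        "overlaps": overlapping_interfaces(ifaces),
        "nat_outside_subnet": nat_targets_outside_subnet(ifaces, targets),
    }


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, check(cfg, STATIC_NAT_TARGETS))
```

    With these assumed values the "before" configuration reports inside/outside overlapping and the "after" configuration reports nothing, while the .82-.87 statics stay inside the narrowed /27 in both cases.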

    Author Comment

    Since I submitted this question, I went back and changed the outside interface to "" (searching for a solution), but it did not work either.  [I replaced actual Class C address with 192.168.200 in this reply]

    Show config from CLI:
         access-list inside_access_in permit ip any any
         ip address outside
         ip address inside
         ip address dmz
         nat (inside) 0 0 0
         [all following statics following this pertain to dmz,outside nat]
         route outside 1

    From PDM, the window shows:
        Interface inside
        IP address:   Mask:
       Translate address to:
        X  Dynamic    Address pool:  "same address"
                    Pool ID
                    N/A       No address pool defined

    Thanks for the quick response.  I'm getting short on my implementation date and really appreciate any help.

    LVL 79

    Expert Comment

    >    nat (inside) 0 0 0
    The nat zero command was not exactly designed to do what you want to do. Suggest the static command:

    no nat (inside) 0 0 0
    clear xlate
    static (inside,outside) netmask

