• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 685
  • Last Modified:


I'm having an issue where I can sit on the PIX and ping everything on the internal network. I can ping everything I've allowed on the external network as well. However, I can't get traffic across the NAT to ping. Here's the config:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname another-fw1
access-list outside_access_in permit ip host NAMED-SOMETHING any
access-list outside_access_in permit icmp object-group icmp-sources any
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) netmask 0 0
access-group outside_access_in in interface outside
route outside 1
route inside

Lame Layout Example

Without route to internal router
outside 1 OTHER static (What I added)
outside 1 CONNECT static (Shows by default since it's the interface)
inside 1 CONNECT static (Shows by default since it's the interface)

When I ping I get:
No route to from "Where I'm at" on the PIX debug log...

When I add the 172.16.x.x route
outside 1 OTHER static
outside 1 CONNECT static
inside 1 OTHER static
inside 1 CONNECT static

When I ping now... I don't get the "No Route" but I don't get replies either.

Reminder, I can ping everything on the internal and external network from the PIX. However, Outisde in and Inside out doesn't work even though it's allowed...

If I changed the NAT'd devices gateway to the PIX, then it works fine. BTW: The gateway isn't mine and I'm sure there isn't any type of route pointing back to me. I'm typically coming in from an external IP and I guess that my traffic is getting pushed out another direction once it hits their network.

So, would Source NAT work? Never used it.. So, I have no idea.
  • 3
1 Solution
Ilir MitrushiIT Infrastructure and Security ArchitectCommented:
remove the defaut route from inside, you need only one default route pointing to the next hop through outside interface. If you have subnets not directly connected on the inside add static routes to these subnets on the inside interface. enable nat control so all traffic going through the router will be natted so the third party router will see only traffic coming from the pix outside interface.
mikefunkAuthor Commented:
Sorry, that's not the right answer...   I pointed out that removing the default internal route causes all ping/other requests to generate the "No route to.." error.
Ilir MitrushiIT Infrastructure and Security ArchitectCommented:
I didn't say  only remove the default route to inside I suggested to replace it with more specific static routes to subnets which are not directly connected to inside. Also I suggested that because you can't add missing routes to the third party router, bringing back traffic to your subnets, may be you could try and nat all traffic leaving the inside interface. May be I am wrong, it is just a suggestion.
Ilir MitrushiIT Infrastructure and Security ArchitectCommented:
I tried this and it works if you want to translate outside traffic to inside interface ip address. this example is from my lab, I am sure you can adapt it to your topology.

access-list outside_inside_icmp extended permit icmp
access-list outside_inside_nat extended permit ip

global (inside) 10 interface
global (outside) 1 interface
nat (inside) 1
nat (outside) 10 access-list outside_inside_nat outside
static (inside,outside) netmask

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now