Re: [fw-wiz] Question about a Cisco PIX 515 - Routing question (I think)

Hi Charles

This is because the external IP doesn't exist at all. The PIX accepts the
packet from the Internet, changes the addressing to map the
internal->external NAT and sends it on in. A return packet is handled in

When you try that on the inside of the network, the packet is handled by the
default route and sent onto the outside interface. At that point, the packet
disappears into the bit-bucket because the PIX does not turn the packet
around and send it back inside. In fact, I'm not even sure that the NAT
rules come into play in this scenario; AFAIK, the rules apply to traffic
inbound to an interface after the access-lists apply. PIX 7 is supposed to
be able to hairpin an interface, but I've never configured this and cannot
supply any further information on this feature.

It may (unless your programs are too complex) be easier to get the servers
to talk to each other on the internal 10.x IP addresses instead.

If I've made any glaring mistakes, please feel free to reeducate me :_)


Bruce Smith
Firewall Administrator
Nelson Mandela Metropolitan University
South Africa
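Bruce's description of the packet flow, modelled as an added Python example (not from the thread and not Cisco code): a static's mapped address is untranslated only when the packet arrives on the mapped interface, while a packet from inside to the public address follows the default route and is dropped. The `intra_interface` flag and the (inside,inside) static are assumed to be the shape of the PIX 7 hairpin Bruce mentions, and the addresses are constructed, since the thread elides the real ones.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of the PIX forwarding decision described in the thread.
# Addresses are RFC 5737 documentation ranges chosen for the example.


@dataclass
class Pix:
    routes: list                    # [(prefix, egress_if)], longest prefix wins
    statics: dict                   # {(real_if, mapped_if): {mapped_ip: real_ip}}
    intra_interface: bool = False   # assumed: 'same-security-traffic permit intra-interface'

    def route(self, dst):
        hits = [r for r in self.routes if ip_address(dst) in ip_network(r[0])]
        return max(hits, key=lambda r: ip_network(r[0]).prefixlen)[1]

    def forward(self, ingress, dst):
        """Return ('deliver', real_dst, egress_if) or ('drop', reason, None)."""
        # 1. A static whose mapped side is the ingress interface untranslates the
        #    destination and fixes the egress interface (the inbound case).
        for (real_if, mapped_if), table in self.statics.items():
            if mapped_if == ingress and dst in table:
                if real_if == ingress and not self.intra_interface:
                    return ("drop", "hairpin needs intra-interface permit", None)
                return ("deliver", table[dst], real_if)
        # 2. Otherwise the routing table decides; inside hosts hit the default route.
        egress = self.route(dst)
        # 3. The global address is the PIX's own NAT address on the egress side;
        #    nothing out there answers for it and the PIX does not turn it around.
        owned = {ip for (_, m), t in self.statics.items() if m == egress for ip in t}
        if dst in owned:
            return ("drop", f"{dst} is a NAT address on {egress}; not turned around", None)
        return ("deliver", dst, egress)


# Charles' setup: one static mapping a server, default route out (constructed).
ROUTES = [("0.0.0.0/0", "outside"), ("10.0.0.0/24", "inside")]
STATIC_OUT = {("inside", "outside"): {"203.0.113.10": "10.0.0.10"}}

def without_hairpin():
    pix = Pix(ROUTES, dict(STATIC_OUT))
    return pix.forward("outside", "203.0.113.10"), pix.forward("inside", "203.0.113.10")

def with_hairpin():
    # Assumed PIX 7 hairpin shape: intra-interface permit plus an (inside,inside) static.
    statics = dict(STATIC_OUT)
    statics[("inside", "inside")] = {"203.0.113.10": "10.0.0.10"}
    return Pix(ROUTES, statics, intra_interface=True).forward("inside", "203.0.113.10")

if __name__ == "__main__":
    print(without_hairpin())
    print(with_hairpin())
```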


From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Charles
Sent: Tuesday, June 06, 2006 3:54 PM
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] Question about a Cisco PIX 515 - Routing question (I

Hello everyone, I apologize if this is a question that has been answered
previously (this is my first time joining the list, and posting to it as
well) - I looked through some of the archives and couldn't find anything
that addressed it (or maybe it's likely that I don't know how to properly
describe the issue).

I have a Cisco PIX 515 UR, with PIX 7.04 OS and ASDM 5.04 (the newest of
both). - I had my friend help me set up the box at his datacenter and for the
most part it's been working, except I realized recently once we moved all the
servers behind it (they're all Virtual Machines running on a single box -
which should be irrelevant I suppose) the machines were then unable to
communicate with each other using their public IP #'s.

Where this became obvious is that, I have 2 SMTP servers, one Exchange
server and another is part of Plesk Hosting panel - when users on one system
email users on another - they're using the domain name, which
can't be resolved because those servers can't communicate on the public
equivalents of what has been NAT'd to the private network which resides on

A good way to describe it is - if I go on a machine, it has IP of
(internal) which is NAT'd to an external IP of (outside) -
coming from the general Internet, if I hit that IP #, I would get a ping
back, as well as a connection to the web server on there. - If I try to do
the same FROM that machine, or from any other machine on the PIX, it can't
find the route to connect.

Does this make sense?

Can anyone maybe offer any advice or guidance in the matter?

If anyone might be able to lend some assistance I would be most grateful.

Thank you,

