Re: [fw-wiz] Static nat to a distant network?

I might be missing the point of the question (wouldn't be the first
time). I'm not all that familiar with the intricacies of PIX, but I
suppose you *could*. The question is, though, how will the router
between your PIX and the "one-hop-away" network know to route traffic
back to your PIX for Seems to me that if the distant network
is defined as, then that IP address ( is assumed
to be on the "distant" network and your router won't route traffic
headed to off its "own" network over to the PIX. When an ARP
request is generated your PIX won't ever see it to respond, since the
ARP will stay on the "distant" network.

On the other hand, I could be way off...


-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of
Sent: Monday, October 02, 2006 1:31 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Static nat to a distant network?


This is on my Cisco PIX 6.x

Is it possible to do a static nat from my outside interface to a host
which is one hop away from my dmz interface by just putting it in

static (dmz,outside)

outside =
dmz =
distant network

Thank you.

firewall-wizards mailing list
