I might be missing the point of the question (wouldn't be the first
time). I'm not all that familiar with the intricacies of PIX, but I
suppose you *could*. The question is, though, how will the router
between your PIX and the "one-hop-away" network know to route traffic
back to your PIX for Seems to me that if the distant network
is defined as, then that IP address ( is assumed
to be on the "distant" network and your router won't route traffic
headed to off its "own" network over to the PIX. When an ARP
request is generated your PIX won't ever see it to respond, since the
ARP will stay on the "distant" network.

On the other hand, I could be way off...


This is on my Cisco PIX 6.x

Is it possible to do a static nat from my outside interface to a host
which is one hop away from my dmz interface by just putting it in

static (dmz,outside)

outside =
dmz =
distant network

Thank you.

