The ip from the three pix are the following :

- X.X.X.5 netmask 255.255.255.0

- x.x.x.9 netmask 255.255.255.248

- x.x.x.62 netmask 255.255.255.192

The ip of the router is x.x.x.33 netmask 255.255.255.128

The ip of the DNS server is the x.x.x.46 netmask 255.255.255.0 and I have config the pix with the netmask 192 to send the traffic of the ip 46 the a host in the internal network. I have configured the internal host to use the pix as gateway, but for any reason, the traffic is being received from a different route.

Any idea or suggestion, please.

With regards to the ip addresses and netmasks of the pix and router devices - are those addresses on the outside interfaces (towards your external net service provider)? Or are they the inside addresses on your internal network?

Where does the router fit in in the topology?

From what I have seen so far, you have two choices:

1. Re-address the dns server so that it has an inteface that outside of your network, the requests only get routed to one of the pix units.

2. Use pix 6.3 code on all of your pix units and do outside dynamic nat/global whereby you nat the outside requestor address to a different value on each pix unit, and then make adjustments on your internal routing so that the reply goes back to the proper pix before it gets sent to the true requestor.

Which method you use is dependant upon how your topology is set - namely do all three pix units connect to the same service provider (or same set of routers) for external connectivity, or do they all connect to different networks (similar as a point-to-point frame-relay network).

If you can, please post your topology and indicate how the pix units relate to your internal and external connectivity, as this would clarify how to best solve this problem.

All the ip listed before are external ip addresses. I have a router with a frame relay connected to a switch with two different vlans (one for internal and one for external) and I have different routers that use the frame relay as gateway.

That is why I don't know exactly if there is any problem using three different pix in the outside network. Before I had got a DNS server direcly using an external ip address, but now if I put it in the internal networks and configure a pix to route its traffic, the traffic is being received from a different route. I think that because the pix creates well the xlate. So I on't know if I have to remove any routes created in the routers or in the switch.

I know that I can solve this with an static route in the router, but is not the best solution, because my routers in the external network can't see the DNS server in the internal one.

Any ideas, please.

Please post the route statments that are configured on the router as well as each pix. It sounds to me that only some of your external traffic will flow thru the router and some will not, but I can't be sure until I see the route statments. Also, if the switch is a layer 3 switch, then post its route statements as well.

I have solved it by removing the arp table in the router and ip route table.

So I think that it saved the arp address of the external host and when I put in behind the firewall it continues sending it to the same arp address, which is not in the external net.

So finally I have been able to solve it. My switch is a 2950 XL series, I will check if it is a layer 3 switch to have it present in the future.

Thank you very much for your help..