Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
409
Views
0
Helpful
2
Replies

PIX Architecture & overlapping networks

m.rainer
Level 1
Level 1

‎05-06-2003 03:02 AM - edited ‎02-20-2020 10:43 PM

Hi,

I have a problem with NAT on a PIX firewall. It is a problem with overlapping IP networks on the inside and outiside network.

To solve that problem I found out, that the IOS router is able to do excactly the same thing as I want it to do.

I would like to solve the overlapping network problem on one NAT device.

I think the problem must be somewhere in the architecture packets are forewared by the PIX.

I always get a "no route to destination" on the pix whereas on the IOS router it works!

Is there a difference in processing packets? Think on PIX NAT is before routing and on the IOS Router NAT is the very last before queueing the packet on the outbound interface. Is that correct? (maybe the outbound ACL is behind NAT?!)

What I am really looking for is a document on the CCO where the processing architecture for the PIX firewall is shown.

I found out there is something like that for IOS Routers but I was not able to find it for PIX!

Thanks a lot

Markus

0 Helpful
2 Replies 2

aghaznavi
Level 5
Level 5

‎05-12-2003 07:07 AM

Hi,

My understanding is that when the PIX says 'no route to destination', it may be due to the missing 'route' commands. In PIX, you can configure two route statements one for inside and one for outside. Basically these will be used as default routes for sending packets. PIX is not designed for routing packets and hence will not be intillligence enough to route packets without the 'route' commands.

Inside-to-outside translation occurs after routing and outside-to-inside translation occurs before routing.

Here is the page that shows NAT order of operation in a router:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml

0 Helpful

m.rainer
Level 1
Level 1
In response to aghaznavi

‎05-21-2003 06:19 AM

Hi,

Thanks for reply.

I think I forgot to say that I have two routes:

One is the default route that points to the internet.

The second is the route that points to the internal network. (that is the problem!) I have an overlapping network

Per example: Packet from inside comes with source ip address 2.2.2.2 and destination ip address 10.2.2.2.

Now I am doing a destination nat with alias command: 10.2.2.2 is destination 2.2.2.2

Now I have a packet source 2.2.2.2 and destination 2.2.2.2

I would like that packet being forwarded to outside interface. But that is not possible because of pix knowing that route on inside interface.

PIX does not forward that packet. Router does.

What I wanted to know. What is the difference in the architectures between router and pix forwarding packets.

Can I solve that problem with pix version 6.3???

Thanks Markus

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card