Two routes outside

pschneider
Level 1

I have two routes outside on pix501. Don't know how the second one got into the config, but it won't let me delete it. It says "directly connected route cannot be deleted". It is not directly connected so I am at a loss. I am new to PIX; had a sonicwall.

10 Replies

michelcaissie
Level 1

It's normal, you have a route for your outside subnet with the outside IP as the gateway, and a default route to your default gateway. You don't have to remove anything.

Ok, but the second route is not the default route to our gateway. It's our email server and not part of the default route. It was put in the config by PDM, I think, and I can't remove it in PDM or cli.

Then I don't know ... but if you can post a copy of your config and a "sh route", we may see where the problem is.

Is this route giving you a specific problem?

Here is the show route: the top one is our ISP address and it works ok. The middle is the inside address and that works ok. The bottom one is the problem: this is an email server on our network and not a default route of any kind. I am unable to remove it via CLI or PDM. When I go back to factory defaults, it shows up again.

sh route

outside 0.0.0.0 0.0.0.0 xx.xx.163.30 1 OTHER static

inside 10.xxx.xx.0 255.255.255.0 10.xxx.xx.72 1 CONNECT static

outside xx.xx.103.0 255.255.255.0 xx.xx.103.138 1 CONNECT static

pix501#

xx.xx.103.138 is the IP address of your outside interface, and the route is ok. The route says that the subnet xx.xx.103.0 255.255.255.0 is directly connected to that interface. You probably say that xx.xx.103.138 is your mail server because you have a static translation but it's primarily your PIX outside IP. So everything is normal here.

a.b.c.138 is our PIX outside

a.b.c.136 is our email server.

I noticed in PDM settings, the mask was 255.255.255.252 which is wrong and probably why the PIX thinks this is a direct route outside. I still cannot delete it. So I have two outside routes which will cause routing problems, I think.

If you say a.b.c.136 is our email server, I don't see any specific route statement related to it. Stop trying to delete this route, it's your normal outside subnet directly connected route. You have a similar one for your inside subnet and the third route is your default route.

Here's what I did. In the hosts/networks outside, I changed the subnet mask for a.b.c.136 from a.b.c.252 to a.b.c.0. That removed .136 and shows a.b.c.0 with outside interface .138 under it.

However, when I sh route outside, .136 shows up again. I also have .133 and .135 NAT servers and they don't appear as outside routes, so why just .136? I think because I messed up the mask originally, PIX is confused.

sh route

outside 0.0.0.0 0.0.0.0 xx.xx.163.30 1 OTHER static

inside 10.xxx.xx.0 255.255.255.0 10.xxx.xx.72 1 CONNECT static

outside xx.xx.103.0 255.255.255.0 xx.xx.103.138 1 CONNECT static

.136 ???? I don't see .136

Yes, I fixed the subnet mask problem and now the 2nd outside route is that bottom line. Still don't need it according to Cisco but it does not seem to break anything. Thanks much for all your time on this.
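
An added example, not part of the thread: a short Python check that reads output in the "sh route" layout posted above, marks which entries are derived from an interface address (the CONNECT routes the PIX refuses to delete) and shows which entry a given host matches. The addresses are constructed documentation-range stand-ins for the masked xx.xx values, and the function names are hypothetical; it assumes, as the replies state, that the gateway column of a CONNECT entry is the interface's own IP.

```python
import ipaddress

# Constructed sample in the thread's "sh route" layout (not the poster's real addresses).
SH_ROUTE = """\
outside 0.0.0.0 0.0.0.0 198.51.100.30 1 OTHER static
inside 10.1.1.0 255.255.255.0 10.1.1.72 1 CONNECT static
outside 203.0.113.0 255.255.255.0 203.0.113.138 1 CONNECT static
"""


def parse_routes(text):
    """Parse 'interface network mask gateway metric type static' lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # skip prompts, blank lines and anything not in this layout
        ifc, net, mask, gw, _metric, kind, _flag = parts
        routes.append({
            "interface": ifc,
            "network": ipaddress.ip_network(f"{net}/{mask}"),
            "gateway": ipaddress.ip_address(gw),
            "kind": kind,
        })
    return routes


def is_interface_derived(route):
    """True for a connected route: typed CONNECT and 'gateway' lies inside the subnet."""
    return route["kind"] == "CONNECT" and route["gateway"] in route["network"]


def best_route(routes, host):
    """Longest-prefix match: the entry that would carry traffic to 'host'."""
    addr = ipaddress.ip_address(host)
    matches = [r for r in routes if addr in r["network"]]
    return max(matches, key=lambda r: r["network"].prefixlen, default=None)


if __name__ == "__main__":
    table = parse_routes(SH_ROUTE)
    for r in table:
        note = "interface-derived, not removable" if is_interface_derived(r) else "configured route"
        print(f'{r["interface"]:8} {str(r["network"]):18} via {r["gateway"]}  {note}')
    # A host on the outside subnet (constructed stand-in for the mail server at .136)
    print(best_route(table, "203.0.113.136")["network"])
```

A host such as the mail server at .136 matches the connected outside subnet rather than a route of its own, which is why no separate entry for it appears in the table.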