firewall 1:
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.20.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.20.99.0 255.255.255.0 10.20.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 216.183.93.176 255.255.255.248
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.20.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip any 10.20.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 10.20.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 172.16.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 172.16.70.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 10.42.0.0 255.255.0.0
firewall 2:
access-list todixie_nat0_outbound extended permit ip 192.168.220.0 255.255.255.0
10.0.0.0 255.0.0.0
access-list todixie_nat0_outbound extended permit ip 192.168.240.0 255.255.255.0
10.0.0.0 255.0.0.0
access-list todixie_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0
10.0.0.0 255.0.0.0
access-list todixie_nat0_outbound extended permit ip 192.168.210.0 255.255.255.0
10.0.0.0 255.0.0.0
access-list todixie_nat0_outbound extended permit ip 192.168.230.0 255.255.255.0
10.0.0.0 255.0.0.0
I am unable to ping from 10.20.50.x/24 to 192.168.200.x
192.168.210.x
192.168.220.x
where 10.20.50 is the ip pool for remote access vpn and the 192.168 segments are local segment routed on the core switch behind firewall 2.
As you can see 10.20.50 is a subset of segments on the ACL's.
