09-10-2009 07:54 AM - edited 03-11-2019 09:14 AM
Hi,
We are using a PIX 515E and have connected a site-to-site VPN between the head office and the branch office.
In our PIX we use three interfaces:
O/S - X.X.80.5
I/S - 10.195.21.X ------- VLAN 5 in core switch
I/S 2 - 10.195.1.X ------ VLAN 6 in core switch
The VPN is working between I/S 2 and the remote office, but when I ping 10.195.21.X it is not pinging.
interface Ethernet1
nameif inside
security-level 100
ip address 10.195.21.X 255.255.255.0
!
interface Ethernet2
nameif inside2
security-level 80
ip address 10.195.1.X 255.255.255.0
The config is:
access-list 101 extended permit ip 10.195.0.0 255.255.0.0 192.168.14.0 255.255.255.0
access-list 124 extended permit ip 10.195.0.0 255.255.0.0 192.168.14.0 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside2) 0 access-list 101
nat (inside2) 1 0.0.0.0 0.0.0.0
Will it work if I add no NAT for inside as well,
or do I need some ACL to allow the remote network to access the inside network?
09-10-2009 08:50 AM
Looks like you also need a nat 0 for inside.
access-list 102 extended permit ip 10.195.21.0 255.255.255.0 192.168.14.0 255.255.255.0
nat (inside) 0 access-list 102
Then fix the network and mask for your other ACL:
access-list 101 extended permit ip 10.195.1.0 255.255.255.0 192.168.14.0 255.255.255.0
nat (inside2) 0 access-list 101
09-10-2009 09:13 AM
Can I use the same access-list 101 for inside also,
like nat (inside) 0 access-list 101?
Is there any problem using this?
09-10-2009 09:17 AM
Like this?
access-list 101 extended permit ip 10.195.0.0 255.255.0.0 192.168.14.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside2) 0 access-list 101
Yes, you can. It should work that way, but it is better to separate them in my opinion.
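The two replies above (a separate nat 0 ACL per inside interface, or one shared /16 ACL referenced by both interfaces) both hinge on the same rule: NAT exemption is looked up per interface, so a nat 0 on inside2 does nothing for traffic arriving on inside. The following script is an added example written for this thread, not Cisco code and not the poster's config; it parses the thread's config fragments (the masked interface addresses are assumed to be 10.195.21.1 and 10.195.1.1, and access-list 102 is written with the "ip" keyword the posted line omitted), builds the per-interface nat 0 lookup, and reports which inside subnets are exempt toward the remote 192.168.14.0/24. It only models "nat (iface) 0 access-list" with permit ip entries, not the full PIX NAT order of operations (static, policy NAT, identity NAT), so treat it as an illustration of the lookup, not as a replacement for "show nat" or packet-tracer on the box.

```python
"""Per-interface NAT-exemption (nat 0) check for a PIX 7.x style config.

Added example for the thread above, not Cisco's code. Only "nat (x) 0 access-list"
with "permit ip" ACL entries is modelled.
"""
import ipaddress
import re

# Constructed sample from the thread. Interface addresses are assumed (the post
# masked them as 10.195.21.X / 10.195.1.X); access-list 102 includes "ip".
ORIGINAL_CONFIG = """\
interface Ethernet1
 nameif inside
 ip address 10.195.21.1 255.255.255.0
interface Ethernet2
 nameif inside2
 ip address 10.195.1.1 255.255.255.0
access-list 101 extended permit ip 10.195.1.0 255.255.255.0 192.168.14.0 255.255.255.0
access-list 102 extended permit ip 10.195.21.0 255.255.255.0 192.168.14.0 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside2) 0 access-list 101
nat (inside2) 1 0.0.0.0 0.0.0.0
"""

# First reply: a dedicated nat 0 for inside.
FIXED_CONFIG = ORIGINAL_CONFIG + "nat (inside) 0 access-list 102\n"

# Second reply: one /16 ACL shared by both interfaces.
SHARED_CONFIG = """\
interface Ethernet1
 nameif inside
 ip address 10.195.21.1 255.255.255.0
interface Ethernet2
 nameif inside2
 ip address 10.195.1.1 255.255.255.0
access-list 101 extended permit ip 10.195.0.0 255.255.0.0 192.168.14.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside2) 0 access-list 101
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
ACL_RE = re.compile(rf"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+{IPV4}\s+{IPV4}\s+{IPV4}\s+{IPV4}\s*$")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)\s*$")
NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)\s*$")
IPADDR_RE = re.compile(rf"^\s*ip address\s+{IPV4}\s+{IPV4}\s*$")


def parse_config(text):
    """Return (interfaces, acls, nat0).

    interfaces: nameif -> IPv4Network of the connected subnet
    acls:       ACL name -> list of (src_net, dst_net) permit-ip entries
    nat0:       nameif -> ACL name used for NAT exemption on that interface
    """
    interfaces, acls, nat0 = {}, {}, {}
    current_nameif = None
    for line in text.splitlines():
        if m := NAMEIF_RE.match(line):
            current_nameif = m.group(1)
        elif (m := IPADDR_RE.match(line)) and current_nameif:
            interfaces[current_nameif] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif m := ACL_RE.match(line):
            name, sa, sm, da, dm = m.groups()
            acls.setdefault(name, []).append((
                ipaddress.ip_network(f"{sa}/{sm}", strict=False),
                ipaddress.ip_network(f"{da}/{dm}", strict=False),
            ))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)   # exemption is bound to the ingress interface
    return interfaces, acls, nat0


def is_nat_exempt(parsed, nameif, src_ip, dst_ip):
    """True if src->dst entering `nameif` matches that interface's own nat 0 ACL."""
    _, acls, nat0 = parsed
    acl_name = nat0.get(nameif)
    if acl_name is None:
        return False                        # no nat 0 on this interface: global PAT applies
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in acls.get(acl_name, []))


def vpn_exemption_report(text, remote_net, skip=("outside",)):
    """Map each inside interface to whether a host on its subnet is exempt toward remote_net."""
    parsed = parse_config(text)
    interfaces, _, _ = parsed
    remote = ipaddress.ip_network(remote_net)
    src_probe = {name: str(next(net.hosts())) for name, net in interfaces.items() if name not in skip}
    dst_probe = str(next(remote.hosts()))
    return {name: is_nat_exempt(parsed, name, src, dst_probe) for name, src in src_probe.items()}


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG), ("shared", SHARED_CONFIG)):
        print(label, vpn_exemption_report(cfg, "192.168.14.0/24"))
```

Running it shows the original config exempting only inside2, and both the dedicated-ACL and shared-ACL variants exempting both interfaces, which is why the first reply's nat 0 on inside (or the shared 10.195.0.0/16 ACL) is what makes 10.195.21.X reachable over the tunnel.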
09-10-2009 09:26 AM
Is there any specific reason for separating the access-lists?
09-10-2009 09:30 AM
It looks nicer!