PIX 515 : routing issue + NAT

Oct 12th, 2009

Hi all,

I have a routing + NAT issue with my PIX 515 (v7.2.4).

Indeed, I can't reach at the same time my outside interface (Internet) and a subnetwork in my inside network, which sits behind a router that has an IP on my inside network.

Here is my conf:

PIX Version 7.2(4)

interface Ethernet0
 nameif outside
 security-level 0
 ip address Public_IP
 ospf cost 10
interface Ethernet1
 description Office LAN
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address
 ospf cost 10
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface VoIP-inside
ip verify reverse-path interface DMZ
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
icmp permit any inside
global (outside) 1 interface
global (inside) 1 interface
nat (outside) 0 access-list outside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
access-group inbound in interface outside
route outside 203.XXX.XXX.XXX 1
route inside 1

Packet tracer shows a NAT issue with the dynamic NAT policy, but I don't know why.

When I remove the dynamic NAT policy, I can reach the subnetwork but no longer the Internet...


Best Regards,


Herbert Baerten Mon, 10/12/2009 - 22:21


Can you clarify in more detail what you are trying to achieve, maybe with an example using actual IP addresses?

Can you also include the packet-tracer output please.



IT-Volubill Tue, 10/13/2009 - 02:10

I want to be able to access at the same time the Internet (outside interface) and a subnetwork on my inside interface.

Example :

Inside network :

PIX inside :

IP of my router in the inside network :

Subnetwork behind my router :

To access the outside, I have a dynamic NAT, but with this dynamic NAT enabled I can't ping the subnetwork, while I can ping google.com for example.

If I remove the dynamic NAT, then I can ping the subnetwork but I can no longer reach the Internet (ping google.com not working).

As I have IOS v7.2.4, I followed this guide: http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml#t3 but enabling intra-interface communication is not sufficient.



dhananjoy chowdhury Tue, 10/13/2009 - 02:24


If it's feasible, add a static route for reaching pointing towards on each system on the subnet.

Herbert Baerten Tue, 10/13/2009 - 02:35

Ok, assuming you are pinging from 10.10.10.x, it would be easiest to simply use as your default gw, so the inside-to-inside traffic does not pass the firewall.

However, if it is a requirement for this traffic to pass the fw, then I would advise to consider moving one of the inside networks to another firewall interface (if your license allows it).

Otherwise, I guess you would need something like:

no global (inside) 1 interface
global (inside) 2 interface
nat (inside) 2 outside

If that does not help, could you please provide the packet-tracer output (from the CLI) ?
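The thread leaves the hairpin configuration incomplete (the IPs were redacted and the NAT discussion stops at "something like"). The fragment below is an added example, not configuration from the original poster or from Cisco: it shows the three pieces a PIX 7.2 needs for inside-to-inside traffic through the firewall (the route to the remote subnet, intra-interface permission, and a NAT exemption so the dynamic NAT used for Internet access does not translate that traffic), plus the packet-tracer checks Herbert asked for. All addresses are assumptions chosen for illustration: 10.10.10.0/24 as the office LAN, 10.10.10.254 as the internal router, 192.168.50.0/24 as the subnetwork behind it, and 198.51.100.1 as an arbitrary Internet host.

```cisco
! Added example, not from the original thread. Assumed addresses:
!   10.10.10.0/24    office LAN on the PIX inside interface
!   10.10.10.254     internal router on the office LAN
!   192.168.50.0/24  subnetwork behind that router
!   198.51.100.1     arbitrary Internet host (RFC 5737 documentation range)

! 1. Route to the remote subnet via the internal router (the redacted
!    "route inside ..." line in the posted config).
route inside 192.168.50.0 255.255.255.0 10.10.10.254 1

! 2. Allow traffic to enter and leave the same interface (already present
!    in the posted config, kept here so the fragment is complete).
same-security-traffic permit intra-interface

! 3. Exempt inside-to-inside traffic from translation, so "nat (inside) 1"
!    plus "global (inside) 1 interface" does not PAT it to the PIX inside
!    address. This reuses the exemption ACL the posted config already binds
!    with "nat (inside) 0 access-list inside_nat0_outbound".
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! 4. Verify both paths from the CLI. The NAT phase of each trace shows
!    which rule matched (the exemption for the subnet, the dynamic rule
!    for the Internet host); a DROP in the NAT or RPF phase points at
!    the rule to fix.
packet-tracer input inside icmp 10.10.10.50 8 0 192.168.50.10 detailed
packet-tracer input inside icmp 10.10.10.50 8 0 198.51.100.1 detailed
```

One caveat worth checking before relying on this: because the router and the hosts share the office LAN, replies from 192.168.50.0/24 return router-to-host directly and never pass the PIX, so the firewall sees only one direction of each flow. ICMP may appear to work, but stateful TCP inspection will drop connections whose SYN-ACK it never saw. That asymmetry is why the two suggestions above (a static route on the hosts so the traffic bypasses the firewall, or moving one network to its own firewall interface) are the cleaner designs; the exemption is the option when traffic must transit the PIX.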

