I have a VPN Concentrator's public interface connected to the PIX's DMZ. The PIX gets a static internet IP through PPPoE and the DMZ subnet is an internet routable subnet. The private interface of the Concentrator is connected to a private LAN. Ping works fine from the Concentrator itself but when I ping from one of the workstations in the private LAN to the internet, it won't work. Turning on 'debug icmp trace' on the PIX doesn't show anything. What could be the problem?
From what I gather from the info you provided, you are saying that the private LAN cannot talk to the Internet. If you can ping the PIX from the Concentrator and from the Concentrator to any LAN clients, I would figure it to be some sort of routing issue on the Concentrator.
First off, do a traceroute from a LAN client to see where it stops.
Here are some things to consider:
Is the private LAN's default Internet route through the VPN Concentrator, then the PIX?
Or is it going straight to the PIX on its (Inside) interface? If so, can you ping the PIX (inside) interface from a LAN client?
Do you have the correct default gateways configured on the clients?
Do you have the routes configured on the Concentrator (default route 0.0.0.0 pointing out the Concentrator's public interface toward the PIX's DMZ interface IP)?
Do you have 'setroute' configured on the PIX default route to 0.0.0.0?
You say that the PIX gets its "static" IP through PPPoE (???)