New Member

PIX 515 : routing issue + NAT

Hi all,

I have a routing + NAT issue with my PIX 515 (v7.2.4).

Indeed, I can't reach, at the same time, my outside interface (Internet) and a subnetwork in my inside network that sits behind a router which has an IP on my inside network.

Here is my conf:

PIX Version 7.2(4)

interface Ethernet0
 nameif outside
 security-level 0
 ip address Public_IP
 ospf cost 10

interface Ethernet1
 description Office LAN
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address
 ospf cost 10

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface VoIP-inside
ip verify reverse-path interface DMZ
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
icmp permit any inside
global (outside) 1 interface
global (inside) 1 interface
nat (outside) 0 access-list outside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
access-group inbound in interface outside
route outside 203.XXX.XXX.XXX 1
route inside 1

Packet-tracer shows a NAT issue with the dynamic NAT policy, but I don't know why.

When I remove the dynamic NAT policy, I can reach the subnetwork but no longer the Internet...


Best Regards,


Cisco Employee

Re: PIX 515 : routing issue + NAT


Can you clarify in more detail what you are trying to achieve, maybe with an example using actual IP addresses?

Can you also include the packet-tracer output please.



New Member

Re: PIX 515 : routing issue + NAT


I want to be able to access the Internet (outside interface) and a subnetwork on my inside interface at the same time.

Example:

Inside network:

PIX inside:

IP of my router in the inside network:

Subnetwork behind my router:

To access the outside, I have a dynamic NAT, but with this dynamic NAT enabled I can't ping the subnetwork, while I can ping, for example.

If I remove the dynamic NAT, then I can ping the subnetwork but I can no longer reach the Internet (ping not working).

As I have IOS v7.2.4, I followed this guide: but enabling intra-interface communication is not sufficient.



Re: PIX 515 : routing issue + NAT


If it's feasible, add a static route for reaching pointing towards, on each system on the subnet.

Cisco Employee

Re: PIX 515 : routing issue + NAT

Ok, assuming you are pinging from 10.10.10.x, it would be easiest to simply use as your default gw, so the inside-to-inside traffic does not pass the firewall.

However, if it is a requirement for this traffic to pass the fw, then I would advise to consider moving one of the inside networks to another firewall interface (if your license allows it).

Otherwise, I guess you would need something like:

no global (inside) 1 interface
global (inside) 2 interface
nat (inside) 2 outside

If that does not help, could you please provide the packet-tracer output (from the CLI)?
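As an added illustration (not configuration posted in this thread, nor Cisco's own), here is how NAT exemption can keep the inside-to-inside hairpin traffic untranslated on PIX 7.2 while dynamic PAT still applies to Internet-bound traffic. 10.10.10.0/24 is the inside network mentioned above; the router address 10.10.10.254 and the remote subnet 192.168.50.0/24 are placeholders, since the thread does not give them.

```cisco
! Added example with placeholder addresses; not the thread's configuration.
! Assumes: inside LAN 10.10.10.0/24 on the PIX inside interface,
!          internal router at 10.10.10.254 (placeholder),
!          subnet 192.168.50.0/24 (placeholder) behind that router.

! Traffic to the subnet enters and leaves the inside interface (hairpin).
same-security-traffic permit intra-interface

! Reach the remote subnet through the internal router.
route inside 192.168.50.0 255.255.255.0 10.10.10.254 1

! NAT exemption (nat 0 access-list): inside-to-inside flows are not
! translated. Without a matching exemption, "nat (inside) 1" together
! with "global (inside) 1 interface" tries to PAT the hairpinned flow
! to the inside interface address, a likely source of the NAT failure
! packet-tracer reports.
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! Dynamic PAT to the outside interface address for everything else
! leaving toward the Internet.
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface

! Verification: trace an ICMP echo from a LAN host to a subnet host.
packet-tracer input inside icmp 10.10.10.5 8 0 192.168.50.10
```

In the packet-tracer output, the NAT phase should select the exemption rule (nat 0) rather than the dynamic rule, and the final action should be allow; a second trace toward an Internet address should instead hit the dynamic PAT rule.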
