I have a PIX 515 running 6.3. I currently have client VPNs etc. with no problems. I would like to use my eth4 interface and a separate subnet for VPN clients to hand off to an internal router. I specified an access list with nat (eth4) 0 access-list for this IP range. My internal subnet is 10.1/16 and the new client range is 10.80/16. My clients can authenticate and ping the internal router, but all other traffic has no xlate when trying to get to my 10.1 network. Any assistance would be appreciated.
I apologize if the following is too basic. I don't know your level of expertise.
Do the nodes on the 10.1.0.0/16 network have a route back to 10.80.0.0/16?
For example, consider the inside route from the PIX is to a router whose IP is 10.1.1.1. There is a statement on 10.1.1.1 to route the 10.80.0.0/16 subnet to the PIX. This allows you to ping the router. Now, continuing the example, you have a node with IP 10.1.2.50/16 and it has a gw of 10.1.2.1/16. The 10.1.2.1/16 router does not have a route back to PIX, or to the upstream router, and 10.80.0.0/16 hosts will not be able to ping 10.1.2.50.
Routing doesn't seem to be the problem. I have the 2nd inside interface on a VLAN port on a 6500 w/ MSFC. All internal hosts can get to the 10.80 network w/ no problem. The PIX is dropping the traffic w/ (no xlate 10.80.x.x to 10.255.255.255), but I can't nail down why.
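For reference, a PIX 6.3 NAT-exemption fragment for the topology described in this thread (an added example, not config posted by anyone in the thread). It assumes the inside interface is named "inside" and holds 10.1.0.0/16, the VPN client pool is 10.80.0.0/16 reached via eth4, and that the poster's existing "nat (eth4) 0 access-list" only exempts the 10.80 side; the point it illustrates is that in 6.3 a connection initiated from a lower-security interface toward inside also needs an xlate (or exemption) for the inside destination, plus an inbound ACL on the lower-security interface.

```cisco
! Exempt inside hosts talking to the VPN pool (creates the identity
! xlate for 10.1.x.x that eth4 -> inside connections look up)
access-list nonat_inside permit ip 10.1.0.0 255.255.0.0 10.80.0.0 255.255.0.0
nat (inside) 0 access-list nonat_inside

! Exempt the VPN pool on the eth4 side (the direction the poster already had)
access-list nonat_eth4 permit ip 10.80.0.0 255.255.0.0 10.1.0.0 255.255.0.0
nat (eth4) 0 access-list nonat_eth4

! Lower- to higher-security traffic is denied by default: allow only
! the VPN pool to the internal network, nothing broader
access-list eth4_in permit ip 10.80.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-group eth4_in in interface eth4

! Check: after a client sends traffic, "show xlate" should list identity
! entries for the 10.1 destination and "show access-list" hit counts
! on eth4_in should increment instead of a "no xlate" drop being logged
```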