Cisco Support Community
PIX 515 with 2 internal interfaces

I have a PIX 515 running 6.3. I currently have client VPNs etc. with no problems. I would like to use my eth4 interface and a separate subnet for VPN clients to hand off to an internal router. I specified an access list with nat (eth4) 0 access-list for this IP range. My internal subnet is 10.1/16 and the new client range is 10.80/16. My clients can authenticate and ping the internal router, but all other traffic has no xlate when trying to get to my 10.1 network. Any assistance would be appreciated.

4 REPLIES
Re: PIX 515 with 2 internal interfaces

I apologize if the following is too basic. I don't know your level of expertise.

Do the nodes on the 10.1.0.0/16 network have a route back to 10.80.0.0/16?

For example, consider that the inside route from the PIX is to a router whose IP is 10.1.1.1. There is a statement on 10.1.1.1 to route the 10.80.0.0/16 subnet to the PIX. This allows you to ping the router. Now, continuing the example, you have a node with IP 10.1.2.50/16 and it has a gateway of 10.1.2.1/16. The 10.1.2.1/16 router does not have a route back to the PIX, or to the upstream router, so 10.80.0.0/16 hosts will not be able to ping 10.1.2.50.

Re: PIX 515 with 2 internal interfaces

Routing doesn't seem to be the problem. I have the 2nd inside interface on a VLAN port on a 6500 with MSFC. All internal hosts can get to the 10.80 network with no problem. The PIX is dropping the traffic with (no xlate 10.80.x.x to 10.255.255.255), but I can't nail down why.

Re: PIX 515 with 2 internal interfaces

I'm not sure what you mean by "no xlate". Since you are doing a nat 0 on the VPN traffic, no translations are performed, and there wouldn't be any corresponding xlate entries... right?

From what I understand about Cisco firewalls, an xlate entry is only created when an address translation is needed. I think your not seeing xlates on VPN traffic is normal for a PIX.

Re: PIX 515 with 2 internal interfaces

Looking at my syslog, all traffic other than pings generates a "no xlate" error.

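The thread never shows the poster's actual nat 0 statement, so the following is an added PIX 6.3 configuration example, not the poster's configuration or anything Cisco published for this thread. It illustrates the one check a practitioner would make first on a "no translation group" (syslog 305005) symptom with a nat 0 access-list: the exemption ACL is written from the point of view of the interface named in the nat command, so its source must be the hosts on that interface's side of the PIX. The interface name "vpnclients", its security level, the 172.16.80.0/30 link to the internal router and the pool bounds are assumptions; only the 10.1/16 and 10.80/16 ranges come from the thread.

```cisco
! Added example (not the poster's configuration). Interface name, security
! level, the 172.16.80.0/30 transit link and the pool bounds are assumptions.
nameif ethernet4 vpnclients security50
ip address vpnclients 172.16.80.1 255.255.255.252

! Addresses handed to IPsec clients; these hosts are reached via the outside interface
ip local pool VPNPOOL 10.80.1.1-10.80.255.254

! 10.1/16 is reached through the internal router on the eth4 link (assumed here;
! if the inside interface itself carries 10.1/16 the connected route applies instead)
route vpnclients 10.1.0.0 255.255.0.0 172.16.80.2 1

! WRONG orientation. For "nat (vpnclients) 0" the ACL source must be the hosts
! on the vpnclients side (10.1/16), not the VPN pool. Written this way the
! exemption never matches client traffic coming in from outside, and the PIX
! typically logs %PIX-3-305005 "No translation group found" for each connection.
! access-list NONAT permit ip 10.80.0.0 255.255.0.0 10.1.0.0 255.255.0.0
! nat (vpnclients) 0 access-list NONAT

! Correct orientation: source = local side of the named interface,
! destination = the VPN pool. NAT exemption via an ACL is bidirectional on
! PIX 6.3, so return traffic from 10.1/16 to 10.80/16 is covered as well.
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.80.0.0 255.255.0.0
nat (vpnclients) 0 access-list NONAT

! Allow decrypted IPsec client traffic through without a matching interface ACL
sysopt connection permit-ipsec
```

After applying this, "show xlate" will still show nothing for the client flows, which is expected: NAT exemption creates no xlate entries, as one of the replies notes. What should change is that the 305005 messages stop and "show conn" lists the client connections. An identity static on the same interface (static (vpnclients,outside) 10.1.0.0 10.1.0.0 netmask 255.255.0.0) is an equivalent way to satisfy the lower-to-higher translation requirement if a per-destination exemption is not needed.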