Cisco Support Community

PIX with two internal networks


here's my setup:

[network diagram not reproduced; it showed a Cisco 1721 and a Cisco PIX 501]
For some reason, I can't reach the subnet from a client PC. I have added a static route to the PIX (route inside 1) which will allow me to ping the remote network from the PIX, but not from my network. I seem to be missing something. This setup works fine with another NAT box in place of the PIX, so the netopias are configured fine.

Anyone with any insights, my config follows:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname rtpdpix
domain-name rtpd.local
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any any eq 9054
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside a.b.c.1
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) tcp interface 9054 9054 netmask 0 0
access-group 100 in interface outside
route outside a.b.c.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server a.b.c.d source outside
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet inside
telnet timeout 5
ssh timeout 5
terminal width 80
: end


Re: PIX with two internal networks


This is because you have your PIX as the default gateway for the 192.168.0.x subnet. The PIX cannot receive a packet on an interface and then send it back out that same interface. You're going to need to make your default gateway the Netopia for the 192.168.0.x subnet and then configure the routing on it.

Hope that helps..
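The same-interface rule the reply describes, as an added example that is not part of the thread: a small Python model of the PIX 6.x forwarding decision, using constructed addresses (PIX inside 192.168.0.1, Netopia 192.168.0.2, remote LAN 192.168.1.0/24, none of which come from the post). It shows the client's packet being dropped when the PIX is its gateway, the PIX's own ping succeeding because it is locally originated, and both remote-LAN and Internet traffic going through once the Netopia is the gateway.

```python
import ipaddress

# Constructed topology; the thread elides the real addresses.
# PIX inside 192.168.0.1, Netopia LAN side 192.168.0.2, remote LAN 192.168.1.0/24.
PIX_INSIDE_ADDR = "192.168.0.1"
NETOPIA_ADDR = "192.168.0.2"
PIX_INTERFACES = {
    "inside": ipaddress.ip_network("192.168.0.0/24"),
    "outside": ipaddress.ip_network("198.51.100.0/30"),  # stands in for a.b.c.x
}
REMOTE_LAN = ipaddress.ip_network("192.168.1.0/24")
# Models the poster's "route inside <remote> <netopia> 1" and "route outside 0 0 a.b.c.2 1".
PIX_ROUTES = [
    (REMOTE_LAN, "inside", NETOPIA_ADDR),
    (ipaddress.ip_network("0.0.0.0/0"), "outside", "198.51.100.2"),
]

def ingress_interface(src):
    """Interface a packet from src arrives on; None if the PIX originated it."""
    if src == PIX_INSIDE_ADDR:
        return None
    for name, net in PIX_INTERFACES.items():
        if ipaddress.ip_address(src) in net:
            return name
    return "outside"  # anything else comes from the Internet side

def lookup_route(dst):
    """Longest-prefix match over the PIX routing table."""
    dst = ipaddress.ip_address(dst)
    net, iface, nexthop = max((r for r in PIX_ROUTES if dst in r[0]),
                              key=lambda r: r[0].prefixlen)
    return iface, nexthop

def pix_decision(src, dst):
    """PIX 6.x rule: a transit packet may not leave on the interface it arrived on."""
    ingress = ingress_interface(src)
    egress, nexthop = lookup_route(dst)
    if ingress == egress:
        return ("drop", f"ingress {ingress} == egress {egress}")
    return ("forward", f"{egress} via {nexthop}")

def client_reachability(client_gateway, src, dst):
    """Outcome for a LAN client whose default gateway is client_gateway.
    The Netopia routes the remote LAN itself and hands everything else to the PIX."""
    if client_gateway == NETOPIA_ADDR and ipaddress.ip_address(dst) in REMOTE_LAN:
        return "forward"
    return pix_decision(src, dst)[0]
```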


Re: PIX with two internal networks

>> The PIX cannot receive a packet on an interface and then send it back out that same interface

After posting I did read a bit on the PIX and came to that conclusion, as it doesn't send ICMP redirects back to the client, but I hadn't thought of using the Netopia as the default gateway. I was prepared to return the PIX and get an ethernet-to-ethernet router, as the only solution I could think of was to add static routes to all the client PCs (a big pain, and inelegant).

thanks for the suggestion.
