Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

What's the way out?

Hi guys,

Just got a pix 515E but have a problem with designing my current with this new device. I hope any expert here can kindly provide me with some advice. The problem goes here...

My one and only router have 2 interfaces(fa0/0<connect to my ISP>, fa0/1<internal network>). It performs NAT that translates all ip addresses to On top of that, it also does site2site VPN with another network( with all the configuration inside this router. What the other side sees our network is

The Cisco PIX 515E that we just bought has 6 interfaces. what I intend to do is to have 5 subnets(,,,, been assigned to each of the 5 internal PIX interfaces.

The problem here is I do not want change the router's site2site VPN configuration. How can I achieve this if I assign the subnetwork inside the PIX? If so, what should be the ip address be assign to the router's fa0/1 and the PIX e0(connect to the router fa0/1)? How to make sure that the other VPN site network still see us as when most of the stuffs has change? Where should the NAT be functioning this time?

Thank you guys in advance.


Re: What's the way out?

providing the decision has been made and it is to keep the lan-lan vpn as well as the nat/pat on the router, the pix should not perform any nat/pat, at least between the inside and outside interface.

just wondering what version of os the pix is running. for v6.x, no-nat needs to be specifically configured; whereas with v7.x, simply do "no nat-control" will do.

below is a simplified topology:

www <--> router <--> <--> pix <--> inside


a static route needs to be configured for subnet 10.10.10.x and the rest pointing to the pix outside interface (ip

nat/pat configuration may need to be updated for the new subnets. i.e., etc.


inbound acl is required to permit the vpn traffic. e.g. access-list inbound permit ip

default gateway should be set to the router fa0/1 interface (ip

New Member

Re: What's the way out?

The pix is running on v6.3 but will be upgrading to v7 pretty soon.

Due to my first time playing pix, I simulated a test case scenario yesterday and wanted the 5 internal subnets(e1,e2,e3,e4,e5) to be able to route traffic within a pix.

When I did a static route to route e1 to e2 and vice versa, it gave me a error that route already exist. Ok fine, I thought. but it just couldnt ping through.

Then I add 2 rules to let the 2 subnets of Ip addrs to pass through their own interface to inorder to ping. Pix prompt me whether I want to have NAT between them or else I can't add the rules. I allow the NAT function to be added between the subnets and it proved to be able to ping between them. Now must be NAT to be on inorder for the rules to work between the subnets?

Is there anyone who can advice me again?


Re: What's the way out?

as mentioned in my last post, nat/global is a must with v6.x.

to disable nat/global between those 5 interfaces. assuming dmz2 has lower security level than dmz1:

static (dmz1,dmz2) netmask

static (dmz2,dmz1) netmask

access-list dmz2_in_dmz1 permit icmp any any

access-group dmz2_in_dmz1 in interface dmz2

further, static route is not required for pix to route between those 5 interfaces as they are directly connected to the pix.

CreatePlease login to create content