https://community.cisco.com/t5/network-security/pix-515-with-2-internal-interfaces/m-p/532936#M527117 <HTML><HEAD></HEAD><BODY><P>I apologize if the following is too basic. I don't know your level of expertise.</P><P></P><P>Do the nodes on the 10.1.0.0/16 network have a route back to 10.80.0.0/16? </P><P></P><P>For example, consider the inside route from the PIX is to a router whose IP is 10.1.1.1. There is a statement on 10.1.1.1 to route the 10.80.0.0/16 subnet to the PIX. This allows you to ping the router. Now, continuing the example, you have a node with IP 10.1.2.50/16 and it has a gw of 10.1.2.1/16. The 10.1.2.1/16 router does not have a route back to PIX, or to the upstream router, and 10.80.0.0/16 hosts will not be able to ping 10.1.2.50.</P><P></P></BODY></HTML> Sun, 26 Feb 2006 07:59:52 GMT riteshsynchro 2006-02-26T07:59:52Z https://community.cisco.com/t5/network-security/pix-515-with-2-internal-interfaces/m-p/532935#M527115 <P>I have a pix 515 6.3. Currently have client vpns etc. with no problems. I would like to use my eth4 interface and a separate subnet for vpn clients to hand off to an internal router. I specified a access list with nat (eth4) 0 access-list for this ip range. My internal subnet is 10.1/16 and new client range is 10.80/16. My clients can authenticate and ping the internal router, but all other traffic has no xlate when trying to get to my 10.1 network. Any assistance would be appreciated.</P> Fri, 21 Feb 2020 08:44:14 GMT https://community.cisco.com/t5/network-security/pix-515-with-2-internal-interfaces/m-p/532935#M527115 gdeangelis 2020-02-21T08:44:14Z https://community.cisco.com/t5/network-security/pix-515-with-2-internal-interfaces/m-p/532936#M527117 <HTML><HEAD></HEAD><BODY><P>I apologize if the following is too basic. I don't know your level of expertise.</P><P></P><P>Do the nodes on the 10.1.0.0/16 network have a route back to 10.80.0.0/16? </P><P></P><P>For example, consider the inside route from the PIX is to a router whose IP is 10.1.1.1. There is a statement on 10.1.1.1 to route the 10.80.0.0/16 subnet to the PIX. This allows you to ping the router. Now, continuing the example, you have a node with IP 10.1.2.50/16 and it has a gw of 10.1.2.1/16. The 10.1.2.1/16 router does not have a route back to PIX, or to the upstream router, and 10.80.0.0/16 hosts will not be able to ping 10.1.2.50.</P><P></P></BODY></HTML> Sun, 26 Feb 2006 07:59:52 GMT https://community.cisco.com/t5/network-security/pix-515-with-2-internal-interfaces/m-p/532936#M527117 riteshsynchro 2006-02-26T07:59:52Z https://community.cisco.com/t5/network-security/pix-515-with-2-internal-interfaces/m-p/532937#M527119 <HTML><HEAD></HEAD><BODY><P>Routing doesn't seem to be the problem. I have the 2nd inside interface on a vlan port on a 6500 w/msfc. All internal hosts can get to the the 10.80 w/no problem. The pix is dropping the traffic w/ (no xlate 10.80.x.x to 10.255.255.255), but I can't nail down why.</P></BODY></HTML> Sun, 26 Feb 2006 17:15:16 GMT https://community.cisco.com/t5/network-security/pix-515-with-2-internal-interfaces/m-p/532937#M527119 gdeangelis 2006-02-26T17:15:16Z https://community.cisco.com/t5/network-security/pix-515-with-2-internal-interfaces/m-p/532938#M527121 <HTML><HEAD></HEAD><BODY><P>I'm not sure what you mean by no xlate. Since you are doing a nat 0 on the VPN traffic, no translations are performed, and there wouldn't be any corresponding xlate entries...right?</P><P></P><P>From what I understand about Cisco firewalls, an xlate entry is only created when an address translation is needed. I think you not seeing xlates on VPN traffic is normal for a PIX.</P><P></P><P></P></BODY></HTML> Sun, 26 Feb 2006 18:24:25 GMT https://community.cisco.com/t5/network-security/pix-515-with-2-internal-interfaces/m-p/532938#M527121 riteshsynchro 2006-02-26T18:24:25Z https://community.cisco.com/t5/network-security/pix-515-with-2-internal-interfaces/m-p/532939#M527123 <HTML><HEAD></HEAD><BODY><P>In looking at my syslog, all traffic other than pings generate a no xlate error. </P></BODY></HTML> Mon, 27 Feb 2006 22:50:47 GMT https://community.cisco.com/t5/network-security/pix-515-with-2-internal-interfaces/m-p/532939#M527123 gdeangelis 2006-02-27T22:50:47Z