<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic pix unable to reroute packets through the outside in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/pix-unable-to-reroute-packets-through-the-outside/m-p/302958#M592308</link>
    <description>&lt;P&gt;Hi community,&lt;/P&gt;&lt;P&gt;We configured our 515 PIX to accept VPN Clients (3.6.6 and above) connections, and we do not have any problem to get to the 'inside' and to browse the LAN. Our problem is to get out through the outside with an IP address of the VPN local pool.&lt;/P&gt;&lt;P&gt;Since we have many important network devices just configured to be accessible only by a specific network, and didn't want to modify the access-list on every one, we decided to create a VPN ip local pool on the PIX, splitting the pure class C private network configured on the inside of it in two x.x.x.x/25, where the 2nd half is for our VPN Clients. As we 'land' on the PIX and receive an IP address from the local pool, we can go everywhere on every immediately connected network, but are unable to get out through the outside to reach our network devices with private addressing.&lt;/P&gt;&lt;P&gt;These are the logs:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;106011: Deny inbound (No xlate) icmp src outside:10.174.190.130 dst outside:10.174.173.2 (type 8, code 0)&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;106011: Deny inbound (No xlate) tcp src outside:10.174.190.130/1057 dst outside:10.174.173.2/23&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We sent this output to the Cisco Output interpreter and as we knew, it stated that the PIX is unable to reroute on the same interface a packet which has the same source and destination interface, thinking of it as a security breach. We also noticed that a solution could be a Proxy for various applications or the 'split tunneling' implementation.&lt;/P&gt;&lt;P&gt;Does anybody know what else we could do?&lt;/P&gt;&lt;P&gt;Thanks a lot in advance&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Dario Ferroni&lt;/P&gt;</description>
    <pubDate>Fri, 21 Feb 2020 07:25:43 GMT</pubDate>
    <dc:creator>d.ferroni</dc:creator>
    <dc:date>2020-02-21T07:25:43Z</dc:date>
    <item>
      <title>pix unable to reroute packets through the outside</title>
      <link>https://community.cisco.com/t5/network-security/pix-unable-to-reroute-packets-through-the-outside/m-p/302958#M592308</link>
      <description>&lt;P&gt;Hi community,&lt;/P&gt;&lt;P&gt;We configured our 515 PIX to accept VPN Clients (3.6.6 and above) connections, and we do not have any problem to get to the 'inside' and to browse the LAN. Our problem is to get out through the outside with an IP address of the VPN local pool.&lt;/P&gt;&lt;P&gt;Since we have many important network devices just configured to be accessible only by a specific network, and didn't want to modify the access-list on every one, we decided to create a VPN ip local pool on the PIX, splitting the pure class C private network configured on the inside of it in two x.x.x.x/25, where the 2nd half is for our VPN Clients. As we 'land' on the PIX and receive an IP address from the local pool, we can go everywhere on every immediately connected network, but are unable to get out through the outside to reach our network devices with private addressing.&lt;/P&gt;&lt;P&gt;These are the logs:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;106011: Deny inbound (No xlate) icmp src outside:10.174.190.130 dst outside:10.174.173.2 (type 8, code 0)&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;106011: Deny inbound (No xlate) tcp src outside:10.174.190.130/1057 dst outside:10.174.173.2/23&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We sent this output to the Cisco Output interpreter and as we knew, it stated that the PIX is unable to reroute on the same interface a packet which has the same source and destination interface, thinking of it as a security breach. We also noticed that a solution could be a Proxy for various applications or the 'split tunneling' implementation.&lt;/P&gt;&lt;P&gt;Does anybody know what else we could do?&lt;/P&gt;&lt;P&gt;Thanks a lot in advance&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Dario Ferroni&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 07:25:43 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-unable-to-reroute-packets-through-the-outside/m-p/302958#M592308</guid>
      <dc:creator>d.ferroni</dc:creator>
      <dc:date>2020-02-21T07:25:43Z</dc:date>
    </item>
    <item>
      <title>Re: pix unable to reroute packets through the outside</title>
      <link>https://community.cisco.com/t5/network-security/pix-unable-to-reroute-packets-through-the-outside/m-p/302959#M592312</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;what about involving a third interface (VLAN) to route through it to the restricted targets?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Milan&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 01 Jun 2004 09:08:55 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-unable-to-reroute-packets-through-the-outside/m-p/302959#M592312</guid>
      <dc:creator>milan.kulik</dc:creator>
      <dc:date>2004-06-01T09:08:55Z</dc:date>
    </item>
    <item>
      <title>Re: pix unable to reroute packets through the outside</title>
      <link>https://community.cisco.com/t5/network-security/pix-unable-to-reroute-packets-through-the-outside/m-p/302960#M592316</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It looks like the error messages you are receiving may be due to the ACL that defines "interesting traffic" for the VPN users. There's a good chance that the NAT 0 statement does not include the subnet of your important network devices.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Could you consider posting part of your configuration relating to VPN so we can look through it to assist you further?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;thanks&lt;/P&gt;&lt;P&gt;peter&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 01 Jun 2004 14:30:42 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-unable-to-reroute-packets-through-the-outside/m-p/302960#M592316</guid>
      <dc:creator>pcomeaux</dc:creator>
      <dc:date>2004-06-01T14:30:42Z</dc:date>
    </item>
  </channel>
</rss>

