
Pix 515 2 "inside" networks


I have a pix 515 with a 4 port nic installed. I have outside set up with a public ip, inside set up with a private ip of one of my inside subnets, and eth2 on ex card set up with a different private subnet on our network. I need to be able to access the internet from both private subnets through the same outside ip. Seems like it should be simple enough to just copy the nat rule for the first network, which is working. Do I need to change security levels on the nic?

Thanks for your time



Hi David,

Yes, you need not do much; let me explain with an example:

You have 3 interfaces, let's say inside, outside and dmz:

Since inside is the higher security zone for you, its security level would be 100

outside is less secure, level should be 0

dmz is a mid-security zone, so its level could be 50, although you can change it to 100 as well; that's your requirement.

for internet access:

nat (inside) 1

global (outside) 1 interface

nat (dmz) 1

That's it, both the inside and dmz would take the public ip on the outside interface and should be able to access the internet.

Hope this helps



Varun Rao

Thank you Varun

After checking I am still having trouble. I have internet when plugging into the "server" nic on the pix. I then clear xlate and clear arp, change ip info on the pc nic, plug into courthouse and sheriff and I get nowhere, can't even ping the pix ip for that subnet. Can you see anything wrong with the config:

PIX-GW# show run

: Saved


PIX Version 8.0(4)


hostname PIX-GW


enable password 2Vnffa/98HkYTtlJ encrypted

passwd 2KFQnbNIdI.2KYOU encrypted



interface Ethernet0

nameif outside

security-level 0

ip address 167.*.#.%


interface Ethernet1

nameif inside

security-level 100

ip address


interface Ethernet2

nameif Sheriffs

security-level 99

ip address


interface Ethernet3

nameif Courthouse

security-level 98

ip address


interface Ethernet4


no nameif

no security-level

no ip address


interface Ethernet5


no nameif

no security-level

no ip address


ftp mode passive

dns server-group DefaultDNS

domain-name dn.local

pager lines 24

mtu inside 1500

mtu Sheriffs 1500

mtu Courthouse 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image flash:/asdm-613.bin

no asdm history enable

arp timeout 14400

global (outside) 101 interface

nat (inside) 101

nat (Sheriffs) 101

nat (Courthouse) 101

route outside 167.*.*.*.*

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http inside

http inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept


class-map inspection_default

match default-inspection-traffic



policy-map type inspect dns preset_dns_map


  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp


service-policy global_policy global

prompt hostname context


: end

Hi david,

Please provide me the captures when you plug the internet into the sheriff and courthouse interfaces. Here is how to take them:

access-list cap permit ip host any

access-list cap permit ip any host

capture caps access-list cap interface Sheriffs

capture capo access-list cap interface outside

Try connecting to the internet after that, and collect the output of "show capture caps" and "show capture capo".

Moreover, kindly give me the output of the packet-tracer:

packet-tracer input Sheriffs tcp 2345 80 detailed

And please collect the logs for the time of the issue as well; this should be enough to troubleshoot on the ASA.

Hope this helps



Varun Rao

Hi, I put the capture commands in and plugged in to sheriff and it started working. Maybe I had bad ether cables.

Anyway, I really appreciate the help, consider it solved.

Hi David,

That is good, all the best


Varun Rao


as long as the security level on your second inside interface is higher than the outside interface you should be fine
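
The two conditions this thread relies on (each internal interface sits at a higher security level than outside, and its nat ID has a matching global on outside) can be checked offline against a saved configuration. The following is an added example, not part of any post above; the function name `audit_outbound_nat` and the sample configuration are constructed for illustration, with one deliberately mismatched nat ID.

```python
import re

# Constructed sample in PIX 8.0 syntax; subnets are private ranges chosen for the example.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
interface Ethernet1
 nameif inside
 security-level 100
interface Ethernet2
 nameif Sheriffs
 security-level 99
interface Ethernet3
 nameif Courthouse
 security-level 98
interface Ethernet4
 no nameif
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
nat (Sheriffs) 101 10.0.2.0 255.255.255.0
nat (Courthouse) 102 10.0.3.0 255.255.255.0
"""

def audit_outbound_nat(config, egress="outside"):
    """Map each named interface that cannot PAT out via `egress` to the reason."""
    levels, nat_ids, global_ids, name = {}, {}, set(), None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            name = None                      # start of a new interface block
        elif m := re.match(r"nameif (\S+)$", line):
            name = m.group(1)
        elif (m := re.match(r"security-level (\d+)$", line)) and name:
            levels[name] = int(m.group(1))
        elif m := re.match(r"nat \((\S+)\) (\d+)\b", line):
            nat_ids.setdefault(m.group(1), set()).add(int(m.group(2)))
        elif (m := re.match(r"global \((\S+)\) (\d+)\b", line)) and m.group(1) == egress:
            global_ids.add(int(m.group(2)))
    problems = {}
    for ifc in sorted(levels.keys() - {egress}):
        ids = nat_ids.get(ifc, set()) - {0}  # nat id 0 bypasses translation, needs no global
        if levels[ifc] <= levels.get(egress, 0):
            problems[ifc] = "security level not higher than egress"
        elif not ids:
            problems[ifc] = "no dynamic nat rule"
        elif not ids & global_ids:
            problems[ifc] = f"nat id {sorted(ids)} has no matching global on {egress}"
    return problems
```

An empty result means the configuration side is consistent, which points troubleshooting toward cabling and host settings, as happened here.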
