PIX 515 with 2 internal interfaces

gdeangelis · ‎02-25-2006

I have a pix 515 6.3. Currently have client vpns etc. with no problems. I would like to use my eth4 interface and a separate subnet for vpn clients to hand off to an internal router. I specified a access list with nat (eth4) 0 access-list for this ip range. My internal subnet is 10.1/16 and new client range is 10.80/16. My clients can authenticate and ping the internal router, but all other traffic has no xlate when trying to get to my 10.1 network. Any assistance would be appreciated.

riteshsynchro · ‎02-25-2006

I apologize if the following is too basic. I don't know your level of expertise.

Do the nodes on the 10.1.0.0/16 network have a route back to 10.80.0.0/16?

For example, consider the inside route from the PIX is to a router whose IP is 10.1.1.1. There is a statement on 10.1.1.1 to route the 10.80.0.0/16 subnet to the PIX. This allows you to ping the router. Now, continuing the example, you have a node with IP 10.1.2.50/16 and it has a gw of 10.1.2.1/16. The 10.1.2.1/16 router does not have a route back to PIX, or to the upstream router, and 10.80.0.0/16 hosts will not be able to ping 10.1.2.50.

gdeangelis · ‎02-26-2006

Routing doesn't seem to be the problem. I have the 2nd inside interface on a vlan port on a 6500 w/msfc. All internal hosts can get to the the 10.80 w/no problem. The pix is dropping the traffic w/ (no xlate 10.80.x.x to 10.255.255.255), but I can't nail down why.

riteshsynchro · ‎02-26-2006

I'm not sure what you mean by no xlate. Since you are doing a nat 0 on the VPN traffic, no translations are performed, and there wouldn't be any corresponding xlate entries...right?

From what I understand about Cisco firewalls, an xlate entry is only created when an address translation is needed. I think you not seeing xlates on VPN traffic is normal for a PIX.

gdeangelis · ‎02-27-2006

In looking at my syslog, all traffic other than pings generate a no xlate error.