pix unable to reroute packets through the outside

d.ferroni
Level 1

Hi community,

We configured our 515 PIX to accept VPN Client (3.6.6 and above) connections, and we do not have any problem getting to the 'inside' and browsing the LAN. Our problem is getting out through the outside with an IP address of the VPN local pool.

Since we have many important network devices configured to be accessible only from a specific network, and we didn't want to modify the access-list on every one, we decided to create a VPN ip local pool on the PIX, splitting the pure class C private network configured on its inside into two x.x.x.x/25, where the 2nd half is for our VPN Clients. As we 'land' on the PIX and receive an IP address from the local pool, we can go everywhere on every immediately connected network, but are unable to get out through the outside to reach our network devices with private addressing.

These are the logs:

106011: Deny inbound (No xlate) icmp src outside:10.174.190.130 dst outside:10.174.173.2 (type 8, code 0)

106011: Deny inbound (No xlate) tcp src outside:10.174.190.130/1057 dst outside:10.174.173.2/23

We sent this output to the Cisco Output Interpreter and, as we knew, it stated that the PIX is unable to reroute on the same interface a packet which has the same source and destination interface, treating it as a security breach. We also noticed that a solution could be a proxy for various applications or the 'split tunneling' implementation.

Does anybody know what else we could do?

Thanks a lot in advance

Dario Ferroni
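The two 106011 lines quoted in this post are the PIX saying that the packet arrived on "outside" and would have to leave on "outside" again with no translation in place. When triaging a larger syslog feed it helps to separate these same-interface (hairpin) denies from ordinary "No xlate" denies between different interfaces, because they point at a routing/VPN design issue rather than at a missing static. The script below is an added example and is not part of the thread or of any Cisco tooling; the first two sample lines are the ones quoted above, the remaining sample lines and the regular expression are constructed for illustration.

```python
import re
from collections import Counter

# Matches the PIX 106011 "Deny inbound (No xlate)" message family, e.g.
#   106011: Deny inbound (No xlate) tcp src outside:10.174.190.130/1057 dst outside:10.174.173.2/23
# The ICMP variant has no ports and carries "(type N, code M)" at the end.
LOG_RE = re.compile(
    r"106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
    r"(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))?"
)

# Constructed sample input: the first two lines are the ones quoted in the
# post (joined onto single lines); the last two are made up for contrast.
SAMPLE_LOGS = [
    "106011: Deny inbound (No xlate) icmp src outside:10.174.190.130 dst outside:10.174.173.2 (type 8, code 0)",
    "106011: Deny inbound (No xlate) tcp src outside:10.174.190.130/1057 dst outside:10.174.173.2/23",
    "106011: Deny inbound (No xlate) tcp src outside:203.0.113.7/40001 dst inside:192.0.2.10/80",
    "302013: Built inbound TCP connection 12 for outside:203.0.113.7/40002 (203.0.113.7/40002) to inside:192.0.2.10/80 (192.0.2.10/80)",
]


def parse_106011(line):
    """Return the parsed fields of a 106011 line, or None for any other message.

    The 'hairpin' flag is True when the packet entered and would leave on the
    same interface, which is exactly the case the PIX refuses to forward.
    """
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["hairpin"] = rec["src_if"] == rec["dst_if"]
    return rec


def classify(lines):
    """Count 106011 denies per (src_if, dst_if) pair and collect the hairpin ones."""
    counts = Counter()
    hairpins = []
    for line in lines:
        rec = parse_106011(line)
        if rec is None:
            continue  # not a 106011 message, ignore
        counts[(rec["src_if"], rec["dst_if"])] += 1
        if rec["hairpin"]:
            hairpins.append(rec)
    return counts, hairpins


def summarize(lines):
    """Human-readable summary: one line per interface pair, hairpins marked."""
    counts, hairpins = classify(lines)
    out = []
    for (src_if, dst_if), n in sorted(counts.items()):
        tag = " (hairpin: same ingress and egress interface)" if src_if == dst_if else ""
        out.append(f"{src_if} -> {dst_if}: {n} deny(s){tag}")
    out.append(f"{len(hairpins)} hairpin deny(s) in total")
    return out


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOGS):
        print(row)
```

Run against the sample list it reports two outside->outside denies flagged as hairpins and one outside->inside deny, and silently skips the unrelated 302013 line; pointing it at a real syslog file is a matter of replacing SAMPLE_LOGS with the file's lines.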

2 Replies

milan.kulik
Level 10

Hi,

what about involving a third interface (VLAN) to route through it to the restricted targets?

Regards,

Milan

pcomeaux
Cisco Employee

It looks like the error messages you are receiving may be due to the ACL that defines "interesting traffic" for the VPN users. There's a good chance that the NAT 0 statement does not include the subnet of your important network devices.

Could you consider posting part of your configuration relating to VPN so we can look through it to assist you further?

thanks

peter
