I posted this in the VPN Section some days ago. Maybe someone here can help?
We are terminating a VPN (for Cisco VPN Client) on a PIX 515.
The address pool for the VPN is part of the ethernet1 (inside) pool and is not translated "nat (inside) 0 ...". The inside is configured for proxyarp. proxyarp is disabled for the outside interface.
Both interfaces are on the same broadcast network but with different IP networks.
Now the problem: the PIX sends the data from the inside interface. But when it gets an ARP request (for the VPN addresses) it answers on the outside interface and with the MAC address of the outside interface. As a result all packets to the VPN clients are sent to the outside interface, where the PIX refuses them ("no xlate").
How can we prevent the PIX 515 from using proxyarp on the outside interface (even though it is disabled!)?
Best Regards
Sebastian Koerner