637 Views, 0 Helpful, 7 Replies

515e and VPN

saltshealthcare
Level 1

Hello,

I am a firewall newbie and I have a 515e firewall running pix 6.3(3) but am having some issues with traffic on VPN connections.

I can establish a connection (using the Cisco VPN client) and have set the firewall to allocate a 192.168.4.x address. I can ping the connected client from a PC inside the network; however, I am unable to ping the same PC inside the network from the client.

The permissions appear to be correct, but I can only surmise that the problem is in the firewall config somewhere.

Any pointers would be much appreciated

Thanks

Neil Smith.

7 Replies

joneschw1
Level 1

Do you have the no nat statement and access list for the vpn?

access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.4.0 255.255.255.0

(I assume you are using 10.1.1.0 range, but if not, just substitute it). You are using a diff subnet for the vpn allocation aren't you?

nat (inside) 0 access-list 101

He can use addresses out of the local subnet so long as they are not already in use.

Neil, is ICMP the only thing not working? I'm troubleshooting an issue where ICMP won't work either way but other applications work fine. Does this sound like your issue?

Rik

Thanks for the reply,

My internal network subnet is 192.168.1.x and 4 was the next available subnet to me.

I have been using the PIX GUI to configure everything and have one access rule to allow the internal network to the 192.168.4.x subnet and another rule allowing the reverse.

I also have a translation rule on the inside 192.168.1.x network to the external ip on the outside interface with pat.

I should also point out that this was set up for us and I have inherited this problem, hence my lack of understanding.

Thanks again for the help.

Hi rg,

Didn't see your reply till my other had posted.

I can't ping into the network nor are any network apps or network browsing working.

Thanks

Sounds like you may have an access list issue. If possible, please post a scrubbed copy of the config and we can take a look at it.

Rik

I am sorry if this is too much info, but I wasn't sure which bits to include/exclude. Also, I have had to edit the external IP address info; hope this doesn't cause any probs.

PIX Version 6.3(3)
access-list inside_access_in permit ip host Exchange01 any
access-list inside_access_in permit tcp host ICAMAIL any object-group Exch-Out-Services
access-list inside_access_in permit udp object-group LAN-DNS any object-group DNS-Out
access-list inside_access_in permit ip host Unix01 host WWW01
access-list inside_access_in permit ip Salts-LAN-01 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_access_in deny udp any any object-group Broadcast log disable
access-list inside_access_in deny ip any any
access-list outside_access_in permit tcp any host 193.195.* object-group Exch-Inbound-Services
access-list outside_access_in permit tcp any host 193.195.* object-group WWW-In-Services
access-list outside_access_in permit tcp host WebControl host 193.195.* object-group WebControlFTP
access-list outside_access_in permit ip 192.168.4.0 255.255.255.0 193.195.* 255.255.255.0
access-list outside_access_in deny udp any any object-group Broadcast log disable
access-list outside_access_in deny ip any any
access-list DMZ01_access_in permit tcp host WWW01 any object-group WWW-Out-Services
access-list DMZ01_access_in permit ip host WWW01 object-group LAN-DNS_ref
access-list DMZ01_access_in permit ip host WWW01 host Unix01
access-list outside_cryptomap_dyn_20 permit ip any 192.168.4.0 255.255.255.0
access-list outside_cryptomap_dyn_60 permit ip any 192.168.4.0 255.255.255.0
access-list outside_cryptomap_dyn_80 permit ip any 192.168.4.0 255.255.255.0
access-list outside_cryptomap_dyn_100 permit ip any 192.168.4.0 255.255.255.0
access-list outside_cryptomap_dyn_120 permit ip any 192.168.4.0 255.255.255.0
access-list outside_cryptomap_dyn_140 permit ip any 192.168.4.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu DMZ01 1500
ip address outside 193.195.* 255.255.255.248
ip address inside 192.168.1.100 255.255.255.0
ip address DMZ01 10.10.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN-POOL-01 192.168.4.1-192.168.4.254
pdm location ICM-Support 255.255.255.255 outside
pdm location Exchange01 255.255.255.255 inside
pdm location Unix01 255.255.255.255 inside
pdm location LAN-DNS-01 255.255.255.255 inside
pdm location WWW01 255.255.255.255 DMZ01
pdm location ICAMAIL 255.255.255.255 inside
pdm location WebControl 255.255.255.255 outside
pdm group LAN-DNS inside
pdm group LAN-DNS_ref DMZ01 reference LAN-DNS
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 Salts-LAN-01 255.255.255.0 0 0
static (inside,outside) 193.195.* Exchange01 netmask 255.255.255.255 0 0
static (DMZ01,outside) 193.195.* WWW01 netmask 255.255.255.255 0 0
static (inside,DMZ01) Exchange01 Exchange01 netmask 255.255.255.255 0 0
static (inside,DMZ01) LAN-DNS-01 LAN-DNS-01 netmask 255.255.255.255 0 0
static (inside,DMZ01) Unix01 Unix01 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ01_access_in in interface DMZ01
route outside 0.0.0.0 0.0.0.0 193.195.* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http ICM-Support 255.255.255.255 outside
http Salts-LAN-01 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

Hi,

I do not see your Crypto config here, but it looks like you are missing the no nat statement. You need to tell the PIX not to NAT packets going from the inside to the outside if they are to be encrypted.

nat (inside) 0 access-list no-nat

access-list no-nat permit ip Salts-LAN-01 255.255.255.0 192.168.4.0 255.255.255.0

I hope this helps.
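Both the first reply (the `nat (inside) 0 access-list` line plus its ACL, and the question of whether the pool is on a different subnet) and this last reply come down to the same check: does a `nat 0` exemption ACL cover inside-to-pool traffic so it is not rewritten by the dynamic PAT rule? The script below, an added example that is not from this thread or from Cisco, audits a PIX 6.3-style config for exactly that. The three sample configs inside it are constructed to imitate the shape of the posted config (a `name` label for the LAN, an `ip local pool`, a `nat (inside) 1` PAT rule); the function and label names are the example's own.

```python
"""Audit a PIX 6.3-style config for the NAT exemption a VPN client pool needs."""
import ipaddress
import re

# Constructed sample: LAN labelled with 'name', VPN pool on a separate subnet,
# dynamic PAT rule present, but no 'nat (inside) 0' exemption at all.
SAMPLE_MISSING = """\
name 192.168.1.0 Salts-LAN-01
ip address inside 192.168.1.100 255.255.255.0
ip local pool VPN-POOL-01 192.168.4.1-192.168.4.254
global (outside) 1 interface
nat (inside) 1 Salts-LAN-01 255.255.255.0 0 0
"""

# Constructed sample: the same config with the exemption the last reply describes.
SAMPLE_FIXED = SAMPLE_MISSING + """\
access-list no-nat permit ip Salts-LAN-01 255.255.255.0 192.168.4.0 255.255.255.0
nat (inside) 0 access-list no-nat
"""

# Constructed sample: pool carved out of the inside subnet (the first reply's question).
SAMPLE_OVERLAP = SAMPLE_MISSING.replace(
    "192.168.4.1-192.168.4.254", "192.168.1.200-192.168.1.250")


def parse_names(cfg):
    """Map 'name <ip> <label>' lines so labels used elsewhere resolve to addresses."""
    return {m.group(2): m.group(1)
            for m in re.finditer(r"^name\s+(\S+)\s+(\S+)", cfg, re.M)}


def _net(addr, mask, names):
    """Build a network from an address-or-label plus a dotted mask."""
    return ipaddress.IPv4Network((names.get(addr, addr), mask), strict=False)


def parse_pool(cfg):
    """Return (first, last) addresses of the first 'ip local pool' line, or None."""
    m = re.search(r"^ip local pool\s+\S+\s+(\S+)-(\S+)", cfg, re.M)
    if not m:
        return None
    return ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))


def parse_inside_net(cfg, names):
    """Network of the inside interface from 'ip address inside <ip> <mask>'."""
    m = re.search(r"^ip address inside\s+(\S+)\s+(\S+)", cfg, re.M)
    return _net(m.group(1), m.group(2), names) if m else None


def parse_nat0_acl(cfg, iface="inside"):
    """Name of the ACL bound by 'nat (<iface>) 0 access-list <name>', or None."""
    m = re.search(r"^nat \(%s\) 0 access-list\s+(\S+)" % re.escape(iface), cfg, re.M)
    return m.group(1) if m else None


def _operand(tokens, i, names):
    """Parse one ACL address operand (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return _net(tokens[i + 1], "255.255.255.255", names), i + 2
    return _net(tokens[i], tokens[i + 1], names), i + 2


def parse_acl(cfg, name, names):
    """Return [(src_net, dst_net)] for the 'permit ip' entries of the named ACL."""
    entries = []
    for line in cfg.splitlines():
        t = line.split()
        if t[:4] == ["access-list", name, "permit", "ip"]:
            src, i = _operand(t, 4, names)
            dst, _ = _operand(t, i, names)
            entries.append((src, dst))
    return entries


def audit_vpn_nat_exemption(cfg):
    """Return a list of findings; an empty list means the pool is correctly exempted."""
    names = parse_names(cfg)
    findings = []
    pool = parse_pool(cfg)
    if pool is None:
        return ["no 'ip local pool' line: nothing to audit"]
    first, last = pool
    inside = parse_inside_net(cfg, names)
    if inside is not None and (first in inside or last in inside):
        findings.append(f"pool {first}-{last} overlaps the inside subnet {inside}")
    acl = parse_nat0_acl(cfg)
    if acl is None:
        findings.append("no 'nat (inside) 0 access-list' line: inside-to-pool traffic "
                        "falls through to the dynamic PAT rule instead of staying unchanged")
        return findings
    entries = parse_acl(cfg, acl, names)
    if not any((inside is None or inside.subnet_of(src)) and first in dst and last in dst
               for src, dst in entries):
        findings.append(f"ACL {acl} has no 'permit ip' entry covering "
                        f"{inside} -> {first}-{last}")
    return findings


if __name__ == "__main__":
    for label, cfg in [("missing", SAMPLE_MISSING), ("fixed", SAMPLE_FIXED),
                       ("overlap", SAMPLE_OVERLAP)]:
        print(label, audit_vpn_nat_exemption(cfg) or ["OK"])
```

Run it on a scrubbed `show run` (paste it in place of a sample) and it reports whether the pool overlaps the inside subnet, whether a `nat (inside) 0` binding exists, and whether the bound ACL actually spans the whole pool; a `host` entry for a single pool address, for example, is reported as insufficient.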