https://community.cisco.com/t5/network-security/nat-route-question/m-p/782934#M1004129 <HTML><HEAD></HEAD><BODY><P>If there is not router (and no internet gateway) and if the default route of the host PCs is the firewall, the firewall will route traffic between it's connected subnet with no need to add any config.</P></BODY></HTML> Thu, 24 May 2007 14:48:25 GMT dominic.caron 2007-05-24T14:48:25Z https://community.cisco.com/t5/network-security/nat-route-question/m-p/782929#M1004124 <P>Can anyone help me out on this:</P><P>I'm used to setting up PIX's for internet usage either with Static NAT's, Dynamic NAT's or both with a router between the networks.</P><P>What I want to do is segment 2 private networks with a 515E, but I can't seem to get my head around not NAT'ing it and just routing between the 2 then controlling with a ACL.</P><P></P><P>example: 192.168.1.0/24 &lt;-----&gt; PIX &lt;-----&gt; 172.16.1.0/24</P><P></P><P>ip address outside 172.16.1.254 255.255.255.0</P><P>ip address inside 192.168.1.254 255.255.255.0</P><P></P><P>route outside 192.168.1.0 255.255.255.0 172.16.1.254 1</P><P>route inside 172.16.1.0 255.255.255.0 192.168.1.254 1</P><P></P><P>access-list local_A_in permit tcp host 172.16.1.1 host 192.168.1.1 eq www</P><P>access-group local_A_in in interface outside</P><P></P><P>access-list local_B_in permit tcp host 192.168.1.2 host 172.16.1.2 eq https</P><P>access-group local_B_in in interface inside</P><P></P><P>Where am I going wrong?</P><P></P><P>Thanks</P><P>--Mark</P> Mon, 11 Mar 2019 10:19:47 GMT https://community.cisco.com/t5/network-security/nat-route-question/m-p/782929#M1004124 mark.johnson 2019-03-11T10:19:47Z https://community.cisco.com/t5/network-security/nat-route-question/m-p/782930#M1004125 <HTML><HEAD></HEAD><BODY><P>If your goal is not to do any NAT between those network, simply do a nat 0</P><P></P><P></P><P>access-list no-nat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0</P><P>access-list no-nat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0 </P><P>nat (inside) 0 no-nat</P><P>nat (outside) 0 no-nat</P></BODY></HTML> Thu, 24 May 2007 11:19:25 GMT https://community.cisco.com/t5/network-security/nat-route-question/m-p/782930#M1004125 dominic.caron 2007-05-24T11:19:25Z https://community.cisco.com/t5/network-security/nat-route-question/m-p/782931#M1004126 <HTML><HEAD></HEAD><BODY><P>thanks for your help Dominic.</P><P></P><P>would I still leave in the static routes or could I use the ones the PIX finds?</P><P></P><P>additionally, if I where to add an additional interface to the PIX, would look like this:</P><P></P><P>ip address outside 172.16.1.254 255.255.255.0 </P><P>ip address inside 192.168.1.254 255.255.255.0</P><P>ip address dmz 10.10.10.254 255.255.255.0</P><P></P><P>access-list no-nat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 </P><P>access-list no-nat permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0 </P><P>access-list no-nat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0 </P><P>access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0 </P><P>access-list no-nat permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0 </P><P>access-list no-nat permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 </P><P></P><P>nat (inside) 0 no-nat </P><P>nat (outside) 0 no-nat</P><P>nat (dmz) 0 no-nat</P><P></P><P>thanks</P><P>--Mark</P></BODY></HTML> Thu, 24 May 2007 11:40:15 GMT https://community.cisco.com/t5/network-security/nat-route-question/m-p/782931#M1004126 mark.johnson 2007-05-24T11:40:15Z https://community.cisco.com/t5/network-security/nat-route-question/m-p/782932#M1004127 <HTML><HEAD></HEAD><BODY><P>Your routing configuration is wrong, remove those static routes.</P><P></P><P>How is your network built, do you have a router in each subnet? </P></BODY></HTML> Thu, 24 May 2007 12:13:53 GMT https://community.cisco.com/t5/network-security/nat-route-question/m-p/782932#M1004127 dominic.caron 2007-05-24T12:13:53Z https://community.cisco.com/t5/network-security/nat-route-question/m-p/782933#M1004128 <HTML><HEAD></HEAD><BODY><P>understood on the routes.</P><P></P><P>no router in each subnet. I want to segment the 2 networks with the firewall, but I don't want to put a router in - if that makes sense?</P></BODY></HTML> Thu, 24 May 2007 12:37:44 GMT https://community.cisco.com/t5/network-security/nat-route-question/m-p/782933#M1004128 mark.johnson 2007-05-24T12:37:44Z https://community.cisco.com/t5/network-security/nat-route-question/m-p/782934#M1004129 <HTML><HEAD></HEAD><BODY><P>If there is not router (and no internet gateway) and if the default route of the host PCs is the firewall, the firewall will route traffic between it's connected subnet with no need to add any config.</P></BODY></HTML> Thu, 24 May 2007 14:48:25 GMT https://community.cisco.com/t5/network-security/nat-route-question/m-p/782934#M1004129 dominic.caron 2007-05-24T14:48:25Z https://community.cisco.com/t5/network-security/nat-route-question/m-p/782935#M1004130 <HTML><HEAD></HEAD><BODY><P>Thanks for all the help Dominic</P><P></P><P>cheers</P><P>--Mark</P></BODY></HTML> Thu, 24 May 2007 15:37:57 GMT https://community.cisco.com/t5/network-security/nat-route-question/m-p/782935#M1004130 mark.johnson 2007-05-24T15:37:57Z