topic Re: trying to get 2 inside interfaces to talk to one another in Network Security https://community.cisco.com/t5/network-security/trying-to-get-2-inside-interfaces-to-talk-to-one-another/m-p/1022573#M937262 <HTML><HEAD></HEAD><BODY><P>Thanks, That worked like a CHAMP...</P></BODY></HTML> Tue, 27 May 2008 17:38:18 GMT davistw 2008-05-27T17:38:18Z trying to get 2 inside interfaces to talk to one another https://community.cisco.com/t5/network-security/trying-to-get-2-inside-interfaces-to-talk-to-one-another/m-p/1022567#M937255 <P>I am trying to get two inside interfaces on a pix 515E running 6.3 to talk to one another. I have attached a picture of what I am tring to do. One interace has a security level of 100 the other has a security level of 98.. I cant for the life of me get the 98 level interface to talk to the 100 level interface...</P><P></P><P> </P><P></P> Mon, 11 Mar 2019 12:49:29 GMT https://community.cisco.com/t5/network-security/trying-to-get-2-inside-interfaces-to-talk-to-one-another/m-p/1022567#M937255 davistw 2019-03-11T12:49:29Z Re: trying to get 2 inside interfaces to talk to one another https://community.cisco.com/t5/network-security/trying-to-get-2-inside-interfaces-to-talk-to-one-another/m-p/1022568#M937256 <HTML><HEAD></HEAD><BODY><P>Hi Tom</P><P></P><P>access-list vlan3_access_in permit 192.168.6.0 255.255.252.0 192.168.5.0 255.255.255.0</P><P>access-group vlan3_access_in in interface vlan3</P><P>static (nativevlan,vlan3) 192.168.5.0 192.168.5.0 netmask 255.255.255.0</P><P></P><P>Please post your config for me to determine correct interface names, if above doesnt work.</P><P>Regards</P></BODY></HTML> Sat, 24 May 2008 23:39:16 GMT https://community.cisco.com/t5/network-security/trying-to-get-2-inside-interfaces-to-talk-to-one-another/m-p/1022568#M937256 Alan Huseyin Kayahan 2008-05-24T23:39:16Z Re: trying to get 2 inside interfaces to talk to one another https://community.cisco.com/t5/network-security/trying-to-get-2-inside-interfaces-to-talk-to-one-another/m-p/1022569#M937258 <HTML><HEAD></HEAD><BODY><P>Thanks so much....</P><P>I will give it a try tuesday whan I get into work. Couple of questions though.</P><P>What is the purpose of the weird static command? It doesnt look normal.</P><P>Wont I have to do a nat0 from nativevlan to vlan3?</P></BODY></HTML> Sun, 25 May 2008 11:43:06 GMT https://community.cisco.com/t5/network-security/trying-to-get-2-inside-interfaces-to-talk-to-one-another/m-p/1022569#M937258 davistw 2008-05-25T11:43:06Z Re: trying to get 2 inside interfaces to talk to one another https://community.cisco.com/t5/network-security/trying-to-get-2-inside-interfaces-to-talk-to-one-another/m-p/1022570#M937259 <HTML><HEAD></HEAD><BODY><P>"Wont I have to do a nat0 from nativevlan to vlan3?"</P><P> Thats correct, and that weird static command does that exactly :).</P></BODY></HTML> Sun, 25 May 2008 14:17:16 GMT https://community.cisco.com/t5/network-security/trying-to-get-2-inside-interfaces-to-talk-to-one-another/m-p/1022570#M937259 Alan Huseyin Kayahan 2008-05-25T14:17:16Z Re: trying to get 2 inside interfaces to talk to one another https://community.cisco.com/t5/network-security/trying-to-get-2-inside-interfaces-to-talk-to-one-another/m-p/1022571#M937260 <HTML><HEAD></HEAD><BODY><P>Thanks bunches...It almost works...</P><P>When I do this I can talk between nativevlan and vlan3 fine. However, my outide nat from vlan3 to outside stops working...</P><P></P><P>Here is the scrubbed pix config..</P><P>PIX Version 6.3(5)</P><P>interface ethernet0 auto</P><P>interface ethernet1 auto</P><P>interface ethernet1 vlan3 logical</P><P>nameif ethernet0 outside security0</P><P>nameif ethernet1 inside security100</P><P>nameif vlan3 inside_pc_vlan3 security99</P><P>/SNIP pasword,hostname,domain-name,fixup stuff/</P><P>names</P><P>access-list 101 permit ip any any </P><P>access-list inside_pc_vlan3_access_in permit ip 192.168.6.0 255.255.254.0 192.168.5.0 255.255.255.0 </P><P>/SNIP pager,logging,icmp,mtu stuff/</P><P>ip address outside XXX,YYY.ZZZ.2 255.255.255.0</P><P>ip address inside 192.168.5.254 255.255.255.0</P><P>ip address inside_pc_vlan3 192.168.7.254 255.255.254.0</P><P>/SNIP audit,pdm,arp stuff/</P><P>global (outside) 1 XXX,YYY.ZZZ.20-XXX,YYY.ZZZ.245</P><P>global (outside) 1 interface</P><P>nat (inside) 1 0.0.0.0 0.0.0.0 0 0</P><P>nat (inside_pc_vlan3) 1 0.0.0.0 0.0.0.0 0 0</P><P>static (inside,outside) XXX,YYY.ZZZ.250 192.168.5.240 netmask 255.255.255.255 0 0 </P><P>static (inside,outside) XXX,YYY.ZZZ.251 192.168.5.241 netmask 255.255.255.255 0 0 </P><P>static (inside,outside) XXX,YYY.ZZZ.252 192.168.5.242 netmask 255.255.255.255 0 0 </P><P>static (inside,outside) XXX,YYY.ZZZ.249 192.168.5.243 netmask 255.255.255.255 0 0 </P><P>static (inside,outside) XXX,YYY.ZZZ.248 192.168.5.244 netmask 255.255.255.255 0 0 </P><P>static (inside,outside) XXX,YYY.ZZZ.247 192.168.5.245 netmask 255.255.255.255 0 0 </P><P>static (inside,outside) XXX,YYY.ZZZ.246 192.168.5.246 netmask 255.255.255.255 0 0 </P><P>static (inside,outside) XXX,YYY.ZZZ.19 192.168.5.13 netmask 255.255.255.255 0 0 </P><P>static (inside,outside) XXX,YYY.ZZZ.18 192.168.5.247 netmask 255.255.255.255 0 0 </P><P>static (inside,inside_pc_vlan3) 192.168.5.0 192.168.5.0 netmask 255.255.255.0 0 0 </P><P>access-group 101 in interface outside</P><P>access-group inside_pc_vlan3_access_in in interface inside_pc_vlan3</P><P>route outside 0.0.0.0 0.0.0.0 XXX,YYY.ZZZ.1 1</P><P>/SNIP timeout,aaa,ntp,http,snmp,floodguard,telnet,ssh,console,dhcp,terminal,banner,crypto stuff/</P><P>: end</P><P></P><P>Any thoughts?</P></BODY></HTML> Tue, 27 May 2008 14:18:19 GMT https://community.cisco.com/t5/network-security/trying-to-get-2-inside-interfaces-to-talk-to-one-another/m-p/1022571#M937260 davistw 2008-05-27T14:18:19Z Re: trying to get 2 inside interfaces to talk to one another https://community.cisco.com/t5/network-security/trying-to-get-2-inside-interfaces-to-talk-to-one-another/m-p/1022572#M937261 <HTML><HEAD></HEAD><BODY><P>Thats correct. You should permit traffic specifically.</P><P></P><P>for example you want your vlan3 clients to reach internet (www), then add</P><P></P><P>access-list inside_pc_vlan3_access_in permit tcp 192.168.6.0 255.255.254.0 any eq www</P><P>access-list inside_pc_vlan3_access_in permit tcp 192.168.6.0 255.255.254.0 any eq dns</P><P></P><P>For best practise, I strongly recommend you to apply ACLs traffic specific instead any any, so remove access-list 101 permit any any.</P><P></P><P>Regards</P><P></P><P></P></BODY></HTML> Tue, 27 May 2008 14:43:13 GMT https://community.cisco.com/t5/network-security/trying-to-get-2-inside-interfaces-to-talk-to-one-another/m-p/1022572#M937261 Alan Huseyin Kayahan 2008-05-27T14:43:13Z Re: trying to get 2 inside interfaces to talk to one another https://community.cisco.com/t5/network-security/trying-to-get-2-inside-interfaces-to-talk-to-one-another/m-p/1022573#M937262 <HTML><HEAD></HEAD><BODY><P>Thanks, That worked like a CHAMP...</P></BODY></HTML> Tue, 27 May 2008 17:38:18 GMT https://community.cisco.com/t5/network-security/trying-to-get-2-inside-interfaces-to-talk-to-one-another/m-p/1022573#M937262 davistw 2008-05-27T17:38:18Z Re: trying to get 2 inside interfaces to talk to one another https://community.cisco.com/t5/network-security/trying-to-get-2-inside-interfaces-to-talk-to-one-another/m-p/1022574#M937263 <HTML><HEAD></HEAD><BODY><P>You are welcome Tom <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Tue, 27 May 2008 17:41:54 GMT https://community.cisco.com/t5/network-security/trying-to-get-2-inside-interfaces-to-talk-to-one-another/m-p/1022574#M937263 Alan Huseyin Kayahan 2008-05-27T17:41:54Z