09-14-2005 12:38 PM - edited 02-21-2020 12:23 AM
I have a PIX with interface inside, IP 10.198.16.1. It also has an interface called WTS, IP 10.12.60.1. I am having difficulty allowing traffic from the 10.198.16.0 network to traverse the PIX into 10.12.60.0. I am specifically trying to enable access to a server with an IP of 10.12.60.2.
I'm attaching my config. Any help would be greatly appreciated!
09-14-2005 04:41 PM
OK, so the inside interface has a security-level of 100, and WTS has a security-level of 75, so traffic from inside to WTS is considered outbound traffic, which is allowed by default. All you need is a nat/global pair (or a static) between the two interfaces so that the PIX knows how to NAT the traffic between the two interfaces (remember, the PIX likes to do NAT).
You have this in your config:
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
which says any traffic on the inside interface with an IP address of 10.x.x.x will be NAT'd, but you then need a global for the WTS interface to define what those IP addresses will be NAT'd to.
Adding:
global (WTS) 1 interface
will PAT all the inside addresses to the IP address of the WTS interface and allow traffic to flow between the interfaces. If you would prefer the hosts on the inside interface to appear as their own IP address when on the WTS network then you can use a static command and NAT the addresses to themselves, effectively doing NAT but not actually changing the addresses:
static (inside,WTS) 10.198.16.1 10.198.16.1 netmask 255.255.240.0
Hope that helps.
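To make the nat/global/static reasoning above concrete, here is a small checker I wrote for this thread (it is not Cisco code and not part of the original post). It parses the subset of PIX 6.x syntax quoted here (nameif, ip address, nat, global, static), decides whether a flow is "outbound" by comparing security levels, and reports which translation the PIX would pick: static first, then a nat/global pair whose ids match on the egress interface. The interface names, security levels and addresses come from the thread; the WTS interface mask and the test host 10.198.16.50 are constructed, and the parser ignores access-list based policy NAT.

```python
"""Toy PIX 6.x NAT checker (added example, not Cisco's or the poster's code)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed config modelled on the thread. Security levels, interface
# names, the inside mask (from the static's netmask) and the nat line are
# as quoted above; the WTS mask is an assumption.
CONFIG_BASE = """
nameif ethernet1 inside security100
nameif ethernet2 WTS security75
ip address inside 10.198.16.1 255.255.240.0
ip address WTS 10.12.60.1 255.255.255.0
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
"""
GLOBAL_LINE = "global (WTS) 1 interface\n"
STATIC_LINE = "static (inside,WTS) 10.198.16.1 10.198.16.1 netmask 255.255.240.0\n"


@dataclass
class PixNat:
    security: dict = field(default_factory=dict)   # interface -> security level
    addresses: dict = field(default_factory=dict)  # interface -> its own IP
    nats: list = field(default_factory=list)       # (iface, nat id, real network)
    globals_: list = field(default_factory=list)   # (iface, nat id, pool spec)
    statics: list = field(default_factory=list)    # (real_if, mapped_if, mapped net, real net)

    @classmethod
    def parse(cls, text):
        cfg = cls()
        for line in text.splitlines():
            line = line.strip()
            if m := re.match(r"nameif\s+\S+\s+(\S+)\s+security(\d+)$", line):
                cfg.security[m[1]] = int(m[2])
            elif m := re.match(r"ip address\s+(\S+)\s+(\S+)\s+(\S+)$", line):
                cfg.addresses[m[1]] = ipaddress.ip_address(m[2])
            elif m := re.match(r"nat\s+\((\S+)\)\s+(\d+)\s+(\S+)\s+(\S+)", line):
                net = ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)
                cfg.nats.append((m[1], int(m[2]), net))
            elif m := re.match(r"global\s+\((\S+)\)\s+(\d+)\s+(\S+)", line):
                cfg.globals_.append((m[1], int(m[2]), m[3]))
            elif m := re.match(r"static\s+\((\S+),(\S+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)", line):
                mapped = ipaddress.ip_network(f"{m[3]}/{m[5]}", strict=False)
                real = ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False)
                cfg.statics.append((m[1], m[2], mapped, real))
        return cfg

    def outbound(self, src_if, dst_if):
        # Higher -> lower security level is "outbound" and permitted by default.
        return self.security[src_if] > self.security[dst_if]

    def translate(self, src_if, dst_if, src_ip):
        """Return a description of the translation applied, or None if the
        PIX has no translation for this flow (traffic is dropped)."""
        ip = ipaddress.ip_address(src_ip)
        # static entries take precedence over dynamic nat/global pairs.
        for real_if, mapped_if, mapped, real in self.statics:
            if real_if == src_if and mapped_if == dst_if and ip in real:
                offset = int(ip) - int(real.network_address)
                mapped_ip = mapped.network_address + offset
                kind = "identity static" if mapped_ip == ip else "static"
                return f"{kind} -> {mapped_ip}"
        for nat_if, nat_id, net in self.nats:
            if nat_if != src_if or ip not in net:
                continue
            if nat_id == 0:
                return "nat 0 -> no translation"
            for glob_if, glob_id, pool in self.globals_:
                if glob_if == dst_if and glob_id == nat_id:
                    # "interface" means PAT to the egress interface's own address.
                    target = self.addresses[dst_if] if pool == "interface" else pool
                    return f"PAT (nat/global {nat_id}) -> {target}"
            return None  # nat matched, but no global on the egress interface
        return None


def describe(config_text, src_if, dst_if, src_ip):
    """Convenience wrapper: (outbound?, translation or None)."""
    cfg = PixNat.parse(config_text)
    return cfg.outbound(src_if, dst_if), cfg.translate(src_if, dst_if, src_ip)


if __name__ == "__main__":
    host = "10.198.16.50"  # constructed inside host
    print("before global:", describe(CONFIG_BASE, "inside", "WTS", host))
    print("with global:  ", describe(CONFIG_BASE + GLOBAL_LINE, "inside", "WTS", host))
    print("with static:  ", describe(CONFIG_BASE + STATIC_LINE, "inside", "WTS", host))
    print("reverse flow: ", describe(CONFIG_BASE + GLOBAL_LINE, "WTS", "inside", "10.12.60.2"))
```

Running it shows the three states the answer describes: with only the nat line the flow is outbound but has no translation (so it is dropped), adding the global turns it into PAT to 10.12.60.1, and the static maps the /20 to itself so hosts keep their own addresses on WTS. The reverse flow from WTS to inside is not outbound, which is why it needs more than a translation to be permitted.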
09-15-2005 06:06 AM
Thanks for the info. I implemented the global (WTS) 1 interface command and was able to ping successfully to a server on the WTS network. However, I wasn't able to traceroute. It would stop at the PIX. Is this to be expected?