08-31-2004 05:47 AM - edited 02-20-2020 11:36 PM
Wondering if you could shed some light on this.
Pix A
interface inside 172.16.25.1 255.255.255.128 sec 100
interface e2 10.1.1.1 255.255.255.224 sec 15
host A 172.16.25.115 (in interface inside)
Pix B
interface e2 10.1.1.2 255.255.x.x sec 10
host B 172.16.25.250
Both Pix are connected via e2
I need to get my host A to host B via another dept's PIX. The communication is only set for one way.
what i have done
access-list acl_out permit tcp host 172.16.25.115 host 172.16.25.250 eq 3182
nat (inside) 0 access-list acl_out
Is there more I need to do? Also, given the fact that I will not configure PIX B, is there something more that I need to allow over at PIX B?
(kindly refer to the diagram)
08-31-2004 08:16 AM
Your side is fine, although you can modify your nat 0 ACL statement to this:
access-list acl_out permit ip host 172.16.25.115 host 172.16.25.250
(the Nat 0 ACL does not take into account port information for the translation).
An xlate and permission need to be granted on PIX B (assuming e2 is a lower security interface than the inside interface). Something like this would work:
static (inside,e2) 172.16.25.250 172.16.25.250
access-list in_e2 permit tcp host 172.16.25.115 host 172.16.25.250 eq 3182
Hope this helps.
Scott
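A fuller configuration for both firewalls, added here as an illustration; it is not part of Scott's reply or of the original poster's configuration. It uses PIX 6.x syntax and pulls the pieces of the thread together: the nat 0 exemption on PIX A, and the identity static plus the inbound ACL on PIX B. Two things are added beyond what the thread shows: the access-group command that binds the ACL to e2 (an access-list that is never applied with access-group is not evaluated), and route statements so each PIX knows that the other host's /25 sits behind the other PIX. The inside interface name and security level on PIX B, the routes, and the exact mask on PIX B's e2 (given only as 255.255.x.x above) are assumptions, not facts from the thread. Comment lines begin with a colon, which the PIX accepts in a pasted configuration.

```cisco
: ---------- PIX A (your side) ----------
: inside is security100, e2 is security15 (from the original post)
nameif ethernet2 e2 security15
ip address inside 172.16.25.1 255.255.255.128
ip address e2 10.1.1.1 255.255.255.224
: NAT exemption: host A keeps its real address when it leaves via e2.
: nat 0 matches on addresses only, so the ACL is written with "ip",
: not with a port.
access-list acl_out permit ip host 172.16.25.115 host 172.16.25.250
nat (inside) 0 access-list acl_out
: Assumed route: host B's subnet (172.16.25.128/25) is reached via PIX B.
route e2 172.16.25.128 255.255.255.128 10.1.1.2 1

: ---------- PIX B (other dept) ----------
: e2 is security10 (from the original post); the inside interface name
: and its higher security level are assumed, as in Scott's reply.
nameif ethernet2 e2 security10
: Identity static: host B is reachable from e2 under its real address.
static (inside,e2) 172.16.25.250 172.16.25.250 netmask 255.255.255.255 0 0
: Permit only host A to host B on tcp/3182, inbound on the low-security side.
: Return packets of that TCP session are allowed by the connection table,
: so the communication stays one way (host B cannot initiate to host A).
access-list in_e2 permit tcp host 172.16.25.115 host 172.16.25.250 eq 3182
: Bind the ACL to e2; without this line the list is never evaluated.
access-group in_e2 in interface e2
: Assumed route back to host A's subnet (172.16.25.0/25) via PIX A.
route e2 172.16.25.0 255.255.255.128 10.1.1.1 1
clear xlate
```

After pasting, check on PIX B with show xlate (the identity translation for 172.16.25.250 should appear) and, once host A has connected, show conn, which lists the single tcp/3182 connection. On PIX A, show access-list acl_out shows the hit count on the nat 0 exemption climbing as host A sends traffic.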
09-05-2004 04:45 PM
Hi Scott,
Thanks once again for the info. Just need further clarification on this. I read that port information is not taken into account. Does this mean that all ports belonging to 172.16.25.115 are ignored, or that all ports belonging to 172.16.25.115 will be allowed to pass through?
Correct me if necessary: in the event that I need to connect 172.16.25.115 to 172.16.25.250 using port 3182, it won't go through? (i.e. I'll have to go back to static/ACL)
Thanks once again.