How to connect two PIX's?

aquental · ‎10-13-2006

Machine A

192.168.1.11(real ip) 10.15.10.11 (nat ip)

|

(outside)192.168.1.25

PIX 1

(inside)10.15.10.25

|

Router------------------ Machine C 10.1.57.23 (real IP)

|

(inside)10.3.10.25

PIX 2

(outside)192.168.1.25

|

Machine B 192.168.1.11(real ip)10.3.10.11 (nat ip)

PIX 1

access-list acl_in permit ip host 10.1.57.23 10.15.10.0 255.255.255.0

access-list acl_in permit ip 10.3.10.0 255.255.255.0 10.15.10.0 255.255.255.0

access-list acl_out permit ip 192.168.1.0 255.255.255.0 10.3.10.0 255.255.255.0

ip address outside 192.168.1.25 255.255.255.0

ip address inside 10.15.10.25 255.255.0.0

global (outside) 1 interface

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

static (outside,inside) 10.15.10.11 192.168.1.11 netmask 255.255.255.255 0 0

access-group acl_out in interface outside

access-group acl_in in interface inside

PIX 2

access-list acl_in permit ip host 10.1.57.23 10.3.10.0 255.255.255.0

access-list acl_in permit ip 10.15.10.0 255.255.255.0 10.3.10.0 255.255.255.0

access-list acl_out permit ip 192.168.1.0 255.255.255.0 10.15.10.0 255.255.255.0

ip address outside 192.168.1.25 255.255.255.0

ip address inside 10.3.10.25 255.255.0.0

global (outside) 1 interface

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

static (outside,inside) 10.3.10.11 192.168.1.11 netmask 255.255.255.255 0 0

access-group acl_out in interface outside

access-group acl_in in interface inside

Above is a small "drawing" to try to illustrate my setup. Also above are what I think is the relevant PIX configs. The purpose of these 2 firewalls is to protect machines on the 192.168.1.x network from machines on the 10.x.x.x network and vice versa. Subnet masks for 192 machines is 255.255.255.0 and for the 10 network is 255.255.0.0.

Right now, I am able to connect to both machine A and machine B from machine C using the natted IP addresses. The problem I'm having, is that when I try to establish a connection from machine A to machine B I get a syslog error message from PIX 1 that reads "no translation group found for tcp src outside:192.168.1.11 dst inside:10.3.10.11"

I'm a little confused at this point. Do I need to add some sort of global command for the inside interfaces? and a nat for the outside? I will need both Machine A to be able to talk to machine B, and vice versa. Any help is greatly appreciated.

oabduo983 · ‎10-13-2006

Hi,

I think it will save you a lot of headache if you swop the security levels of each interface of both PIXs... i.e. swop the interface. Interface Outside faces the router of each side of the PIXs... then you can let machine A talk to machine B by typing static (inside,outside) which is the proper way of doing the static translation... also make sure your route statements are reaching the translated subnet (i.e. the outside subnet)...

I hope this helps!

aquental · ‎10-16-2006

Thanks. It does require me visiting the other sites. I will let you know if it works. Makes sense though.

cdusio · ‎10-13-2006

This config is a bit confusing.

If you are trying to get to 10.3.10.11 from the outside you need

static(inside,outside)10.3.10.11 192.168.1.1 netmask 255.255.255.255 0 0

Your static is backwards on pix 2..