Multiple Interface Pix w/o nat

caseman · ‎06-09-2004

I'm having an issue configuring a 515e and I'm hoping some can help me out.

The pix in question has 5(U/R lic) interfaces. Four are connected to different subnets and one points to the edge router. Communication between the four internal subnets is controlled by access-lists. As the networks are internal I don't want to use NAT (the edge router has a nat pool for internet access).

I guess my question is can I enable communications without using a nat command. So far I can not get from one subnet to the other (or to the outside using the default route for that matter). All the config docs I have found have the nat commands as part of the config routine.

mostiguy · ‎06-09-2004

what does your config look like? you will need nat 0 commands to disable nat

caseman · ‎06-10-2004

here is a quick copy ofthe config. I've dropped all the other interfaces and deleted the service groups, etc for easy trouble shooting. The only objects in use right now are the inside and outside interfaces, with only the implicit "allow all" rule being active.

>>>>>>>

PIX Version 6.3(3)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

names

access-list inside_outbound_nat0_acl permit ip any any

pager lines 24

icmp permit any outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside 192.168.1.2 255.255.255.0

ip address inside 172.16.192.224 255.255.255.0

nat (inside) 0 access-list inside_outbound_nat0_acl

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

>>>>>>>>

Machines on the internal interface can ping that interface, and the outside interface can ping the next hop (router ip 168.192.1.1), but inside machines can't get across the pix to the router. I've tried it with and without the nat exemptions.

caseman · ‎06-10-2004

Ok, nevermind, I figured it out. Thanks for the nat 0 help