08-28-2002 09:31 PM - edited 02-20-2020 10:13 PM
I need to configure the PIX to allow NMS servers (CiscoWorks, etc.) on net5 to monitor every single network device on the whole network.
No port filtering restriction between net5 and the rest of the networks.
It's been a while since I worked on PIX firewalls, so I'm not really sure whether my configuration will work.
Rough scenario looks like this...
6 interfaces on the pix without NAT
ethernet0(net1): 192.168.1.0/24 (level 0)
ethernet1(net2): 192.168.2.0/24 (level 20)
ethernet2(net3): 192.168.3.0/24 (level 40)
ethernet3(net4): 192.168.4.0/24 (level 60)
ethernet4(net5): 192.168.5.0/24 (level 80)
ethernet5(net6): 192.168.6.0/24 (level 100)
NMS servers residing at net5 need to monitor all network equipment on all networks. All ports open.
To monitor devices on net6, which has a higher security level,
I would configure something like this:
access-list nms_access_in permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
access-group nms_access_in in interface net5
static(net6,net5) 192.168.6.0 192.168.6.0 netmask 255.255.255.0 0 0
To monitor devices on networks which have a lower security level:
access-list allow_all permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list allow_all permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list allow_all permit ip 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list allow_all permit ip 192.168.5.0 255.255.255.0 192.168.4.0 255.255.255.0
nat (net5) 0 access-list allow_all
Will this work? net5 should be able to reach the whole network (all open)
Many thanks for any help....
09-02-2002 10:17 PM
The static to permit NMS to net6 should be static (net6, net5).
09-03-2002 03:02 PM
Sorry, ignore my last comment. Your static is correct, but the access list applied on net5 must permit all traffic you wish to pass the interface. So you most likely want something like access-list nms_access_in permit ip 192.168.5.0 255.255.255.0 any. Sorry about the confusion.
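The point of the last reply, as an added example that is not part of the thread: once an ACL is bound to net5 with access-group, packets entering that interface are matched top-down and anything unmatched falls to the implicit deny, so the one-line nms_access_in from the question would also drop NMS traffic heading to net1 through net4. This Python sketch models only that ACL check (not nat 0 or static); the host addresses and function names are constructed for illustration.

```python
import ipaddress

# ACL from the question and the ACL suggested in the reply.
ORIGINAL = "access-list nms_access_in permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0"
SUGGESTED = "access-list nms_access_in permit ip 192.168.5.0 255.255.255.0 any"

# Constructed sample hosts: one NMS server on net5, one device per other network.
NMS = "192.168.5.10"
DEVICES = ["192.168.%d.10" % n for n in (1, 2, 3, 4, 6)]

def parse_acl(config):
    """Parse 'access-list NAME permit|deny ip SRC MASK|any DST MASK|any' lines."""
    acls = {}
    for line in config.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue  # this sketch only understands plain 'ip' entries
        name, action, rest, nets = tok[1], tok[2], tok[4:], []
        while rest:
            if rest[0] == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
                rest = rest[1:]
            else:  # address followed by dotted netmask
                nets.append(ipaddress.ip_network(rest[0] + "/" + rest[1]))
                rest = rest[2:]
        acls.setdefault(name, []).append((action, nets[0], nets[1]))
    return acls

def evaluate(acls, name, src, dst):
    """First matching entry wins; no match means the implicit deny applies."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acls.get(name, []):
        if src in src_net and dst in dst_net:
            return action
    return "deny"

def reachability(config, name="nms_access_in"):
    """Map each sample device to the ACL verdict for traffic from the NMS host."""
    acls = parse_acl(config)
    return {dst: evaluate(acls, name, NMS, dst) for dst in DEVICES}

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(label, reachability(cfg))
```
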