NAT 0 with pix

zeremy
Level 1

I need to configure the pix to allow the nms servers (ciscoworks, etc) on net5 to monitor every single network device on the whole network.

No port filtering restriction between net5 and the rest of the networks.

It's been a while since I worked on pix firewalls, so I'm not really sure whether my configuration will work.

Rough scenario looks like this...

6 interfaces on the pix without NAT:

ethernet0(net1): 192.168.1.0/24 (level 0)
ethernet1(net2): 192.168.2.0/24 (level 20)
ethernet2(net3): 192.168.3.0/24 (level 40)
ethernet3(net4): 192.168.4.0/24 (level 60)
ethernet4(net5): 192.168.5.0/24 (level 80)
ethernet5(net6): 192.168.6.0/24 (level 100)

NMS servers residing on net5 need to monitor all network equipment on all networks. All ports open.

To monitor devices on net6, which has a higher security level, I would configure something like this:

access-list nms_access_in permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
access-group nms_access_in in interface net5
static(net6,net5) 192.168.6.0 192.168.6.0 netmask 255.255.255.0 0 0

To monitor devices on networks which have a lower security level:

access-list allow_all permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list allow_all permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list allow_all permit ip 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list allow_all permit ip 192.168.5.0 255.255.255.0 192.168.4.0 255.255.255.0
nat (net5) 0 access-list allow_all

Will this work? net5 should be able to reach the whole network (all open).

Many thanks for any help.

2 Replies

pgolding
Level 1

the static to permit nms to net6 should be static (net6, net5) netmask x.x.x.x.

pgolding
Level 1

Sorry, ignore my last comment. Your static is correct, but the access list applied on net5 must permit all traffic you wish to pass the interface. So you most likely want something like access-list nms_access_in permit ip 192.168.5.0 255.255.255.0 any. Sorry about the confusion.
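To make the point of the reply concrete, here is an added worked example (not from the thread or from Cisco): a small Python model of the PIX 6.x rules the question relies on. It parses the subset of syntax used in the posted config (access-list ... permit ip, access-group, static, nat 0 access-list) and applies three rules: an ACL applied inbound on an interface filters all traffic entering there with an implicit deny at the end; traffic from a higher to a lower security interface needs a translation for the source (nat 0 keeps the addresses untouched); traffic from a lower to a higher security interface needs a static for the destination and an ACL permit. Interface names, levels and subnets are the ones in the question; the NMS host address 192.168.5.10 is constructed, and the model deliberately ignores nat-control, ICMP inspection and the rest of the platform.

```python
"""Model which networks an NMS host on net5 can reach, given the posted PIX config.

Added example for this thread, not Cisco code. It covers only the PIX 6.x
syntax that appears in the question and the simplified security-level rules
described in the lead-in.
"""
import re
from ipaddress import ip_address, ip_network

# Interface levels and subnets as given in the question.
LEVELS = {"net1": 0, "net2": 20, "net3": 40, "net4": 60, "net5": 80, "net6": 100}
SUBNETS = {n: ip_network(f"192.168.{i}.0/24") for i, n in enumerate(LEVELS, start=1)}
ANY = ip_network("0.0.0.0/0")

# The question's configuration, verbatim.
POSTED = """
access-list nms_access_in permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
access-group nms_access_in in interface net5
static(net6,net5) 192.168.6.0 192.168.6.0 netmask 255.255.255.0 0 0
access-list allow_all permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list allow_all permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list allow_all permit ip 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list allow_all permit ip 192.168.5.0 255.255.255.0 192.168.4.0 255.255.255.0
nat (net5) 0 access-list allow_all
"""
# The same config with the reply's suggested ACL entry (permit ip net5 -> any).
FIXED = POSTED.replace(
    "access-list nms_access_in permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0",
    "access-list nms_access_in permit ip 192.168.5.0 255.255.255.0 any",
)


def _net(tokens):
    """Consume 'any' or 'ADDR MASK' from the token list; return (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    return ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_config(text):
    """Return (acls, access_groups, statics, nat0) from the supported command subset."""
    acls, groups, statics, nat0 = {}, {}, [], {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, rest = _net(t[4:])
            dst, _ = _net(rest)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "access-group":  # access-group NAME in interface IFACE
            groups[t[4]] = t[1]
        elif line.startswith("static"):  # static(HI,LO) GLOBAL LOCAL netmask MASK ...
            m = re.match(r"static\s*\((\w+),\s*(\w+)\)\s+\S+\s+(\S+)\s+netmask\s+(\S+)", line)
            hi, lo, local, mask = m.groups()
            statics.append((hi, lo, ip_network(f"{local}/{mask}")))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":  # nat (IFACE) 0 access-list NAME
            nat0[t[1].strip("()")] = t[4]
    return acls, groups, statics, nat0


def acl_permits(acl, src, dst):
    """First-match semantics; anything not matched hits the implicit deny."""
    return any(src in a_src and dst in a_dst for a_src, a_dst in acl)


def passes(cfg, in_if, src, dst):
    """Decide whether a packet entering on in_if from src to dst is forwarded."""
    acls, groups, statics, nat0 = cfg
    out_if = next(n for n, s in SUBNETS.items() if dst in s)
    # Rule 1: an inbound ACL on the ingress interface filters everything entering there.
    if in_if in groups:
        if not acl_permits(acls.get(groups[in_if], []), src, dst):
            return False, f"denied by inbound ACL on {in_if}"
    elif LEVELS[in_if] < LEVELS[out_if]:
        return False, "lower -> higher security with no ACL permit"
    # Rule 2: higher -> lower needs a translation for the source (nat 0 here).
    if LEVELS[in_if] > LEVELS[out_if]:
        name = nat0.get(in_if)
        if name is None or not acl_permits(acls.get(name, []), src, dst):
            return False, f"no nat 0 covering the source on {in_if}"
    # Rule 3: lower -> higher needs a static for the destination from the higher interface.
    elif not any(hi == out_if and lo == in_if and dst in net for hi, lo, net in statics):
        return False, f"no static for {dst} from {out_if} to {in_if}"
    return True, "ok"


def reachable_from_net5(config_text):
    """Map each other network to whether the (constructed) NMS host 192.168.5.10 can reach it."""
    cfg = parse_config(config_text)
    nms = ip_address("192.168.5.10")
    return {n: passes(cfg, "net5", nms, SUBNETS[n][1])[0] for n in SUBNETS if n != "net5"}


if __name__ == "__main__":
    print("posted:", reachable_from_net5(POSTED))  # only net6 reachable
    print("fixed: ", reachable_from_net5(FIXED))   # all reachable
```

With the posted config the model passes net5 to net6 (static plus ACL permit) but drops net5 to net1 through net4, because the access-group on net5 filters every packet entering that interface and nms_access_in only permits the net6 destination; nat 0 alone does not get traffic past the ACL. With the reply's permit ip 192.168.5.0 255.255.255.0 any entry, all five networks pass.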
