05-24-2007 03:10 AM - edited 03-11-2019 03:19 AM
Can anyone help me out on this:
I'm used to setting up PIXes for internet usage either with static NATs, dynamic NATs, or both, with a router between the networks.
What I want to do is segment 2 private networks with a 515E, but I can't seem to get my head around not NAT'ing it and just routing between the 2 then controlling with a ACL.
example: 192.168.1.0/24 <-----> PIX <-----> 172.16.1.0/24
ip address outside 172.16.1.254 255.255.255.0
ip address inside 192.168.1.254 255.255.255.0
route outside 192.168.1.0 255.255.255.0 172.16.1.254 1
route inside 172.16.1.0 255.255.255.0 192.168.1.254 1
access-list local_A_in permit tcp host 172.16.1.1 host 192.168.1.1 eq www
access-group local_A_in in interface outside
access-list local_B_in permit tcp host 192.168.1.2 host 172.16.1.2 eq https
access-group local_B_in in interface inside
Where am I going wrong?
Thanks
--Mark
05-24-2007 04:19 AM
If your goal is not to do any NAT between those networks, simply do a nat 0:
access-list no-nat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 no-nat
nat (outside) 0 no-nat
05-24-2007 04:40 AM
thanks for your help Dominic.
would I still leave in the static routes or could I use the ones the PIX finds?
Additionally, if I were to add an additional interface to the PIX, would it look like this:
ip address outside 172.16.1.254 255.255.255.0
ip address inside 192.168.1.254 255.255.255.0
ip address dmz 10.10.10.254 255.255.255.0
access-list no-nat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list no-nat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list no-nat permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list no-nat permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 no-nat
nat (outside) 0 no-nat
nat (dmz) 0 no-nat
thanks
--Mark
05-24-2007 05:13 AM
Your routing configuration is wrong; remove those static routes.
How is your network built, do you have a router in each subnet?
05-24-2007 05:37 AM
understood on the routes.
no router in each subnet. I want to segment the 2 networks with the firewall, but I don't want to put a router in - if that makes sense?
05-24-2007 07:48 AM
If there is no router (and no internet gateway) and the default route of the host PCs is the firewall, the firewall will route traffic between its connected subnets with no need to add any config.
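As an added illustration (not from the thread or from Cisco), the following Python lint checks a PIX 6.x-style text config for the two problems raised in the replies above: static routes whose next hop is the firewall's own interface address (or that cover a directly connected subnet), and nat 0 identity ACLs that are missing the reverse direction for some pair of interfaces. The sample config is constructed from the original post; the function names are mine.

```python
import ipaddress
from itertools import permutations

# Constructed sample: the first attempt from the thread, with static routes
# pointing at the PIX's own interface addresses and a one-way nat 0 ACL.
SAMPLE_CONFIG = """
ip address outside 172.16.1.254 255.255.255.0
ip address inside 192.168.1.254 255.255.255.0
route outside 192.168.1.0 255.255.255.0 172.16.1.254 1
route inside 172.16.1.0 255.255.255.0 192.168.1.254 1
access-list no-nat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 no-nat
nat (outside) 0 no-nat
"""

def parse(config):
    """Extract interfaces, static routes, 'permit ip' ACL entries and nat 0 bindings."""
    ifaces, routes, acls, nat0 = {}, [], {}, {}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"]:
            ifaces[t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[0] == "route":
            routes.append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}"), ipaddress.ip_address(t[4])))
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, dst = ipaddress.ip_network(f"{t[4]}/{t[5]}"), ipaddress.ip_network(f"{t[6]}/{t[7]}")
            acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and t[2] == "0":
            nat0[t[1].strip("()")] = t[3]
    return ifaces, routes, acls, nat0

def lint(config):
    """Return a list of findings; an empty list means the config passes these checks."""
    ifaces, routes, acls, nat0 = parse(config)
    own_addrs = {i.ip for i in ifaces.values()}
    findings = []
    for name, net, gw in routes:
        if gw in own_addrs:  # the mistake in the original post
            findings.append(f"route {name} {net}: next hop {gw} is the PIX's own address")
        elif any(net == i.network for i in ifaces.values()):
            findings.append(f"route {name} {net}: subnet is directly connected, route not needed")
    for name in ifaces:
        if name not in nat0:
            findings.append(f"interface {name}: no nat ({name}) 0 statement")
    for a, b in permutations([n for n in ifaces if n in nat0], 2):
        entries = acls.get(nat0[a], [])
        if not any(s == ifaces[a].network and d == ifaces[b].network for s, d in entries):
            findings.append(f"nat ({a}) 0 {nat0[a]}: no entry for {ifaces[a].network} -> {ifaces[b].network}")
    return findings
```

Running `lint(SAMPLE_CONFIG)` reports both bogus routes and the missing 192.168.1.0/24 -> 172.16.1.0/24 identity entry; the three-interface config later in the thread passes cleanly.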
05-24-2007 08:37 AM
Thanks for all the help Dominic
cheers
--Mark