cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
663
Views
0
Helpful
1
Replies

PIX 535 Help

kareem.afifi
Level 1
Level 1

Hello,

Not much firewall experience so looking for some assistance. I have Pix 535 running 8.0 in single context mode. I created Multiple sub interfaces for my guest users. Each interface is a separate subnet with a security interface level of 90. I also have a sub interface with a higher security of 95 which is a management interface/subnet where my web filtering server sits.

The way it works is all the traffic comes into a switch where they are trunked to the firewall. I have a TAP setup on the interface to the firewall that inspects traffic and sends it to the URL filter. I have a separate trunk port on the same switch to the web filter server itself. The webfilter see's the traffic coming from the tap and attempts to send the block page via the trunk port but it cannot reach the device on the other interfaces at all. I have an ACL setup on the inside of the management sub interface to allow IP traffic from the URL filter to all of my subnets where guest access resides.

any ideas? Not doing any NAT'ing internally only a global PAT on the outside. seems like I can't get the interfaces to talk to each other. So if i'm on 1 subnet I can't communicate with the other subnet which is OK. I really want the mgment subnet to be able to talk to all of the other subnets.

Thanks,

1 Reply 1

Jennifer Halim
Cisco Employee
Cisco Employee

You would need to configure static nat to itself for it to work, ie:

eg: management network is 192.168.1.0/24, and is named mgmt (security level 95), and other interface is called dmz (security level 90):

static (mgmt,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

That should resolve your issue.

Review Cisco Networking for a $25 gift card