route b/w 169.254.0.0/16 and 192.168.1.0/24

bws
Level 1

Hi all,

My PIX 515E firewall has two interfaces, details below:

interface eth0: 192.168.1.1/24

interface eth1: 169.254.0.1/16

My servers in these two different networks are not able to access each other. What sort of configuration shall I have in place to make it work?

A sample config would be appreciated.

Regards,

bws

1 Accepted Solution

Can you add more details about the configuration? A show run will help a lot.

If the traffic comes from an interface with a higher security level to an interface with a lower security level, all you need is some type of NAT. If you don't want to NAT the traffic you can use NO NAT, for example:

nat (inside) 0 192.168.1.0 255.255.255.0

Assuming that is your inside network. If you want to allow traffic from the lower-security interface to the higher-security interface without NAT, you can use NAT EXEMPT or a static NAT doing a self-translation of the inside network, for example:

access-list NONAT permit ip 192.168.1.0 255.255.255.0 169.254.0.0 255.255.0.0

nat (inside) 0 access-list NONAT

or

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

For both examples you need an interface ACL on the lowest-security interface to allow the desired traffic, for example:

access-list outside_access_in permit ip 169.254.0.0 255.255.0.0 192.168.1.0 255.255.255.0

access-group outside_access_in in interface outside

If you want to do NAT then the configuration will be a little different.

I hope this helps.

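Putting the accepted answer's pieces together for the two interfaces in the question, as an added example that is not from either poster. It uses PIX 7.x interface syntax (on PIX 6.3 the equivalent is `nameif ethernet1 outside security0`) and assumes the 169.254 side is named outside with security level 0 and that the servers only need TCP/443 in that direction:

```cisco
! Added example, not from the thread. Interface names, security levels
! and the TCP/443 service are assumptions for illustration.
interface Ethernet0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet1
 nameif outside
 security-level 0
 ip address 169.254.0.1 255.255.0.0
!
! With nat-control on, every flow from inside (100) to outside (0) needs
! a translation. NAT exemption keeps 192.168.1.0/24 untranslated toward
! 169.254.0.0/16 and, being bidirectional, also lets 169.254.0.0/16
! reach the real 192.168.1.0/24 addresses.
access-list NONAT permit ip 192.168.1.0 255.255.255.0 169.254.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
!
! Traffic entering the lower-security interface is denied by default.
! Permit only what the servers need instead of "permit ip" for the
! whole network, so the exemption does not open the inside segment up.
access-list outside_access_in permit tcp 169.254.0.0 255.255.0.0 192.168.1.0 255.255.255.0 eq 443
access-group outside_access_in in interface outside
```

After applying it, "show xlate" should show no translation for these flows and "show access-list outside_access_in" should show hit counts rising when a 169.254 server connects.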
2 Replies

m.kafka
Level 4

Hi,

You are using:

interface eth0: 192.168.1.1/24

interface eth1: 169.254.0.1/16

First, I recommend changing the addressing; there is plenty of address space in RFC 1918.

169.254.0.0/16 is reserved for special use (link-local) and should not be routed over any layer-3 device. Doing so might interfere with other concepts and practices. See http://tools.ietf.org/html//rfc3927#section-2.8 about "link-local packets are local".

Apart from that, it can be as easy as Paul explained, with identity NAT.

If you don't need NAT for any purpose and you have the latest software available for your 515, you can also go for "no nat-control", so you just have to configure "access-list/access-group" to control your traffic.