05-24-2008 11:36 AM - edited 03-11-2019 05:49 AM
I am trying to get two inside interfaces on a PIX 515E running 6.3 to talk to one another. I have attached a picture of what I am trying to do. One interface has a security level of 100, the other has a security level of 98. I can't for the life of me get the 98 level interface to talk to the 100 level interface...
05-24-2008 04:39 PM
Hi Tom
access-list vlan3_access_in permit 192.168.6.0 255.255.252.0 192.168.5.0 255.255.255.0
access-group vlan3_access_in in interface vlan3
static (nativevlan,vlan3) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
Please post your config for me to determine the correct interface names, if the above doesn't work.
Regards
05-25-2008 04:43 AM
Thanks so much....
I will give it a try Tuesday when I get into work. Couple of questions though.
What is the purpose of the weird static command? It doesn't look normal.
Won't I have to do a nat 0 from nativevlan to vlan3?
05-25-2008 07:17 AM
"Won't I have to do a nat 0 from nativevlan to vlan3?"
That's correct, and that weird static command does exactly that :).
05-27-2008 07:18 AM
Thanks bunches...It almost works...
When I do this I can talk between nativevlan and vlan3 fine. However, my outside NAT from vlan3 to outside stops working...
Here is the scrubbed pix config..
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan3 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 inside_pc_vlan3 security99
/SNIP password,hostname,domain-name,fixup stuff/
names
access-list 101 permit ip any any
access-list inside_pc_vlan3_access_in permit ip 192.168.6.0 255.255.254.0 192.168.5.0 255.255.255.0
/SNIP pager,logging,icmp,mtu stuff/
ip address outside XXX,YYY.ZZZ.2 255.255.255.0
ip address inside 192.168.5.254 255.255.255.0
ip address inside_pc_vlan3 192.168.7.254 255.255.254.0
/SNIP audit,pdm,arp stuff/
global (outside) 1 XXX,YYY.ZZZ.20-XXX,YYY.ZZZ.245
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside_pc_vlan3) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) XXX,YYY.ZZZ.250 192.168.5.240 netmask 255.255.255.255 0 0
static (inside,outside) XXX,YYY.ZZZ.251 192.168.5.241 netmask 255.255.255.255 0 0
static (inside,outside) XXX,YYY.ZZZ.252 192.168.5.242 netmask 255.255.255.255 0 0
static (inside,outside) XXX,YYY.ZZZ.249 192.168.5.243 netmask 255.255.255.255 0 0
static (inside,outside) XXX,YYY.ZZZ.248 192.168.5.244 netmask 255.255.255.255 0 0
static (inside,outside) XXX,YYY.ZZZ.247 192.168.5.245 netmask 255.255.255.255 0 0
static (inside,outside) XXX,YYY.ZZZ.246 192.168.5.246 netmask 255.255.255.255 0 0
static (inside,outside) XXX,YYY.ZZZ.19 192.168.5.13 netmask 255.255.255.255 0 0
static (inside,outside) XXX,YYY.ZZZ.18 192.168.5.247 netmask 255.255.255.255 0 0
static (inside,inside_pc_vlan3) 192.168.5.0 192.168.5.0 netmask 255.255.255.0 0 0
access-group 101 in interface outside
access-group inside_pc_vlan3_access_in in interface inside_pc_vlan3
route outside 0.0.0.0 0.0.0.0 XXX,YYY.ZZZ.1 1
/SNIP timeout,aaa,ntp,http,snmp,floodguard,telnet,ssh,console,dhcp,terminal,banner,crypto stuff/
: end
Any thoughts?
05-27-2008 07:43 AM
That's correct. You should permit traffic specifically.
For example, if you want your vlan3 clients to reach the internet (www), then add
access-list inside_pc_vlan3_access_in permit tcp 192.168.6.0 255.255.254.0 any eq www
access-list inside_pc_vlan3_access_in permit tcp 192.168.6.0 255.255.254.0 any eq dns
For best practice, I strongly recommend you apply traffic-specific ACLs instead of any any, so remove access-list 101 permit any any.
Regards
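To see why the outbound traffic stopped as soon as the interface ACL went on, here is an added Python model of PIX first-match ACL evaluation with the implicit deny at the end of the list (example code written for this thread, not from the PIX or either poster). It parses the access-list lines quoted above; the vlan3 host 192.168.6.10 and the destination 203.0.113.5 are constructed, and the "dns" port literal is an assumption mapped to 53.

```python
import ipaddress

# PIX port literals; "dns" is an assumption so the thread's lines parse
# (PIX 6.3 itself names port 53 "domain").
PORT_NAMES = {"www": 80, "domain": 53, "dns": 53}

def _net(t, i):
    """Consume 'any' or 'ADDR MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_acl(lines):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _net(t, 4)
        dst, i = _net(t, i)
        port = None
        if i + 1 < len(t) and t[i] == "eq":
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        entries.append((t[1], t[2], t[3], src, dst, port))
    return entries

def evaluate(entries, acl, proto, src_ip, dst_ip, dst_port=None):
    """First-match lookup; PIX ends every ACL with an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for name, action, eproto, esrc, edst, eport in entries:
        if name != acl or eproto not in ("ip", proto):
            continue
        if src not in esrc or dst not in edst:
            continue
        if eport is not None and eport != dst_port:
            continue
        return action
    return "deny"

# Constructed from the thread: the ACL as first applied, then with the fix.
BEFORE = ["access-list inside_pc_vlan3_access_in permit ip 192.168.6.0 255.255.254.0 192.168.5.0 255.255.255.0"]
AFTER = BEFORE + [
    "access-list inside_pc_vlan3_access_in permit tcp 192.168.6.0 255.255.254.0 any eq www",
    "access-list inside_pc_vlan3_access_in permit tcp 192.168.6.0 255.255.254.0 any eq dns"]

def check(lines, dst_ip, proto="tcp", port=80):
    """Result for a vlan3 host (192.168.6.10) talking to dst_ip:port."""
    return evaluate(parse_acl(lines), "inside_pc_vlan3_access_in", proto, "192.168.6.10", dst_ip, port)
```

With BEFORE, 192.168.6.10 reaches 192.168.5.x but any internet destination falls through to the implicit deny, which is exactly the "outside NAT stops working" symptom; with AFTER, web and TCP DNS pass while anything not listed (HTTPS, or DNS over UDP, since the posted rule says tcp) is still dropped.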
05-27-2008 10:38 AM
Thanks, That worked like a CHAMP...
05-27-2008 10:41 AM
You are welcome Tom :)