03-09-2007 06:50 AM - edited 02-21-2020 01:26 AM
Hi,
I have a need to use one interface on my PIX 525 (version 7.2(2)) as a logical interface so that I can use NAT to reference local non-routable DMZ IP addresses into ospf advertised IP addresses. I've connected PIX ethernet 4 into my Cisco 6500 switch slot 12 port 43. I've enabled trunking on 12/43 and 12/43 resides in my management domain (VLAN1). My relevant switch and FW config is below.
Issue: Not working: Host 172.31.76.100 attempts to RDP to NAT address 172.31.48.100 but fails. I would like to have confirmation that this config is correct from the community.
Catalyst Switch
Port status is:
12/43 PIX-525-ETH4 connected trunk full 100 10/100/1000
Trunk config is:
clear trunk 12/43 2-239,241-1005,1025-4094
set trunk 12/43 on dot1q 1,240
Trunk status is:
12/43 on dot1q trunking 1
Firewall interface config is:
interface Ethernet4
description Base interface for DMZ translations
speed 100
duplex full
no nameif
security-level 100
no ip address
!
interface Ethernet4.240
vlan 240
nameif VLAN240
security-level 75
ip address 172.30.243.100 255.255.252.0
ACL config is:
access-list VLAN240 remark NAT control into VLAN240 from inside
access-list VLAN240 extended permit ip 172.31.76.0 255.255.255.0 host 172.31.48.100
access-list VLAN240_IN remark Regulate access from VLAN240 into inside
access-list VLAN240_IN extended permit tcp host 172.30.240.226 eq 3389 host 172.30.243.100
access-list VLAN240_IN extended deny ip any any
NAT config is:
global (outside) 30 X.X.X.X netmask 255.255.255.192
global (XXXXXX) 3 interface
global (XXXXXX) 20 interface
global (VLAN240) 50 interface
nat (inside) 0 access-list NONAT
nat (inside) 3 access-list XXX
nat (inside) 20 access-list XXXXXX
nat (inside) 30 access-list WWW
nat (inside) 50 access-list VLAN240
nat (XXXXXX) 0 access-list NONAT-VPN
static (inside,VLAN240) 172.31.48.100 172.30.240.226 netmask 255.255.255.255
access-group VLAN240_IN in interface VLAN240
Return route does exist.
03-12-2007 06:23 AM
Hi
Try changing your static statement from
static (inside,VLAN240) 172.31.48.100 172.30.240.226 netmask 255.255.255.255
to
static (VLAN240,inside) 172.31.48.100 172.30.240.226 netmask 255.255.255.255
Also I'm a little unclear what your access-list VLAN240_IN is doing. At the moment it says
allow the host 172.30.240.226 on port 3389 to talk to the pix VLAN240 interface on any port.
This doesn't seem to make much sense. Perhaps I have misunderstood, could you elaborate.
HTH
Jon
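As an added illustration (not part of either post), the following Python model applies the PIX 7.x rule `static (real_ifc,mapped_ifc) mapped_ip real_ip` to the two forms of the static statement discussed above and reports which one publishes 172.31.48.100 on the interface where 172.31.76.100 arrives. It assumes the inside network is 172.31.76.0/24 (the source network in the VLAN240 nat ACL) and that the VLAN240 network is 172.30.240.0/22, taken from the interface address.

```python
import ipaddress
from dataclasses import dataclass

# Interface subnets from the post. Assumption: inside is the 172.31.76.0/24
# network named in the VLAN240 nat ACL; VLAN240 is 172.30.240.0/22.
INTERFACES = {
    "inside": ipaddress.ip_network("172.31.76.0/24"),
    "VLAN240": ipaddress.ip_network("172.30.240.0/22"),
}


@dataclass
class Static:
    real_ifc: str    # interface where the real host lives
    mapped_ifc: str  # interface on which the mapped address is published
    mapped_ip: str
    real_ip: str


def parse_static(line: str) -> Static:
    """Parse 'static (real_ifc,mapped_ifc) mapped_ip real_ip netmask ...' (PIX 7.x)."""
    parts = line.split()
    if parts[0] != "static":
        raise ValueError("not a static statement")
    real_ifc, mapped_ifc = parts[1].strip("()").split(",")
    return Static(real_ifc, mapped_ifc, parts[2], parts[3])


def ingress_interface(src_ip: str) -> str:
    """Pick the interface whose subnet holds the source address."""
    addr = ipaddress.ip_address(src_ip)
    for name, net in INTERFACES.items():
        if addr in net:
            return name
    raise ValueError(f"no interface for {src_ip}")


def forward(src_ip: str, dst_ip: str, statics: list) -> dict:
    """Model the destination-translation step only: a mapped address is
    recognised solely on the interface it is published on (mapped_ifc)."""
    ingress = ingress_interface(src_ip)
    for s in statics:
        if s.mapped_ifc == ingress and s.mapped_ip == dst_ip:
            return {"translated": True, "real_dst": s.real_ip, "egress": s.real_ifc}
    # No static published on the ingress side: the destination stays as sent,
    # and no directly connected subnet in this model holds it.
    return {"translated": False, "real_dst": dst_ip, "egress": None}
```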