08-23-2005 11:40 PM - edited 03-02-2019 11:47 PM
Hi,
Let me explain my Networks:
I have an HA Cisco PIX 515E with a public outside interface and a private inside interface. One interface I'm using for stateful failover.
My local LAN is in the 10.10.8 range.
Now I have to connect one more extra LAN (from a different department), 172.15.
My question is: can I connect the PIX's free interface to some other Cisco 2950 switch that is not connected to my production switch?
[1] How do I access the 172 LAN via the PIX free interface?
[2] How is the routing to be done on the PIX?
[3] Do I need to allow the 172 traffic to my production 10.10.8 LAN?
I'm doing all of the above because I would like to avoid a PIX-to-router tunnel, as the second LAN (which has a public router) is next to my rack.
Sorry for the bad English...
regards
Arvind
08-24-2005 12:34 AM
Hi,
Suppose that your new zone's name is inside2 and it has lower security than inside (for example security90); please see the following:
First of all you should disable NAT between these two zones, i.e. "inside" and "inside2":
static (inside,inside2) 10.10.8.x 10.10.8.x netmask 255.255.255.0
It prevents translation between inside and inside2; it creates a translation from 10.10.8.x to 10.10.8.x.
Then you should permit access from inside2 to inside, because inside2 has lower security than inside:
access-list acl2 permit ip 172.15.0.0 255.255.0.0 10.10.8.0 255.255.255.0
access-group acl2 in interface inside2
As you know, you should assign one of the new LAN's IP addresses to the PIX new zone (inside2), as below:
ip address inside2 172.15.x.x 255.255.0.0
You don't need to define any route because both LANs are connected to the PIX and the PIX has connected routes for them.
I hope it was useful.
Regards,
Mehrdad
08-24-2005 12:58 AM
Do I need to give the nat (inside2) 0 172.168 command..?
or static (inside,inside2) 10.10.8.x 10.10.8.x netmask 255.255.255.0
08-24-2005 01:16 AM
No, you don't need it.
Also be aware that you can disable NAT on the PIX with nat 0, so in your situation:
nat (inside) 0 10.10.8.0 255.255.255.0
08-24-2005 03:03 AM
If I give nat 0 to 10.10.8.0 then all my production servers will lose their public IPs.
I think I need to assign an ACL on that interface and then do the nat 0 on that ACL.
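Putting the thread's advice together, here is a consolidated PIX 6.x configuration for the second zone. This is an added example, not config posted by anyone in the thread or taken from Cisco documentation. It assumes the spare port is ethernet2, that the PIX takes 172.15.0.1 on it, that inside is security100 and the new zone gets security90, and the two production hosts and ports in the tightened ACL are placeholders chosen for illustration.

```cisco
! Added example (not from the thread). PIX 6.x: second internal zone "inside2"
! on the spare interface. ASSUMPTIONS: spare port = ethernet2, PIX takes
! 172.15.0.1/16 on it, inside = security100, inside2 = security90.
nameif ethernet2 inside2 security90
interface ethernet2 auto
ip address inside2 172.15.0.1 255.255.0.0

! Identity static (Mehrdad's suggestion): inside hosts keep their own
! addresses toward inside2, and inside2 gets the static it needs to reach
! them. It is scoped to the inside/inside2 pair, so the (inside,outside)
! statics for the public servers are untouched.
static (inside,inside2) 10.10.8.0 10.10.8.0 netmask 255.255.255.0

! Alternative raised in the last post: NAT exemption scoped by ACL instead of
! a bare "nat (inside) 0 10.10.8.0 255.255.255.0". The ACL matches only
! traffic to 172.15.0.0/16, so outside-bound translations are not affected.
! Use either the static above or this pair, not both.
! access-list nonat permit ip 10.10.8.0 255.255.255.0 172.15.0.0 255.255.0.0
! nat (inside) 0 access-list nonat

! inside2 (security90) -> inside (security100) must be permitted explicitly.
! Broad form from the thread (whole department LAN to whole production LAN):
! access-list acl2 permit ip 172.15.0.0 255.255.0.0 10.10.8.0 255.255.255.0
! Tighter form: only the services production actually publishes.
! (hosts and ports below are placeholders, not from the thread)
access-list acl2 permit tcp 172.15.0.0 255.255.0.0 host 10.10.8.10 eq 80
access-list acl2 permit tcp 172.15.0.0 255.255.0.0 host 10.10.8.20 eq 445
access-list acl2 deny ip any any log
access-group acl2 in interface inside2

! No "route" statement is needed: both LANs are directly connected to the PIX.
```

The explicit `deny ip any any log` at the end of acl2 is redundant with the PIX's implicit deny but gives you syslog visibility into what the 172.15 side is trying to reach, which is useful while deciding how far to open the list. Nothing here gives inside2 hosts a path to the outside; if the department LAN should also use the PIX for Internet access it would need its own nat/global pair, which the thread does not cover.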