Connect LANs

rmv72
Level 1

The central office and the branches are connected through an MPLS VPN. For security reasons we want to route all traffic from the branches through the PIX.

At the setup stage I want to allow any traffic from the branches (voice, data) to pass through the PIX. What is the best way to do this?

Should I create

access-list outside_access_in, which permits all traffic, and map it to the outside interface with

access-group outside_access_in in interface outside ?

Or does another way exist?

6 Replies

nkhawaja
Cisco Employee

Hi,

Yes, if you are not sure of the traffic type, then for the initial phase:

static (highinterface,lowinterface) x.x.x.x x.x.x.x

access-list outside_access_in permit ip any any

access-group outside_access_in in interface outside

thanks

Nadeem

What do you think about using NAT exemption for that situation?

I would still suggest using static. NAT 0 (exemption) is for one-directional traffic.

Thanks

Nadeem

What do you mean by one-directional traffic?

I created NAT 0 between 2 interfaces (int 1 - inside, int 2 - outside) and I can initiate connections from computers on the int2-inside interface. That means it is not one-directional traffic.

Sorry, a small correction: .... from the int2-outside interface.

The default behavior of NAT 0 is a traffic flow from a high-security interface to a low-security interface, which is unidirectional.

As you already stated, you need another nat 0 for your other interface to have a bidirectional flow.

You don't need two nat 0 statements if you can serve the purpose by using a static statement.

Thanks

Nadeem
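The setup the thread converges on, written out as an added example (not configuration posted by either participant). It assumes PIX 6.x syntax and constructed placeholder networks: the central office LAN is 10.10.0.0/16 behind the inside interface, and the branch LANs are 10.20.0.0/16, reached over the MPLS cloud on the outside interface.

```cisco
! Added example, not from the thread. Placeholder networks:
!   central office LAN  10.10.0.0/16  (inside interface)
!   branch LANs         10.20.0.0/16  (outside interface, via MPLS)

! 1. Identity static: addresses are unchanged across the PIX and either
!    side may initiate, which is why static is preferred over nat 0 above.
static (inside,outside) 10.10.0.0 10.10.0.0 netmask 255.255.0.0

! 2. Inbound ACL. "permit ip any any" is the initial-phase setting from the
!    thread. The commented lines are the narrowed version to cut over to
!    once the voice/data flows have been confirmed from the logs; the final
!    "deny ... log" line records anything unexpected from the MPLS side.
access-list outside_access_in permit ip any any
! access-list outside_access_in permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
! access-list outside_access_in deny ip any any log

access-group outside_access_in in interface outside

! 3. The NAT exemption alternative discussed later in the thread. Only the
!    access-list form of nat 0 exempts matching traffic in both directions;
!    "nat (inside) 0 <net> <mask>" without an access-list applies to
!    inside-initiated flows only. Use either this or the static above for a
!    given host range, not both.
! access-list nonat permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
! nat (inside) 0 access-list nonat

! Keep connection logging on so the flows permitted during the open
! initial phase can be reviewed before the ACL is tightened.
logging on
logging trap informational
```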