08-24-2004 05:29 AM - edited 03-09-2019 08:34 AM
Central office and branches are connected through MPLS VPN. For security reasons we want to route all traffic from branches through the PIX.
At the setup step I want to allow any traffic from branches (voice, data) to pass through the PIX. What is the best way to do it?
Should I create
access-list outside_access_in which permits all traffic and map it to the outside interface
access-group outside_access_in in interface outside ?
Or maybe another way exists?
08-29-2004 08:04 PM
Hi,
Yes, if you are not sure of the traffic type, then for the initial phase:
static (highinterface,lowinterface) x.x.x.x x.x.x.x
access-list outside_access_in permit ip any any
access-group outside_access_in in interface outside
Thanks
Nadeem
08-29-2004 09:18 PM
What do you think about using NAT exemption for that situation?
08-30-2004 08:20 AM
I would still suggest using static. NAT 0 (exemption) is for one-directional traffic.
Thanks
Nadeem
08-30-2004 09:04 PM
What do you mean by one-directional traffic?
I created NAT 0 between 2 interfaces (int 1 - inside, int 2 - outside) and I can initiate connections from computers on the int2-inside interface. That means it is not one-directional traffic.
08-30-2004 09:06 PM
Sorry, a little remark: ... from the int2-outside interface
08-31-2004 10:18 AM
The default behavior of NAT 0 is a traffic flow from a high-security interface to a low-security interface, which is unidirectional.
As you already stated, you need another nat 0 for your other interface to have a bidirectional flow.
You don't need two nat 0 statements if you can serve the purpose by using a static statement.
Thanks
Nadeem
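As an added illustration (not part of any post in this thread), here is the approach Nadeem recommends written out in PIX 6.x syntax, with constructed sample addresses: one identity static for the central-office range, which creates a translation that serves connections initiated from either side, and the initial permit-all entry beside a tightened entry that limits the inbound list to the branch address space once the voice and data flows are known. The interface names and the 10.1.0.0/16 and 10.2.0.0/16 ranges are assumptions for the example.

```cisco
! Added example, not from the thread. Addresses are constructed:
!   10.1.0.0/16 = central office, behind the "inside" interface
!   10.2.0.0/16 = branch networks, arriving on "outside" via the MPLS VPN

! Identity static: keeps the real central-office addresses (no translation)
! and, unlike a plain nat 0, holds a translation for both directions.
static (inside,outside) 10.1.0.0 10.1.0.0 netmask 255.255.0.0

! Initial phase (as in the answer above): accept everything from the
! branches while the traffic types are still unknown.
access-list outside_access_in permit ip any any
access-group outside_access_in in interface outside

! Hardened phase: once the flows are identified, replace the permit-all
! entry with one scoped to branch sources and central-office destinations.
! The PIX evaluates the list top-down and denies anything not matched;
! the explicit deny with "log" records what the tightened list drops.
no access-list outside_access_in permit ip any any
access-list outside_access_in permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list outside_access_in deny ip any any log
```

The access-group line only has to be entered once; editing the access-list in place is enough for the interface to pick up the new entries. Checking `show access-list outside_access_in` after the change shows the hit counts per entry, which is a quick way to confirm that branch traffic is matching the scoped entry rather than the final deny.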