Pix to Pix Interface, nat 0 traffic? [7:1429]
Ok, need some help talking to a group of hosts on a lower security interface from a higher one.

For example: I have a fileserver on 192.168.200.0/24 on pix interface 3, security 100. I want to be able to speak at will to another fileserver on 192.168.100.0/24 on pix interface 2, security 90. The name of int 3 (security 100) is inside, and the name of int 2 (security 90) is companynet.

I set up an access list and used it with nat (inside) 0. The access list gets hits, but I can't ping through to the lower security subnet. What am I doing wrong?

nameif ethernet2 comanynet security90
nameif ethernet3 inside security100

access-list inside2comany permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0

nat (inside) 0 access-list inside2comany

route inside 192.168.200.0 255.255.255.0 192.168.100.1

conduit permit icmp any any

Thanks in advance,

Michael Snyder

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=1429&t=1429
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Pix to Pix Interface, nat 0 traffic? [7:1429]
Unless you forgot to paste it, you have failed to apply inside2comany to the comanynet interface as incoming. I also suggest having two different ACLs, one I usually call "NoNAT" and one named for the actual interfaces I mean it to apply to (in your case, inside2comany).

Here's what you need:

access-group inside2comany in interface comanynet

The route statement is incorrect if 192.168.200/24 is connected to the inside (why would you tell the PIX that to get to 192.168.200/24 you have to go through 192.168.100/24? They're on two different interfaces, correct?).

My suggestion would be instead to use the following (192.168.200.5 is the ftp server that 192.168.100.15 needs to get to. In other words, lock it down tight to not just the source/destination IP, but the service as well. You can keep the NoNAT simple and easy, but keep security secure):

access-list Inside2ComanyNoNAT permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list Inside2ComanyNoNAT

access-list Inside2ComanyPermission permit tcp 192.168.200.5 255.255.255.255 eq 21 192.168.100.15 255.255.255.255
access-group Inside2ComanyPermission in interface comanynet

--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/

"Michael Snyder" wrote in message news:[EMAIL PROTECTED]...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=1463&t=1429
Re: Pix to Pix Interface, nat 0 traffic? [7:1429]
Unless you forgot to paste it, you have failed to apply inside2comany to the comanynet interface as incoming. I also suggest having two different ACLs, one I usually call "NoNAT" and one named for the actual interfaces I mean it to apply to (in your case, inside2comany).

Here's what you need:

access-group inside2comany in interface comanynet

The route statement is incorrect if 192.168.200/24 is connected to the inside (why would you tell the PIX that to get to 192.168.200/24 you have to go through 192.168.100/24? They're on two different interfaces, correct?).

My suggestion would be instead to use the following (192.168.200.5 is the ftp server that 192.168.100.15 needs to get to. In other words, lock it down tight to not just the source/destination IP, but the service as well. You can keep the NoNAT simple and easy, but keep security secure):

access-list InsideNoNAT permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list InsideNoNAT

access-list Inside2ComanyPermission permit tcp 192.168.200.5 255.255.255.255 eq 21 192.168.100.15 255.255.255.255
access-group Inside2ComanyPermission in interface comanynet

--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/

"Michael Snyder" wrote in message news:[EMAIL PROTECTED]...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=1464&t=1429
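As an added example (not from the thread or either poster), a small Python linter that runs over the PIX 6.x lines in this thread and flags the points the reply raises: a route whose gateway is not on the named interface's subnet, the blanket conduit permit icmp any any, a non-contiguous mask such as 255.255.255.15 in an access-list, and one ACL serving both nat 0 and access-group. The two ip address lines in the sample are assumptions; the thread never shows them.

```python
import ipaddress
import re

# Constructed sample: the thread's PIX 6.x lines plus the access-group the reply asks for.
# The two "ip address" lines are assumed (not shown in the thread) to match its description.
SAMPLE_CONFIG = """
nameif ethernet2 comanynet security90
nameif ethernet3 inside security100
ip address inside 192.168.200.1 255.255.255.0
ip address comanynet 192.168.100.1 255.255.255.0
access-list inside2comany permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside2comany
access-group inside2comany in interface comanynet
route inside 192.168.200.0 255.255.255.0 192.168.100.1
conduit permit icmp any any
access-list Inside2ComanyPermission permit tcp 192.168.200.5 255.255.255.255 eq 21 192.168.100.15 255.255.255.15
"""
IP_PAIR = re.compile(r"(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")

def valid_netmask(mask):
    """True only for a contiguous netmask like 255.255.255.0; 255.255.255.15 is rejected."""
    try:
        return ipaddress.IPv4Network(("0.0.0.0", mask)).netmask == ipaddress.IPv4Address(mask)
    except ValueError:
        return False

def lint_pix(config):
    """Return (code, detail) findings for the misconfigurations raised in the thread."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    iface_net, nat0_acls, bound_acls, findings = {}, set(), set(), []
    for ln in lines:  # pass 1: interface subnets, and which ACLs nat 0 / access-group use
        w = ln.split()
        if w[:2] == ["ip", "address"]:
            iface_net[w[2]] = ipaddress.IPv4Interface(f"{w[3]}/{w[4]}").network
        elif w[0] == "nat" and w[2:4] == ["0", "access-list"]:
            nat0_acls.add(w[4])
        elif w[0] == "access-group":
            bound_acls.add(w[1])
    for ln in lines:  # pass 2: per-line checks
        w = ln.split()
        if w[0] == "access-list":  # every "addr mask" pair must use a contiguous netmask
            findings += [("BAD_MASK", f"{m} in: {ln}") for _, m in IP_PAIR.findall(ln) if not valid_netmask(m)]
        elif w[0] == "route" and w[1] in iface_net and ipaddress.IPv4Address(w[4]) not in iface_net[w[1]]:
            findings.append(("ROUTE_OFF_SUBNET", f"gateway {w[4]} is not on {w[1]} {iface_net[w[1]]}"))
        elif w[:2] == ["conduit", "permit"] and w[-2:] == ["any", "any"]:
            findings.append(("PERMISSIVE_CONDUIT", ln))
    for acl in sorted(nat0_acls & bound_acls):  # one ACL doing NAT exemption and filtering
        findings.append(("SHARED_NAT0_ACL", f"{acl} serves both nat 0 and access-group"))
    return findings
```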