NAT/Route question


Can anyone help me out on this:

I'm used to setting up PIXes for internet usage, either with static NATs, dynamic NATs, or both, with a router between the networks.

What I want to do is segment two private networks with a 515E, but I can't seem to get my head around not NATing it and just routing between the two, then controlling it with an ACL.

example: 192.168.1.0/24 <-----> PIX <-----> 172.16.1.0/24

ip address outside 172.16.1.254 255.255.255.0

ip address inside 192.168.1.254 255.255.255.0

route outside 192.168.1.0 255.255.255.0 172.16.1.254 1

route inside 172.16.1.0 255.255.255.0 192.168.1.254 1

access-list local_A_in permit tcp host 172.16.1.1 host 192.168.1.1 eq www

access-group local_A_in in interface outside

access-list local_B_in permit tcp host 192.168.1.2 host 172.16.1.2 eq https

access-group local_B_in in interface inside

Where am I going wrong?

Thanks

--Mark

dominic.caron Thu, 05/24/2007 - 04:19

If your goal is not to do any NAT between those networks, simply do a nat 0:

access-list no-nat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list no-nat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

nat (inside) 0 access-list no-nat

nat (outside) 0 access-list no-nat

Thanks for your help, Dominic.

Would I still leave in the static routes, or could I use the ones the PIX finds?

Additionally, if I were to add an additional interface to the PIX, would it look like this?

ip address outside 172.16.1.254 255.255.255.0

ip address inside 192.168.1.254 255.255.255.0

ip address dmz 10.10.10.254 255.255.255.0

access-list no-nat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list no-nat permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list no-nat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list no-nat permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list no-nat permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list no-nat

nat (outside) 0 access-list no-nat

nat (dmz) 0 access-list no-nat

thanks

--Mark
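Writing the NAT exemption out by hand gets error-prone as interfaces are added (three interfaces already need six access-list lines). As an added example that is not part of this thread, the Python script below generates that pairwise nat 0 configuration for any number of directly connected subnets, in the same pattern as the two- and three-interface configs above, and refuses overlapping subnets, which would make routing between them ambiguous. The interface names and subnets are the ones from this thread, embedded as constructed sample input; the emitted command uses the PIX 6.x form `nat (<if>) 0 access-list <acl>`.

```python
import ipaddress
from itertools import permutations

# Constructed sample input: the three directly connected subnets from the thread.
INTERFACES = {
    "outside": "172.16.1.0/24",
    "inside": "192.168.1.0/24",
    "dmz": "10.10.10.0/24",
}


def nat_exempt_config(interfaces, acl_name="no-nat"):
    """Return PIX 6.x lines that exempt all traffic between the given subnets from NAT.

    `interfaces` maps interface name -> connected subnet (CIDR). One access-list
    entry is emitted per ordered pair of distinct subnets, and the access-list is
    then bound with `nat (<if>) 0 access-list <acl>` on every interface, so each
    interface finds its own source subnet in the list regardless of direction.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in interfaces.items()}
    lines = []
    for (a_name, a), (b_name, b) in permutations(nets.items(), 2):
        # Overlapping subnets on two interfaces cannot be routed unambiguously,
        # so refuse to generate a config that silently hides that mistake.
        if a.overlaps(b):
            raise ValueError(f"{a_name} ({a}) overlaps {b_name} ({b})")
        lines.append(
            f"access-list {acl_name} permit ip "
            f"{a.network_address} {a.netmask} {b.network_address} {b.netmask}"
        )
    for name in nets:
        lines.append(f"nat ({name}) 0 access-list {acl_name}")
    return lines


if __name__ == "__main__":
    print("\n".join(nat_exempt_config(INTERFACES)))
```

Because the access-list is matched on source and destination, binding the same list to every interface with both directions present is what makes the exemption symmetric; dropping one direction leaves that interface's traffic subject to the normal nat/global rules.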

dominic.caron Thu, 05/24/2007 - 05:13

Your routing configuration is wrong; remove those static routes.

How is your network built? Do you have a router in each subnet?

Correct Answer
dominic.caron Thu, 05/24/2007 - 07:48

If there is no router (and no internet gateway), and if the default route of the host PCs is the firewall, the firewall will route traffic between its connected subnets with no need to add any config.
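The static routes in the original post fail for two reasons at once: each names a subnet the PIX is already directly connected to, and each points at the PIX's own interface address as the next hop. As an added example that is not part of this thread, the Python audit below parses `ip address` and `route` lines from a PIX config and flags exactly those mistakes, plus a next hop that is not on the named interface's subnet. The config fragment is constructed from the original post's two interfaces and two routes, with one sensible default route (next hop 172.16.1.1, an assumed upstream router) added for comparison.

```python
import ipaddress

# Constructed config fragment: the two interfaces and two static routes from the
# original post, plus an assumed default route towards an upstream router.
PIX_CONFIG = """\
ip address outside 172.16.1.254 255.255.255.0
ip address inside 192.168.1.254 255.255.255.0
route outside 192.168.1.0 255.255.255.0 172.16.1.254 1
route inside 172.16.1.0 255.255.255.0 192.168.1.254 1
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
"""


def parse_interfaces(config):
    """Map interface name -> IPv4Interface from `ip address <if> <ip> <mask>` lines."""
    ifaces = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[:2] == ["ip", "address"]:
            name, addr, mask = parts[2], parts[3], parts[4]
            ifaces[name] = ipaddress.ip_interface(f"{addr}/{mask}")
    return ifaces


def audit_static_routes(config):
    """Return (route_line, problem) pairs for static routes that should not exist.

    A route is flagged when its destination is a subnet the firewall is already
    directly connected to (the PIX routes between connected subnets on its own),
    when its next hop is one of the firewall's own addresses, or when the next
    hop is not reachable on the interface the route names. A route may collect
    more than one finding.
    """
    ifaces = parse_interfaces(config)
    own_addrs = {i.ip for i in ifaces.values()}
    connected = {i.network for i in ifaces.values()}
    findings = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "route":
            continue
        name, dest, mask, gw = parts[1], parts[2], parts[3], parts[4]
        dest_net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gw_ip = ipaddress.ip_address(gw)
        if name not in ifaces:
            findings.append((line, f"unknown interface {name}"))
            continue
        if dest_net in connected:
            findings.append((line, f"{dest_net} is directly connected; no static route is needed"))
        if gw_ip in own_addrs:
            findings.append((line, f"next hop {gw_ip} is the firewall's own address"))
        elif gw_ip not in ifaces[name].network:
            findings.append((line, f"next hop {gw_ip} is not on the {name} subnet"))
    return findings


if __name__ == "__main__":
    for route, problem in audit_static_routes(PIX_CONFIG):
        print(f"{route}\n    -> {problem}")
```

With the two bad routes removed, the only routing the PIX needs is the default route towards whatever upstream exists; the hosts on 192.168.1.0/24 and 172.16.1.0/24 simply use 192.168.1.254 and 172.16.1.254 respectively as their default gateway, and the interface access-lists decide what is allowed to cross.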
