NAT/Route question

Answered Question

Can anyone help me out on this:

I'm used to setting up PIXes for internet usage, either with static NATs, dynamic NATs, or both, with a router between the networks.

What I want to do is segment two private networks with a 515E, but I can't seem to get my head around not NATing and just routing between the two, then controlling it with an ACL.


example: 192.168.1.0/24 <-----> PIX <-----> 172.16.1.0/24


ip address outside 172.16.1.254 255.255.255.0

ip address inside 192.168.1.254 255.255.255.0


route outside 192.168.1.0 255.255.255.0 172.16.1.254 1

route inside 172.16.1.0 255.255.255.0 192.168.1.254 1


access-list local_A_in permit tcp host 172.16.1.1 host 192.168.1.1 eq www

access-group local_A_in in interface outside


access-list local_B_in permit tcp host 192.168.1.2 host 172.16.1.2 eq https

access-group local_B_in in interface inside


Where am I going wrong?


Thanks

--Mark

dominic.caron Thu, 05/24/2007 - 04:19

If your goal is not to do any NAT between those networks, simply do a nat 0:



access-list no-nat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list no-nat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

nat (inside) 0 access-list no-nat

nat (outside) 0 access-list no-nat

Thanks for your help, Dominic.


Would I still leave in the static routes, or could I use the ones the PIX finds?


Additionally, if I were to add another interface to the PIX, it would look like this:


ip address outside 172.16.1.254 255.255.255.0

ip address inside 192.168.1.254 255.255.255.0

ip address dmz 10.10.10.254 255.255.255.0


access-list no-nat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list no-nat permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list no-nat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list no-nat permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list no-nat permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0


nat (inside) 0 access-list no-nat

nat (outside) 0 access-list no-nat

nat (dmz) 0 access-list no-nat


Thanks

--Mark

dominic.caron Thu, 05/24/2007 - 05:13

Your routing configuration is wrong, remove those static routes.


How is your network built? Do you have a router in each subnet?

Correct Answer
dominic.caron Thu, 05/24/2007 - 07:48

If there is no router (and no internet gateway) and the default route of the host PCs is the firewall, the firewall will route traffic between its connected subnets with no need to add any config.
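The three answers above boil down to two checks you can run on a config before loading it: the static routes that name a directly connected subnet (or use the PIX's own interface address as next hop) have to go, because the connected routes come from the `ip address` lines, and the identity-NAT (`nat 0 access-list`) ACL has to permit both directions for every pair of connected subnets. The script below is an added example, not code from the thread or from Cisco; it parses only the `ip address`, `route`, `permit ip <net> <mask> <net> <mask>` and `nat (<if>) 0 access-list` lines of a PIX 6.x style config and leaves the host/port filter ACLs alone. The three sample configs (the one as posted, the corrected two-interface version, and a one-directional nat 0 variant) are constructed here from the thread, not taken from a live device; the `lint` function and its problem strings are this example's own.

```python
"""Lint a PIX 6.x style config for the routed, no-NAT design discussed in the thread.

Checks (added example, assumptions noted inline):
  1. No static route may name a directly connected subnet as its destination or use
     one of the PIX's own interface addresses as next hop.
  2. Every interface needs 'nat (<if>) 0 access-list <acl>', and that ACL must permit
     ip traffic from the interface's subnet to every other connected subnet, so the
     identity NAT covers both directions.
"""
import ipaddress
import re

IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: \d+)?$")
ACL_IP_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def parse(config):
    """Return (interfaces, routes, ip_acls, nat0) parsed from the config text."""
    ifaces, routes, acls, nat0 = {}, [], {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := IP_ADDR_RE.match(line):
            name, addr, mask = m.groups()
            ifaces[name] = ipaddress.ip_interface(f"{addr}/{mask}")
        elif m := ROUTE_RE.match(line):
            name, net, mask, gw = m.groups()
            routes.append((name, ipaddress.ip_network(f"{net}/{mask}"),
                           ipaddress.ip_address(gw)))
        elif m := ACL_IP_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"),
                 ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := NAT0_RE.match(line):
            iface, acl = m.groups()
            nat0[iface] = acl
    return ifaces, routes, acls, nat0


def check_routes(ifaces, routes):
    """Flag static routes that duplicate connected subnets or point at the PIX itself."""
    connected = {i.network for i in ifaces.values()}
    own_addrs = {i.ip for i in ifaces.values()}
    problems = []
    for name, net, gw in routes:
        if net in connected:
            problems.append(f"route {name} {net}: destination is directly connected, delete it")
        if gw in own_addrs:
            problems.append(f"route {name} {net}: next hop {gw} is the PIX's own address")
    return problems


def check_nat0(ifaces, acls, nat0):
    """Flag interfaces without nat 0 and identity-NAT ACLs that cover only one direction."""
    nets = {name: i.network for name, i in ifaces.items()}
    problems = []
    for a, net_a in nets.items():
        acl = nat0.get(a)
        if acl is None:
            problems.append(f"interface {a} has no 'nat ({a}) 0 access-list <acl>' line")
            continue
        for b, net_b in nets.items():
            if a != b and (net_a, net_b) not in acls.get(acl, []):
                problems.append(f"{acl} lacks 'permit ip {net_a} {net_b}' needed for nat ({a}) 0")
    return problems


def lint(config):
    """Return the list of problems found; an empty list means both checks passed."""
    ifaces, routes, acls, nat0 = parse(config)
    return check_routes(ifaces, routes) + check_nat0(ifaces, acls, nat0)


# Constructed sample configs based on the thread (not captured from a live device).
AS_POSTED = """
ip address outside 172.16.1.254 255.255.255.0
ip address inside 192.168.1.254 255.255.255.0
route outside 192.168.1.0 255.255.255.0 172.16.1.254 1
route inside 172.16.1.0 255.255.255.0 192.168.1.254 1
access-list local_A_in permit tcp host 172.16.1.1 host 192.168.1.1 eq www
access-group local_A_in in interface outside
"""

CORRECTED = """
ip address outside 172.16.1.254 255.255.255.0
ip address inside 192.168.1.254 255.255.255.0
access-list no-nat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list no-nat
nat (outside) 0 access-list no-nat
access-list local_A_in permit tcp host 172.16.1.1 host 192.168.1.1 eq www
access-group local_A_in in interface outside
access-list local_B_in permit tcp host 192.168.1.2 host 172.16.1.2 eq https
access-group local_B_in in interface inside
"""

# Same as CORRECTED but the identity-NAT ACL only covers the outside -> inside direction.
ONE_WAY = CORRECTED.replace(
    "access-list no-nat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0\n", "")

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("corrected", CORRECTED), ("one-way nat 0", ONE_WAY)):
        found = lint(cfg)
        print(f"== {label}: {len(found)} problem(s)")
        for p in found:
            print("  ", p)
```

Run it as-is and the posted config is flagged on both routes (connected destination and self as next hop) and for missing nat 0 lines, the corrected config passes clean, and the one-way variant reports the single missing `permit ip 192.168.1.0/24 172.16.1.0/24` entry. Extending it to Mark's three-interface layout needs no changes: every interface pair is checked in both directions.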
