NAT/Route question

mark.johnson
Level 1

Can anyone help me out on this:

I'm used to setting up PIXes for internet usage either with static NATs, dynamic NATs, or both, with a router between the networks.

What I want to do is segment 2 private networks with a 515E, but I can't seem to get my head around not NAT'ing it and just routing between the two, then controlling it with an ACL.

example: 192.168.1.0/24 <-----> PIX <-----> 172.16.1.0/24

ip address outside 172.16.1.254 255.255.255.0

ip address inside 192.168.1.254 255.255.255.0

route outside 192.168.1.0 255.255.255.0 172.16.1.254 1

route inside 172.16.1.0 255.255.255.0 192.168.1.254 1

access-list local_A_in permit tcp host 172.16.1.1 host 192.168.1.1 eq www

access-group local_A_in in interface outside

access-list local_B_in permit tcp host 192.168.1.2 host 172.16.1.2 eq https

access-group local_B_in in interface inside

Where am I going wrong?

Thanks

--Mark


6 Replies

dominic.caron
Level 5

If your goal is not to do any NAT between those networks, simply do a nat 0:

access-list no-nat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list no-nat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

nat (inside) 0 no-nat

nat (outside) 0 no-nat

Thanks for your help Dominic.

Would I still leave in the static routes, or could I use the ones the PIX finds?

Additionally, if I were to add an additional interface to the PIX, would it look like this:

ip address outside 172.16.1.254 255.255.255.0

ip address inside 192.168.1.254 255.255.255.0

ip address dmz 10.10.10.254 255.255.255.0

access-list no-nat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list no-nat permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list no-nat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list no-nat permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list no-nat permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 no-nat

nat (outside) 0 no-nat

nat (dmz) 0 no-nat

thanks

--Mark

Your routing configuration is wrong, remove those static routes.

How is your network built, do you have a router in each subnet?

Understood on the routes.

No router in each subnet. I want to segment the 2 networks with the firewall, but I don't want to put a router in - if that makes sense?

If there is no router (and no internet gateway) and if the default route of the host PCs is the firewall, the firewall will route traffic between its connected subnets with no need to add any config.
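The two points Dominic makes, that the nat 0 exemption needs one ACL line per ordered pair of subnets and that static routes for directly connected subnets are wrong, can be checked offline. The following is an added example (not from this thread or from Cisco) that models the PIX addressing above, flags the two static routes from the original post, and generates the no-nat ACL and nat 0 statements for any number of interfaces; the route-check rules are my own assumptions about what makes a static route invalid here.

```python
import ipaddress

# Constructed from the addressing in this thread (added example, not Cisco code).
INTERFACES = {
    "outside": ipaddress.ip_interface("172.16.1.254/24"),
    "inside": ipaddress.ip_interface("192.168.1.254/24"),
    "dmz": ipaddress.ip_interface("10.10.10.254/24"),
}
# The two static routes from the original post, as (interface, destination, next hop).
ROUTES_FROM_THREAD = [
    ("outside", "192.168.1.0/24", "172.16.1.254"),
    ("inside", "172.16.1.0/24", "192.168.1.254"),
]

def check_static_routes(interfaces, routes):
    """Flag static routes that are wrong on a firewall that is directly connected
    to the subnets it separates. Returns a list of (destination, reason)."""
    own_addrs = {str(i.ip) for i in interfaces.values()}
    connected = {i.network: name for name, i in interfaces.items()}
    problems = []
    for iface, dest, next_hop in routes:
        net = ipaddress.ip_network(dest)
        hop = ipaddress.ip_address(next_hop)
        if net in connected:
            problems.append((dest, f"directly connected on {connected[net]}; no static route needed"))
        elif str(hop) in own_addrs:
            problems.append((dest, "next hop is the firewall's own address"))
        elif hop not in interfaces[iface].network:
            problems.append((dest, f"next hop is not on the {iface} subnet"))
    return problems

def no_nat_config(interfaces, acl="no-nat"):
    """Generate the nat 0 exemption ACL for every ordered pair of subnets, plus the
    nat (iface) 0 statements that apply it (the two-interface case is Dominic's reply)."""
    lines = []
    for a in interfaces.values():
        for b in interfaces.values():
            if a is not b:
                lines.append(f"access-list {acl} permit ip {a.network.network_address} "
                             f"{a.netmask} {b.network.network_address} {b.netmask}")
    lines += [f"nat ({name}) 0 {acl}" for name in interfaces]
    return lines

if __name__ == "__main__":
    for dest, why in check_static_routes(INTERFACES, ROUTES_FROM_THREAD):
        print(f"route to {dest}: {why}")
    print("\n".join(no_nat_config(INTERFACES)))
```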

Thanks for all the help Dominic

Cheers

--Mark
