08-21-2008 11:47 PM - edited 03-11-2019 06:34 AM
We use the 10.x.x.x network internally. The PIX stands between two networks: 10.34.12.0/24, the outside one with security level 0, and 10.34.3.0/24, the inside one with security level 100. I need all IPs from the 10.34.3.0 and 10.34.12.0 networks to pass through the firewall without any NAT translation. Also, network 10.34.12.0 should get access to other 10.x.x.x subnets within the corporate network without any NAT translations. What is the best way to achieve this?
08-22-2008 12:18 AM
Try the following
access-list outside_access_in permit ip 10.34.12.0 255.255.255.0 10.34.3.0 255.255.255.0
access-list outside_access_in permit ip 10.34.12.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list inside_access_out permit ip 10.34.3.0 255.255.255.0 10.34.12.0 255.255.255.0
nat (outside) 0 access-list outside_access_in
nat (inside) 0 access-list inside_access_out
Thanks
08-22-2008 12:26 AM
When I apply nat (outside) 0 access-list outside_access_in
I receive the following error message:
WARNING: Specified interface is lowest security interface. This statement
WARNING: is not applicable to any traffic.
And I am still not able to get access to hosts on the 10.34.12.x net. I think, as outside is a lower security level interface, only the static command can help. What do you think?
Thanks
08-22-2008 12:37 AM
Can you post your current config? I think there is some confusion on which side the networks are and the direction of the NAT required.
08-22-2008 12:48 AM
Try using
nat (outside) 0 access-list outside_access_in outside
instead of
nat (outside) 0 access-list outside_access_in
Thanks
08-22-2008 12:21 AM
Use a policy based no-nat translation config.
something like:-
access-list no-nat-internal permit ip 10.34.3.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list no-nat-internal permit ip 10.34.12.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list no-nat-internal
HTH>
08-22-2008 02:27 AM
Hi guys,
I've implemented such commands on this firewall:
access-list outside_access_in permit ip 10.34.12.0 255.255.255.0 10.34.3.0 255.255.255.0
access-list outside_access_in permit ip 10.34.12.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list inside_access_out permit ip 10.34.3.0 255.255.255.0 10.34.12.0 255.255.255.0
access-list inside_access_out permit ip 10.0.0.0 255.0.0.0 10.34.12.0 255.255.255.0
nat (outside) 0 access-list outside_access_in outside
nat (inside) 0 access-list inside_access_out
But I'm still not able to get access to any hosts from inside to outside. Please find configuration details in attachment.
08-22-2008 02:40 AM
Your access-list and interface IP address make no sense, and are incorrect.
1) What IP subnets are on the inside?
2) What IP subnets are on the outside?
You also have a default route pointing to the inside- why? Are you sure you have inside & outside the correct way around?
08-22-2008 02:54 AM
Hi Andrew,
Inside subnet is 10.34.3.0/24
Outside subnet is 10.34.12.0/24
The default route on inside is simply a default route to the other subnets in our network.
08-22-2008 03:13 AM
OK - so what is the issue?? Are there any other subnets on the outside that you want to connect to?
08-22-2008 03:17 AM
I think I understand now, after re-reading your initial post. Cut and paste the config below and re-test:-
no nat (outside) 0 access-list outside_access_in outside
no nat (inside) 0 access-list inside_access_out
no access-list outside_access_in permit ip 10.34.12.0 255.255.255.0 10.34.3.0 255.255.255.0
no access-list outside_access_in permit ip 10.34.12.0 255.255.255.0 10.0.0.0 255.0.0.0
no access-list inside_access_out permit ip 10.34.3.0 255.255.255.0 10.34.12.0 255.255.255.0
no access-list inside_access_out permit ip 10.0.0.0 255.0.0.0 10.34.12.0 255.255.255.0
static (inside,outside) 10.34.3.0 10.34.3.0 netmask 255.255.255.0
static (outside,inside) 10.34.12.0 10.34.12.0 netmask 255.255.255.0
HTH>
08-22-2008 03:32 AM
Yeah right, this could help, but in that case the firewall will do the proxy ARP feature and that way it can crash these two networks. It may be a good point to use these statics with proxy ARP disabled on the interfaces, but what to do with the other 10.x.x.x networks?
08-22-2008 03:38 AM
Well you just add static statements per network, or just change the previous suggestion to:-
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (outside,inside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
That way all networks in the 10/8 are the same passing thru the firewall.
HTH>
08-22-2008 04:31 AM
Right this one should work with disabled proxy arp:
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (outside,inside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
sysopt noproxyarp outside
sysopt noproxyarp inside
Guys from that site have already left - will check on Monday and provide you results.
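The proxy ARP hazard raised above (an identity static for 10.0.0.0/8 makes the PIX answer ARP for addresses that belong to the directly connected subnet on that interface) can be checked offline. This is an added example, not configuration or code from the thread; it is a simplified model that assumes the PIX answers ARP on the mapped interface for every address in a static's mapped network unless `sysopt noproxyarp <interface>` is present, and it uses the two interface subnets stated in the thread.

```python
"""Added model of PIX identity statics and proxy ARP scope (not from the thread)."""
from ipaddress import IPv4Network

# Directly connected subnets as stated in the thread (constructed table).
INTERFACES = {
    "inside": IPv4Network("10.34.3.0/24"),
    "outside": IPv4Network("10.34.12.0/24"),
}

def parse_static(line):
    """'static (real_if,mapped_if) mapped real netmask mask' -> (mapped_if, mapped_network)."""
    parts = line.split()
    real_if, mapped_if = parts[1].strip("()").split(",")
    mapped = IPv4Network(f"{parts[2]}/{parts[5]}", strict=False)
    return mapped_if, mapped

def proxy_arp_scope(config):
    """Networks the PIX would answer ARP for on each interface, honoring 'sysopt noproxyarp'.

    Assumption of this model: a static's mapped network is proxy-ARPed on its mapped
    interface; the sysopt line switches that off for the named interface entirely.
    """
    disabled = set()
    scope = {name: [] for name in INTERFACES}
    for line in config:
        if line.startswith("sysopt noproxyarp"):
            disabled.add(line.split()[2])
        elif line.startswith("static"):
            iface, net = parse_static(line)
            scope[iface].append(net)
    return {i: ([] if i in disabled else nets) for i, nets in scope.items()}

def overlapping_interfaces(config):
    """Interfaces where proxy ARP would claim addresses inside the connected subnet.

    Any hit here means the PIX competes with real hosts for ARP on that segment,
    which is the breakage the thread describes.
    """
    return sorted(i for i, nets in proxy_arp_scope(config).items()
                  if any(n.overlaps(INTERFACES[i]) for n in nets))

# The /8 identity statics from the thread, first alone, then with proxy ARP disabled.
THREAD_STATICS = [
    "static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0",
    "static (outside,inside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0",
]
FIXED = THREAD_STATICS + ["sysopt noproxyarp outside", "sysopt noproxyarp inside"]

if __name__ == "__main__":
    print("overlap without sysopt:", overlapping_interfaces(THREAD_STATICS))
    print("overlap with sysopt:   ", overlapping_interfaces(FIXED))
```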
08-25-2008 10:36 PM
Hi Guys. These configuration rows with disabled proxy arp resolved my problem.