Layer 3 routing behind PIX

Answered Question
Jun 8th, 2010

Hello All,


I'm having a difficulty which is probably simple but I can't seem to make it work.  I have a PIX connected to the internet, the outside interface is working fine.  The inside interface is connected to a layer 3 switch with 2 networks.  The two networks are as such:


VLAN Interface 100: 192.168.110.0 255.255.255.0

VLAN Interface 200:  192.168.10.0 255.255.255.0


Then the third VLAN (VLAN 900) is connected to the inside interface of the PIX.  The PIX inside interface is 192.168.0.1 255.255.255.0, and the VLAN 900 interface is 192.168.0.2.  How would I allow both networks to get internet access through the PIX?  Also, how would I PAT a routable IP from the PIX to a private IP on VLAN 200?  Example,


static (inside,outside) tcp xx.xx.xx.xx 2080 192.168.10.5 80 netmask 255.255.255.255


From being logged into the switch, I can ping all hosts on the networks connected to the switch, and I can ping 192.168.0.1 (the inside PIX interface).  I cannot ping the PIX's outside interface, however, or any internet host.


From a PC connected to 192.168.110.0 I can ping all other hosts in that network, as well as hosts in the 192.168.10.0 network.  I can ping the VLAN interface 192.168.0.2 but not other hosts connected to that network, including the PIX inside interface itself.


I want to enable inter-VLAN traffic on the Catalyst 3550 but still enable internet access and PAT with the PIX.  Any suggestions on this would be very much appreciated.

Correct Answer
Jon Marshall Tue, 06/08/2010 - 23:53

On the 3550 -


ip route 0.0.0.0 0.0.0.0 192.168.0.1


on the pix -


route inside 192.168.10.0 255.255.255.0 192.168.0.2

route inside 192.168.110.0 255.255.255.0 192.168.0.2


I'm assuming you already have a default route on the pix pointing to the ISP router's next-hop address.


also on the pix -


nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface


Don't test by trying to ping the outside interface of the pix from an inside PC; this won't work.


Jon
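Added example, not from the thread or from either vendor: a small Python model of the two route tables Jon describes (the ISP next hop is a placeholder). Tracing a reply from the PIX to 192.168.10.5 with and without the two `route inside` lines shows why they matter: without them the PIX's only match is its default route, so the reply heads for the ISP instead of the switch.

```python
import ipaddress

# Constructed model of the thread's topology; not output from either device.
# Each table entry: (prefix, next_hop). "connected" means the device owns it.
SWITCH_3550 = [
    ("192.168.110.0/24", "connected"),   # VLAN 100
    ("192.168.10.0/24", "connected"),    # VLAN 200
    ("192.168.0.0/24", "connected"),     # VLAN 900, link to the PIX
    ("0.0.0.0/0", "192.168.0.1"),        # ip route 0.0.0.0 0.0.0.0 192.168.0.1
]
PIX_FIXED = [
    ("192.168.0.0/24", "connected"),     # PIX inside interface
    ("192.168.10.0/24", "192.168.0.2"),  # route inside 192.168.10.0 ... 192.168.0.2
    ("192.168.110.0/24", "192.168.0.2"), # route inside 192.168.110.0 ... 192.168.0.2
    ("0.0.0.0/0", "ISP_NEXT_HOP"),       # default route; placeholder for the ISP hop
]
# The same PIX without the two "route inside" lines (the state before the fix).
PIX_BROKEN = [r for r in PIX_FIXED if r[1] != "192.168.0.2"]

DEVICE_BY_ADDR = {"192.168.0.1": "PIX", "192.168.0.2": "3550"}

def lookup(table, dst):
    """Longest-prefix match: next hop for dst, or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def trace(start, dst, tables):
    """Hop-by-hop path of a packet for dst, beginning at device `start`."""
    path, device = [start], start
    for _ in range(8):  # bounded so a misconfigured loop still terminates
        next_hop = lookup(tables[device], dst)
        if next_hop is None:
            return path + ["dropped: no route"]
        if next_hop == "connected":
            return path + [f"delivered to {dst}"]
        if next_hop not in DEVICE_BY_ADDR:
            return path + [f"forwarded to {next_hop}"]
        device = DEVICE_BY_ADDR[next_hop]
        path.append(device)
    return path + ["loop"]

FIXED = {"3550": SWITCH_3550, "PIX": PIX_FIXED}
BROKEN = {"3550": SWITCH_3550, "PIX": PIX_BROKEN}
```

`trace("PIX", "192.168.10.5", BROKEN)` returns `["PIX", "forwarded to ISP_NEXT_HOP"]`, which is the asymmetric path behind the "can't reach the internet" symptom; with `FIXED` the reply goes back through the 3550.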

fieryhail Wed, 06/09/2010 - 00:12

Thank you very much Jon for the reply.  I feel like an idiot, I should have thought of that, lol.  I will be trying that shortly.  I do have one other question though, in regards to inbound traffic from the internet.  I assume that I can still set up static NAT statements on the PIX such as:


static (inside,outside) tcp xx.xx.xx.171 2080 192.168.1.10 80 netmask 255.255.255.255

static (inside,outside) tcp xx.xx.xx.171 3080 192.168.2.10 80 netmask 255.255.255.255


And so on and so forth?  Thanks again in advance.  Also, will let you know how this works out shortly.

Correct Answer
Jon Marshall Wed, 06/09/2010 - 00:35

Yes, you can use those static statements for inbound traffic to your servers from the internet.


Jon

fieryhail Wed, 06/09/2010 - 00:54

Once again, my sincere gratitude for your assistance in this matter Jon.  Sometimes it is the smallest things that can drive a person crazy lol.  Your help is much appreciated.

Jon Marshall Wed, 06/09/2010 - 00:59

Sometimes it is the smallest things that can drive a person crazy lol.


I know exactly what you mean.


Glad to have helped and thanks for the ratings.


Jon
