Layer 3 routing behind PIX

Answered Question
Jun 8th, 2010

Hello All,

I'm having a difficulty which is probably simple but I can't seem to make it work.  I have a PIX connected to the internet, the outside interface is working fine.  The inside interface is connected to a layer 3 switch with 2 networks.  The two networks are as such:

VLAN Interface 100: 192.168.110.0 255.255.255.0

VLAN Interface 200:  192.168.10.0 255.255.255.0

Then the third vlan (vlan 900) is connected to the inside interface of a PIX.  The PIX inside interface is 192.168.0.1 255.255.255.0, vlan900 interface is 192.168.0.2.  How would I allow both networks to get internet access through the PIX?  Also, how would I PAT a routable IP from the PIX to a private IP on VLAN 200?  Example,

static (inside,outside) tcp xx.xx.xx.xx 2080 192.168.10.5 80 netmask 255.255.255.255

From being logged into the switch, I can ping all hosts on the networks connected to the switch, I can ping 192.168.0.1 (the inside PIX interface).  I can not ping the PIX's outside interface however, or any internet host.

From a PC connected to 192.168.110.0 I can ping all other hosts in that network, as well as hosts in the 192.168.10.0 network.  I can ping the vlan interface 192.168.0.2 but not other hosts connected to that network, including the PIX inside interface itself.

I want to enable intervlan traffic on the Catalyst 3550 but still enable internet access and PAT with the PIX.  Any suggestions in this would be very much appreciated.

Correct Answer
Jon Marshall Tue, 06/08/2010 - 23:53

fieryhail wrote:

Hello All,

I'm having a difficulty which is probably simple but I can't seem to make it work.  I have a PIX connected to the internet, the outside interface is working fine.  The inside interface is connected to a layer 3 switch with 2 networks.  The two networks are as such:

VLAN Interface 100: 192.168.110.0 255.255.255.0

VLAN Interface 200:  192.168.10.0 255.255.255.0

Then the third vlan (vlan 900) is connected to the inside interface of a PIX.  The PIX inside interface is 192.168.0.1 255.255.255.0, vlan900 interface is 192.168.0.2.  How would I allow both networks to get internet access through the PIX?  Also, how would I PAT a routable IP from the PIX to a private IP on VLAN 200?  Example,

static (inside,outside) tcp xx.xx.xx.xx 2080 192.168.10.5 80 netmask 255.255.255.255

From being logged into the switch, I can ping all hosts on the networks connected to the switch, I can ping 192.168.0.1 (the inside PIX interface).  I can not ping the PIX's outside interface however, or any internet host.

From a PC connected to 192.168.110.0 I can ping all other hosts in that network, as well as hosts in the 192.168.10.0 network.  I can ping the vlan interface 192.168.0.2 but not other hosts connected to that network, including the PIX inside interface itself.

I want to enable intervlan traffic on the Catalyst 3550 but still enable internet access and PAT with the PIX.  Any suggestions in this would be very much appreciated.

On the 3550 -

ip route 0.0.0.0 0.0.0.0 192.168.0.1

on the pix -

route inside 192.168.10.0 255.255.255.0 192.168.0.2

route inside 192.168.110.0 255.255.255.0 192.168.0.2

I'm assuming you already have a default route on the PIX pointing at the ISP router's next-hop address

also on the pix -

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

Don't test by trying to ping the outside interface of the PIX from an inside PC; this won't work.

Jon

fieryhail Wed, 06/09/2010 - 00:12

Thank you very much Jon for the reply.  I feel like an idiot, I should have thought of that, lol.  I will be trying that shortly.  I do have one other question though, in regard to inbound traffic from the internet.  I assume that I can still set up static NAT statements on the PIX such as:

static (inside,outside) tcp xx.xx.xx.171 2080 192.168.1.10 80 netmask 255.255.255.255

static (inside,outside) tcp xx.xx.xx.171 3080 192.168.2.10 80 netmask 255.255.255.255

And so on and so forth?  Thanks again in advance.  Also, will let you know how this works out shortly.

Correct Answer
Jon Marshall Wed, 06/09/2010 - 00:35

fieryhail wrote:

Thank you very much Jon for the reply.  I feel like an idiot, I should have thought of that, lol.  I will be trying that shortly.  I do have one other question though, in regard to inbound traffic from the internet.  I assume that I can still set up static NAT statements on the PIX such as:

static (inside,outside) tcp xx.xx.xx.171 2080 192.168.1.10 80 netmask 255.255.255.255

static (inside,outside) tcp xx.xx.xx.171 3080 192.168.2.10 80 netmask 255.255.255.255

And so on and so forth?  Thanks again in advance.  Also, will let you know how this works out shortly.

Yes you can use those static statements for inbound traffic to your servers from the internet.

Jon
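As an added example (not code from this thread or from Cisco), here is a small Python model of the routing tables Jon describes plus the static from the follow-up: it shows why the PIX needs the two route inside entries (without them, a reply to a 192.168.110.x host follows the PIX default route out the outside interface rather than back to 192.168.0.2, consistent with the PC reaching 192.168.0.2 but not 192.168.0.1) and where an inbound connection to a mapped port is forwarded once the static exists. The outside subnet 198.51.100.0/24, the ISP next hop 198.51.100.10 and 198.51.100.171 standing in for xx.xx.xx.171 are constructed placeholders.

```python
import ipaddress

# Routing tables from the thread, plus the static PAT from the follow-up post.
# Constructed values (not from the thread): the PIX outside subnet 198.51.100.0/24,
# the ISP next hop 198.51.100.10, and 198.51.100.171 standing in for "xx.xx.xx.171".
ISP_NEXT_HOP = "198.51.100.10"

SWITCH_3550 = [                   # (prefix, next hop or None if connected, interface)
    ("192.168.110.0/24", None, "Vlan100"),
    ("192.168.10.0/24", None, "Vlan200"),
    ("192.168.0.0/24", None, "Vlan900"),
    ("0.0.0.0/0", "192.168.0.1", "Vlan900"),   # ip route 0.0.0.0 0.0.0.0 192.168.0.1
]

def pix_table(with_inside_routes):
    """PIX routing table, with or without Jon's two 'route inside' lines."""
    table = [
        ("192.168.0.0/24", None, "inside"),
        ("198.51.100.0/24", None, "outside"),
        ("0.0.0.0/0", ISP_NEXT_HOP, "outside"),   # default route toward the ISP
    ]
    if with_inside_routes:
        table.append(("192.168.10.0/24", "192.168.0.2", "inside"))
        table.append(("192.168.110.0/24", "192.168.0.2", "inside"))
    return table

# static (inside,outside) tcp 198.51.100.171 2080 192.168.10.5 80 netmask 255.255.255.255
STATIC_PAT = {("tcp", "198.51.100.171", 2080): ("192.168.10.5", 80)}

def lookup(table, dst):
    """Longest-prefix match; returns (next_hop, interface) or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, ifc in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, ifc)
    return None if best is None else (best[1], best[2])

def inbound(pix, proto, mapped_ip, mapped_port):
    """Untranslate an inbound connection via the static and find where the PIX sends it."""
    real = STATIC_PAT.get((proto, mapped_ip, mapped_port))
    if real is None:
        return None               # no matching static: unsolicited inbound traffic is dropped
    next_hop, ifc = lookup(pix, real[0])
    return real, next_hop, ifc
```

Compare lookup(pix_table(False), "192.168.110.10") with lookup(pix_table(True), "192.168.110.10"): only the second returns the 3550 as next hop on the inside interface.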

fieryhail Wed, 06/09/2010 - 00:54

Once again, my sincere gratitude for your assistance in this matter Jon.  Sometimes it is the smallest things that can drive a person crazy lol.  Your help is much appreciated.

Jon Marshall Wed, 06/09/2010 - 00:59

Sometimes it is the smallest things that can drive a person crazy lol.

I know exactly what you mean

Glad to have helped and thanks for the ratings.

Jon
