
Layer 3 routing behind PIX

fieryhail
Level 1

Hello All,

I'm having a difficulty which is probably simple but I can't seem to make it work.  I have a PIX connected to the internet, the outside interface is working fine.  The inside interface is connected to a layer 3 switch with 2 networks.  The two networks are as such:

VLAN Interface 100: 192.168.110.0 255.255.255.0

VLAN Interface 200:  192.168.10.0 255.255.255.0

Then the third vlan (vlan 900) is connected to inside interface of a PIX.  The PIX inside interface is 192.168.0.1 255.255.255.0, vlan900 interface is 192.168.0.2.  How would I allow both networks to get internet access through the PIX?  Also, how would I PAT a routable IP from the PIX to a private IP on VLAN 200?  Example,

static (outside,inside) xx.xx.xx.xx 2080 192.168.10.5 80 netmask 255.255.255.255

From being logged into the switch, I can ping all hosts on the networks connected to the switch, I can ping 192.168.0.1 (the inside PIX interface).  I can not ping the PIX's outside interface however, or any internet host.

From a PC connected to 192.168.110.0 I can ping all other hosts in that network, as well as hosts in the 192.168.10.0 network.  I can ping the vlan interface 192.168.0.2 but not other hosts connected to that network, including the PIX inside interface itself.

I want to enable intervlan traffic on the Catalyst 3550 but still enable internet access and PAT with the PIX.  Any suggestions in this would be very much appreciated.


5 Replies

Jon Marshall
Hall of Fame

fieryhail wrote:

Hello All,

I'm having a difficulty which is probably simple but I can't seem to make it work.  I have a PIX connected to the internet, the outside interface is working fine.  The inside interface is connected to a layer 3 switch with 2 networks.  The two networks are as such:

VLAN Interface 100: 192.168.110.0 255.255.255.0

VLAN Interface 200:  192.168.10.0 255.255.255.0

Then the third vlan (vlan 900) is connected to inside interface of a PIX.  The PIX inside interface is 192.168.0.1 255.255.255.0, vlan900 interface is 192.168.0.2.  How would I allow both networks to get internet access through the PIX?  Also, how would I PAT a routable IP from the PIX to a private IP on VLAN 200?  Example,

static (outside,inside) xx.xx.xx.xx 2080 192.168.10.5 80 netmask 255.255.255.255

From being logged into the switch, I can ping all hosts on the networks connected to the switch, I can ping 192.168.0.1 (the inside PIX interface).  I can not ping the PIX's outside interface however, or any internet host.

From a PC connected to 192.168.110.0 I can ping all other hosts in that network, as well as hosts in the 192.168.10.0 network.  I can ping the vlan interface 192.168.0.2 but not other hosts connected to that network, including the PIX inside interface itself.

I want to enable intervlan traffic on the Catalyst 3550 but still enable internet access and PAT with the PIX.  Any suggestions in this would be very much appreciated.

On the 3550 -

ip route 0.0.0.0 0.0.0.0 192.168.0.1

on the pix -

route inside 192.168.10.0 255.255.255.0 192.168.0.2

route inside 192.168.110.0 255.255.255.0 192.168.0.2

I'm assuming you already have a default route on the PIX pointing to the ISP router's next-hop address.

also on the pix -

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

Don't test by trying to ping the outside interface of the pix from an inside PC, this won't work.

Jon

Thank you very much Jon for the reply.  I feel like an idiot, I should have thought of that, lol.  I will be trying that shortly.  I do have one other question though.  In regards to inbound traffic from the internet.  I assume that I can still setup static nat statements on the PIX such as:

static (inside,outside) tcp xx.xx.xx.171 2080 192.168.1.10 80 netmask 255.255.255.255

static (inside,outside) tcp xx.xx.xx.171 3080 192.168.2.10 80 netmask 255.255.255.255

And so on and so forth?  Thanks again in advance.  Also, will let you know how this works out shortly.

fieryhail wrote:

Thank you very much Jon for the reply.  I feel like an idiot, I should have thought of that, lol.  I will be trying that shortly.  I do have one other question though.  In regards to inbound traffic from the internet.  I assume that I can still setup static nat statements on the PIX such as:

static (inside,outside) tcp xx.xx.xx.171 2080 192.168.1.10 80 netmask 255.255.255.255

static (inside,outside) tcp xx.xx.xx.171 3080 192.168.2.10 80 netmask 255.255.255.255

And so on and so forth?  Thanks again in advance.  Also, will let you know how this works out shortly.

Yes you can use those static statements for inbound traffic to your servers from the internet.

Jon
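The two fixes in this thread (Jon's `route inside` lines so the PIX can send replies back through the 3550, and the static statements for inbound connections) both depend on the PIX having a route to the real inside host. The script below is an added illustration written for this page, not PIX or IOS code and not anything the posters ran: it parses the route and static lines quoted above, does a longest-prefix lookup on a model of the 3550 and the PIX, and shows that with only a default route the reply to a 192.168.110.0 host would be looked up out the outside interface, while with Jon's two routes it goes back inside. It also flags any static whose real address has no inside route. The ISP next hop and the public address the thread masks as xx.xx.xx.171 are constructed placeholders from 203.0.113.0/24; the second static deliberately uses the follow-up post's 192.168.1.10, which neither of Jon's inside routes covers, so the check reports it.

```python
"""Forwarding-path check for the PIX + Catalyst 3550 setup in this thread.

Added illustration, not PIX or IOS code. Masked addresses in the thread
(ISP next hop, public xx.xx.xx.171) are constructed 203.0.113.0/24 placeholders.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    iface: str
    network: ipaddress.IPv4Network
    next_hop: str


class Static(NamedTuple):
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int


# Constructed: the PIX before Jon's reply, default route and PAT only.
PIX_BEFORE = """
route outside 0.0.0.0 0.0.0.0 203.0.113.1
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""

# Constructed: same PIX plus Jon's inside routes and two statics
# (public address is a placeholder; 192.168.1.10 is from the follow-up post).
PIX_AFTER = PIX_BEFORE + """
route inside 192.168.10.0 255.255.255.0 192.168.0.2
route inside 192.168.110.0 255.255.255.0 192.168.0.2
static (inside,outside) tcp 203.0.113.171 2080 192.168.10.5 80 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.171 3080 192.168.1.10 80 netmask 255.255.255.255
"""

ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\d+) (\S+) (\d+) netmask \S+$")


def parse_pix(config: str) -> Tuple[List[Route], List[Static]]:
    """Pull route and static-PAT lines out of PIX 6.x style config text."""
    routes, statics = [], []
    for line in config.strip().splitlines():
        line = line.strip()
        if m := ROUTE_RE.match(line):
            iface, net, mask, gw = m.groups()
            routes.append(Route(iface, ipaddress.IPv4Network(f"{net}/{mask}"), gw))
        elif m := STATIC_RE.match(line):
            _real_ifc, _mapped_ifc, mip, mport, rip, rport = m.groups()
            statics.append(Static(mip, int(mport), rip, int(rport)))
    return routes, statics


def switch_routes() -> List[Route]:
    """The 3550: connected SVIs from the question plus Jon's default route."""
    return [
        Route("Vlan100", ipaddress.IPv4Network("192.168.110.0/24"), "connected"),
        Route("Vlan200", ipaddress.IPv4Network("192.168.10.0/24"), "connected"),
        Route("Vlan900", ipaddress.IPv4Network("192.168.0.0/24"), "connected"),
        Route("Vlan900", ipaddress.IPv4Network("0.0.0.0/0"), "192.168.0.1"),
    ]


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the rule both boxes apply."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)


def outbound_path(pix_routes: List[Route], src: str, dst: str) -> Tuple[str, str, str]:
    """(3550 next hop, PIX egress iface for dst, PIX iface for the reply to src).

    The third value is what the original setup got wrong: after the PIX
    un-translates a returning packet it needs an inside route for src; with
    only a default route it picks 'outside' and the reply never gets back.
    """
    hop, fwd, back = lookup(switch_routes(), dst), lookup(pix_routes, dst), lookup(pix_routes, src)
    return (hop.next_hop if hop else "none",
            fwd.iface if fwd else "none",
            back.iface if back else "none")


def outbound_ok(pix_routes: List[Route], src: str, dst: str) -> bool:
    hop, fwd, back = outbound_path(pix_routes, src, dst)
    return hop == "192.168.0.1" and fwd == "outside" and back == "inside"


def unreachable_statics(pix_routes: List[Route], statics: List[Static]) -> List[str]:
    """Real addresses of statics that no inside route covers (translated, then dropped)."""
    return [s.real_ip for s in statics
            if (r := lookup(pix_routes, s.real_ip)) is None or r.iface != "inside"]


if __name__ == "__main__":
    for label, cfg in (("before", PIX_BEFORE), ("after", PIX_AFTER)):
        routes, statics = parse_pix(cfg)
        print(label, outbound_path(routes, "192.168.110.20", "198.51.100.7"))
        print(label, "statics without an inside route:", unreachable_statics(routes, statics))
```

Running it prints the reply interface flipping from `outside` to `inside` once the two `route inside` lines are present, and lists 192.168.1.10 under the "after" config because only 192.168.10.0/24 and 192.168.110.0/24 are routed inside; a static for a host in any other VLAN needs its own `route inside` entry on the PIX.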

Once again, my sincere gratitude for your assistance in this matter Jon.  Sometimes it is the smallest things that can drive a person crazy lol.  Your help is much appreciated.

Sometimes it is the smallest things that can drive a person crazy lol.

I know exactly what you mean

Glad to have helped and thanks for the ratings.

Jon
