06-08-2010 08:08 PM - edited 03-06-2019 11:29 AM
Hello All,
I'm having a difficulty which is probably simple but I can't seem to make it work. I have a PIX connected to the internet, the outside interface is working fine. The inside interface is connected to a layer 3 switch with 2 networks. The two networks are as such:
VLAN Interface 100: 192.168.110.0 255.255.255.0
VLAN Interface 200: 192.168.10.0 255.255.255.0
Then the third vlan (vlan 900) is connected to inside interface of a PIX. The PIX inside interface is 192.168.0.1 255.255.255.0, vlan900 interface is 192.168.0.2. How would I allow both networks to get internet access through the PIX? Also, how would I PAT a routable IP from the PIX to a private IP on VLAN 200? Example,
static (outside,inside) xx.xx.xx.xx 2080 192.168.10.5 80 netmask 255.255.255.255
From being logged into the switch, I can ping all hosts on the networks connected to the switch, I can ping 192.168.0.1 (the inside PIX interface). I can not ping the PIX's outside interface however, or any internet host.
From a PC connected to 192.168.110.0 I can ping all other hosts in that network, as well as hosts in the 192.168.10.0 network. I can ping the vlan interface 192.168.0.2 but not other hosts connected to that network, including the PIX inside interface itself.
I want to enable intervlan traffic on the Catalyst 3550 but still enable internet access and PAT with the PIX. Any suggestions in this would be very much appreciated.
06-08-2010 11:53 PM
fieryhail wrote:
Hello All,
I'm having a difficulty which is probably simple but I can't seem to make it work. I have a PIX connected to the internet, the outside interface is working fine. The inside interface is connected to a layer 3 switch with 2 networks. The two networks are as such:
VLAN Interface 100: 192.168.110.0 255.255.255.0
VLAN Interface 200: 192.168.10.0 255.255.255.0
Then the third vlan (vlan 900) is connected to inside interface of a PIX. The PIX inside interface is 192.168.0.1 255.255.255.0, vlan900 interface is 192.168.0.2. How would I allow both networks to get internet access through the PIX? Also, how would I PAT a routable IP from the PIX to a private IP on VLAN 200? Example,
static (outside,inside) xx.xx.xx.xx 2080 192.168.10.5 80 netmask 255.255.255.255
From being logged into the switch, I can ping all hosts on the networks connected to the switch, I can ping 192.168.0.1 (the inside PIX interface). I can not ping the PIX's outside interface however, or any internet host.
From a PC connected to 192.168.110.0 I can ping all other hosts in that network, as well as hosts in the 192.168.10.0 network. I can ping the vlan interface 192.168.0.2 but not other hosts connected to that network, including the PIX inside interface itself.
I want to enable intervlan traffic on the Catalyst 3550 but still enable internet access and PAT with the PIX. Any suggestions in this would be very much appreciated.
On the 3550 -
ip route 0.0.0.0 0.0.0.0 192.168.0.1
on the pix -
route inside 192.168.10.0 255.255.255.0 192.168.0.2
route inside 192.168.110.0 255.255.255.0 192.168.0.2
I'm assuming you already have a default-route on the pix pointing to the ISP router next-hop address
also on the pix -
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
Don't test by trying to ping the outside interface of the pix from an inside PC, this won't work.
Jon
06-09-2010 12:12 AM
Thank you very much Jon for the reply. I feel like an idiot, I should have thought of that, lol. I will be trying that shortly. I do have one other question though. In regards to inbound traffic from the internet. I assume that I can still set up static nat statements on the PIX such as:
static (inside,outside) tcp xx.xx.xx.171 2080 192.168.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.171 3080 192.168.2.10 80 netmask 255.255.255.255
And so on and so forth? Thanks again in advance. Also, will let you know how this works out shortly.
06-09-2010 12:35 AM
fieryhail wrote:
Thank you very much Jon for the reply. I feel like an idiot, I should have thought of that, lol. I will be trying that shortly. I do have one other question though. In regards to inbound traffic from the internet. I assume that I can still set up static nat statements on the PIX such as:
static (inside,outside) tcp xx.xx.xx.171 2080 192.168.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.171 3080 192.168.2.10 80 netmask 255.255.255.255
And so on and so forth? Thanks again in advance. Also, will let you know how this works out shortly.
Yes you can use those static statements for inbound traffic to your servers from the internet.
Jon
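To show why the two route inside statements in the answer are needed, and what they imply for the static port forwards discussed above, here is an added example (not part of the original thread) that models the PIX route lookup in Python. The outside network 203.0.113.0/24, the default-route next hop, the probe host 192.168.110.20 and the first static line are constructed for illustration; the function names are hypothetical.

```python
import ipaddress

# Constructed sample data: 203.0.113.0/24 stands in for the unspecified outside network.
CONNECTED = [(ipaddress.ip_network("192.168.0.0/24"), "inside"),
             (ipaddress.ip_network("203.0.113.0/24"), "outside")]
BEFORE = "route outside 0.0.0.0 0.0.0.0 203.0.113.1"  # assumed existing default route
AFTER = BEFORE + """
route inside 192.168.10.0 255.255.255.0 192.168.0.2
route inside 192.168.110.0 255.255.255.0 192.168.0.2"""
# First line is constructed (host taken from the first post); the other two are from the follow-up.
STATICS = """
static (inside,outside) tcp xx.xx.xx.171 1080 192.168.10.5 80 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.171 2080 192.168.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.171 3080 192.168.2.10 80 netmask 255.255.255.255"""

def parse_routes(config):
    """Turn 'route <if> <net> <mask> <gateway>' lines into (network, interface, gateway)."""
    routes = []
    for parts in (line.split() for line in config.splitlines()):
        if len(parts) >= 5 and parts[0] == "route":
            prefix = bin(int(ipaddress.ip_address(parts[3]))).count("1")
            routes.append((ipaddress.ip_network(f"{parts[2]}/{prefix}"), parts[1], parts[4]))
    return routes

def lookup(routes, dest):
    """Longest-prefix match. Returns (interface, next_hop); next_hop is None when connected."""
    addr = ipaddress.ip_address(dest)
    table = [(net, ifc, None) for net, ifc in CONNECTED] + routes
    hits = [entry for entry in table if addr in entry[0]]
    if not hits:
        return None
    _, ifc, gateway = max(hits, key=lambda entry: entry[0].prefixlen)
    return ifc, gateway

def misrouted_statics(routes, config):
    """Real addresses of port-forward statics that do not route out the inside interface."""
    bad = []
    for parts in (line.split() for line in config.splitlines()):
        if len(parts) >= 7 and parts[0] == "static" and parts[2] in ("tcp", "udp"):
            real_ip = parts[5]  # address of the inside server being published
            hop = lookup(routes, real_ip)
            if hop is None or hop[0] != "inside":
                bad.append(real_ip)
    return bad

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, "packet to 192.168.110.20 ->", lookup(parse_routes(cfg), "192.168.110.20"))
    print("statics with no inside route:", misrouted_statics(parse_routes(AFTER), STATICS))
```

The two follow-up statics are flagged only because their example addresses fall outside the 192.168.10.0/24 and 192.168.110.0/24 networks routed to the switch; a server on any other inside network would need its own route inside statement.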
06-09-2010 12:54 AM
Once again, my sincere gratitude for your assistance in this matter Jon. Sometimes it is the smallest things that can drive a person crazy lol. Your help is much appreciated.
06-09-2010 12:59 AM
Sometimes it is the smallest things that can drive a person crazy lol.
I know exactly what you mean.
Glad to have helped and thanks for the ratings.
Jon