I have a requirement like this:
An L3 switch is connected to a PIX, and that PIX is connected to other networks.
I have created L3 VLANs on the switch (3 VLANs created and assigned 3 different subnets).
My requirement says all VLANs must be able to ping the PIX gateway, and all VLANs must also reach the other networks;
traffic must flow both ways.
It would be great if experts could help me with sample commands, how to add routes for reachability, etc.
The static statement is called identity NAT. It will instruct the firewall to pass 192.168.1.0 traffic from the inside interface to the outside interface without any change (i.e. no NAT). It will also instruct the firewall to allow connections originated on the outside interface to the hosts belonging to the 192.168.1.x subnet (bi-directional traffic). So, in other words, with that configuration, the hosts on the outside subnet will be able to see the actual IP of the inside VLAN hosts and they will be able to initiate connections to those devices.
Hope this helps.
Assume that the 3 VLAN IP addresses are 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24, with the firewall being in the 192.168.1.x subnet. Let the switch SVI address be 192.168.1.1 and the PIX address be 192.168.1.2. Let the remote network be 172.16.x.x.
On the Switch:
! IOS: enable inter-VLAN routing on the L3 switch (the SVIs do not route without it)
ip routing
interface vlan 1
 ip address 192.168.1.1 255.255.255.0
 no shutdown
interface vlan 2
 ip address 192.168.2.1 255.255.255.0
 no shutdown
interface vlan 3
 ip address 192.168.3.1 255.255.255.0
 no shutdown
! default route toward the PIX inside interface
ip route 0.0.0.0 0.0.0.0 192.168.1.2
On the firewall:
: PIX 6.x syntax: 'ip address' takes the interface name (assumes nameif outside/inside exist)
ip address outside 172.16.1.1 255.255.255.0
ip address inside 192.168.1.2 255.255.255.0
: VLAN 2 and 3 live behind the switch SVI, so point them at 192.168.1.1
: (192.168.1.0/24 is directly connected to the inside interface, no route needed)
route inside 192.168.2.0 255.255.255.0 192.168.1.1
route inside 192.168.3.0 255.255.255.0 192.168.1.1
: if 172.16.0.0/16 extends beyond the connected 172.16.1.0/24, a 'route outside' to the
: next hop on that side is also needed (that next hop is not given in this thread)
: identity NAT: mapped and real address are the same, so no translation is applied
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,outside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (inside,outside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
: inbound ACL: permits ALL IP from 172.16.0.0/16 to the real addresses of the three VLANs;
: narrow the protocol/port and destination hosts to what is actually required
access-list outside_permit_in permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list outside_permit_in permit ip 172.16.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list outside_permit_in permit ip 172.16.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-group outside_permit_in in interface outside
In the above example, both 172.16.x.x and 192.168.x.x can communicate seamlessly. If you want to restrict the communication, you can change the access-list rules accordingly.
Hope this helps.
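As an added example (not code from this thread or from Cisco), here is a small Python linter for the pattern in the answer above. It parses only the subset of PIX 6.x syntax used there (ip address, route, static, access-list, access-group), confirms each static is identity NAT, checks that every identity-NAT'd subnet that is not on the PIX's own inside wire has a matching route entry, and flags inbound permit ip entries that reach those real inside addresses. The two embedded configs are constructed for the example; the host 192.168.2.10 and the tcp/443 entry in the tightened variant are assumptions, not part of the thread.

```python
"""Lint a PIX 6.x-style fragment for the identity-NAT plus inbound-ACL pattern.
Added example, not code from the thread; handles only the syntax subset used there."""
import ipaddress

# Constructed sample: the firewall fragment from the answer, with the 'ip address'
# lines in full PIX 6.x form (interface name included).
SAMPLE_PIX_CONFIG = """
ip address outside 172.16.1.1 255.255.255.0
ip address inside 192.168.1.2 255.255.255.0
route inside 192.168.2.0 255.255.255.0 192.168.1.1
route inside 192.168.3.0 255.255.255.0 192.168.1.1
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,outside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (inside,outside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
access-list outside_permit_in permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list outside_permit_in permit ip 172.16.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list outside_permit_in permit ip 172.16.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-group outside_permit_in in interface outside
"""

# Constructed variant: inbound access narrowed to one TCP service on one (assumed)
# host, but the 'route inside' for VLAN 3 has been left out.
TIGHTENED_PIX_CONFIG = """
ip address outside 172.16.1.1 255.255.255.0
ip address inside 192.168.1.2 255.255.255.0
route inside 192.168.2.0 255.255.255.0 192.168.1.1
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,outside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (inside,outside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
access-list outside_permit_in permit tcp 172.16.0.0 255.255.0.0 host 192.168.2.10 eq 443
access-group outside_permit_in in interface outside
"""


def _net(tok, i):
    """Parse an ACL address operand at tok[i]: 'any', 'host A', or 'A MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tok[i] + "/" + tok[i + 1]), i + 2


def parse_pix(text):
    """Return interfaces, routes, statics, ACL entries and inbound ACL bindings."""
    cfg = {"ifaces": {}, "routes": {}, "statics": [], "acls": {}, "groups": {}}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith(":"):      # ':' starts a PIX comment line
            continue
        if tok[:2] == ["ip", "address"]:
            cfg["ifaces"][tok[2]] = ipaddress.ip_interface(tok[3] + "/" + tok[4])
        elif tok[0] == "route":
            net = ipaddress.ip_network(tok[2] + "/" + tok[3])
            cfg["routes"].setdefault(tok[1], []).append((net, tok[4]))
        elif tok[0] == "static":                   # static (real,mapped) MAPPED REAL netmask M
            real_ifc, mapped_ifc = tok[1].strip("()").split(",")
            mask = tok[5] if len(tok) > 5 and tok[4] == "netmask" else "255.255.255.255"
            cfg["statics"].append((real_ifc, mapped_ifc,
                                   ipaddress.ip_network(tok[2] + "/" + mask),
                                   ipaddress.ip_network(tok[3] + "/" + mask)))
        elif tok[0] == "access-list" and tok[2] in ("permit", "deny"):
            src, i = _net(tok, 4)
            dst, _ = _net(tok, i)                  # trailing port qualifiers ignored
            cfg["acls"].setdefault(tok[1], []).append((tok[2], tok[3], src, dst))
        elif tok[0] == "access-group":             # access-group NAME in interface IFC
            cfg["groups"][tok[4]] = tok[1]
    return cfg


def audit_pix(text):
    """Return (kind, detail) findings: not_identity, missing_route, broad_inbound."""
    cfg = parse_pix(text)
    findings, identity = [], []
    for real_ifc, mapped_ifc, mapped, real in cfg["statics"]:
        if mapped != real:
            findings.append(("not_identity", f"static translates {real} to {mapped}"))
            continue
        identity.append((mapped_ifc, real))
        # Return traffic for an identity-NAT'd subnet must be routable: either the
        # subnet sits on the real interface's own wire, or a 'route <ifc>' covers it.
        ifc_addr = cfg["ifaces"].get(real_ifc)
        connected = ifc_addr is not None and real.subnet_of(ifc_addr.network)
        routed = any(real.subnet_of(n) for n, _ in cfg["routes"].get(real_ifc, []))
        if not (connected or routed):
            findings.append(("missing_route", f"no 'route {real_ifc}' for {real}"))
    # An inbound 'permit ip' on the mapped interface that overlaps an identity-NAT'd
    # subnet lets every source host open any connection to the real inside addresses.
    for ifc, acl in cfg["groups"].items():
        for action, proto, src, dst in cfg["acls"].get(acl, []):
            if action != "permit" or proto != "ip":
                continue
            for mapped_ifc, real in identity:
                if mapped_ifc == ifc and dst.overlaps(real):
                    findings.append(("broad_inbound",
                                     f"{acl}: permit ip {src} -> {dst} exposes real subnet {real}"))
    return findings
```

Running audit_pix on the answer's config reports three broad_inbound findings and nothing else, which is the "communicate seamlessly" state the answer describes; the tightened variant clears those but surfaces the missing route for 192.168.3.0/24, the failure mode where VLAN 3 can send outbound but never sees replies because the PIX has no path back to it.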