07-14-2010 08:27 PM - edited 03-11-2019 11:11 AM
Hi,
I have a requirement like this:
An L3 switch is connected to a PIX, and that PIX is connected to other networks.
TOPOLOGY
--------------------
Switch--->PIX--->Other networks
I have created L3 VLANs on the switch (3 VLANs created and assigned 3 different subnets).
My requirement says all VLANs must ping the PIX gateway, and all VLANs must also reach the other networks.
Traffic must flow both ways.
It would be great if experts can help me with sample commands, how to put routes for reachability, etc.
Thanks,
Pramod KG
07-14-2010 08:36 PM
Hello,
Assume that the 3 VLAN IP addresses are 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24, with the firewall being in the 192.168.1.x subnet. Let the switch SVI address be 192.168.1.1 and the PIX address be 192.168.1.2. Let the remote network be 172.16.x.x.
On the Switch:
interface vlan 1
ip address 192.168.1.1 255.255.255.0
exit
interface vlan 2
ip address 192.168.2.1 255.255.255.0
exit
interface vlan 3
ip address 192.168.3.1 255.255.255.0
exit
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.1.2
On the firewall:
interface Ethernet0
nameif outside
security-level 0
ip address 172.16.1.1 255.255.255.0
exit
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
exit
route inside 192.168.2.0 255.255.255.0 192.168.1.1
route inside 192.168.3.0 255.255.255.0 192.168.1.1
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,outside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (inside,outside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
access-list outside_permit_in permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list outside_permit_in permit ip 172.16.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list outside_permit_in permit ip 172.16.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-group outside_permit_in in interface outside
In the above example, both 172.16.x.x and 192.168.x.x can communicate seamlessly. If you want to restrict the communication, you can change the access-list rules accordingly.
Hope this helps.
Regards,
NT
07-14-2010 09:24 PM
Thanks a lot Naga for your excellent reply!
I have a doubt:
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
Can you please explain what exactly the above command does?
Why is the subnet the same for both inside and outside?
07-14-2010 09:30 PM
Hello,
The static statement is called identity NAT. It will instruct the firewall to pass 192.168.1.0 traffic from the inside interface to the outside interface without any change (i.e., no NAT). It will also instruct the firewall to allow connections originated on the outside interface to the hosts belonging to the 192.168.1.x subnet (bi-directional traffic). So, in other words, with that configuration, the hosts on the outside subnet will be able to see the actual IPs of the inside VLAN hosts and they will be able to initiate connections to those devices.
https://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#SIN1
Hope this helps.
Regards,
NT
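Two-way reachability in the design above depends on four pieces agreeing with each other: the switch default route pointing at the PIX inside address, a PIX route back to every VLAN that is not directly connected (via the switch SVI), an identity static so the inside addresses cross the firewall untranslated, and an inbound ACL on the outside interface, because traffic from a lower to a higher security interface is denied by default. The Python script below is an added example, not code from the thread or from Cisco: it embeds the switch and PIX configuration posted above as constructed input, parses only the command forms that appear there, and reports, per VLAN, which of the four conditions is missing. The parser, the checks and the message strings are my own; nothing here connects to a device.

```python
"""Added example (not from the thread or Cisco): model the switch + PIX sample posted
above and report what would break two-way reachability between each VLAN and the
remote network. Only the command forms that appear in the thread are parsed."""
import ipaddress
from types import SimpleNamespace

# Constructed input: the switch and PIX sides of the sample posted in the thread.
SWITCH_CONFIG = """\
interface vlan 1
ip address 192.168.1.1 255.255.255.0
exit
interface vlan 2
ip address 192.168.2.1 255.255.255.0
exit
interface vlan 3
ip address 192.168.3.1 255.255.255.0
exit
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.1.2
"""
PIX_CONFIG = """\
interface Ethernet0
nameif outside
security-level 0
ip address 172.16.1.1 255.255.255.0
exit
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
exit
route inside 192.168.2.0 255.255.255.0 192.168.1.1
route inside 192.168.3.0 255.255.255.0 192.168.1.1
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,outside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (inside,outside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
access-list outside_permit_in permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list outside_permit_in permit ip 172.16.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list outside_permit_in permit ip 172.16.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-group outside_permit_in in interface outside
"""

def net(addr, mask):  # dotted address + dotted mask -> network, host bits tolerated
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(text):
    """Parse the IOS/PIX command forms used in the thread into one namespace."""
    cfg = SimpleNamespace(ifaces={}, gateway=None, routes=[], identity=[], acls={}, applied={})
    cur = None
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[0] == "interface":
            cur = " ".join(w[1:])  # IOS: the SVI keeps this name ("vlan 1")
        elif w[0] == "nameif":
            cur = w[1]  # PIX: the interface is known by its nameif
        elif w[:2] == ["ip", "address"]:
            cfg.ifaces[cur] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif w[:4] == ["ip", "route", "0.0.0.0", "0.0.0.0"]:
            cfg.gateway = ipaddress.ip_address(w[4])  # switch default route
        elif w[0] == "route":  # route <nameif> <net> <mask> <next-hop>
            cfg.routes.append((w[1], net(w[2], w[3]), ipaddress.ip_address(w[4])))
        elif w[0] == "static" and w[2] == w[3]:  # real == mapped address: identity NAT
            cfg.identity.append(net(w[2], w[5]))
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            cfg.acls.setdefault(w[1], []).append((net(w[4], w[5]), net(w[6], w[7])))
        elif w[0] == "access-group" and w[2] == "in":
            cfg.applied[w[4]] = w[1]  # nameif -> inbound ACL name
    return cfg

def check_vlan(vlan, sw, pix, remote):
    """Reasons two-way traffic between one VLAN subnet and remote would fail."""
    inside = next((n for n, i in pix.ifaces.items() if i.ip == sw.gateway), None)
    if inside is None:
        return [f"switch default route next-hop {sw.gateway} is not a PIX interface"]
    problems, svi_ips = [], {i.ip for i in sw.ifaces.values()}
    # Return path: VLAN directly connected, or routed on that interface via a switch SVI.
    if vlan != pix.ifaces[inside].network and not any(
            n == inside and vlan.subnet_of(r) and nh in svi_ips for n, r, nh in pix.routes):
        problems.append(f"no return route for {vlan} on {inside} via a switch SVI")
    # NAT: an identity static must cover the VLAN so addresses pass untranslated.
    if not any(vlan.subnet_of(i) for i in pix.identity):
        problems.append(f"no identity static (inside,outside) covers {vlan}")
    # Policy: remote -> VLAN is lower-to-higher security, so it needs an inbound permit.
    outside = next((n for n, i in pix.ifaces.items() if i.network.overlaps(remote)), None)
    acl = pix.acls.get(pix.applied.get(outside), [])
    if not any(remote.subnet_of(s) and vlan.subnet_of(d) for s, d in acl):
        problems.append(f"no inbound ACL on {outside} permits {remote} -> {vlan}")
    return problems

def audit(switch_text, pix_text, remote="172.16.0.0/16"):
    """Map each switch SVI to its problems; an empty list means two-way traffic works."""
    sw, pix, remote = parse(switch_text), parse(pix_text), ipaddress.ip_network(remote)
    return {n: check_vlan(i.network, sw, pix, remote) for n, i in sw.ifaces.items()}

if __name__ == "__main__":
    for vlan, problems in audit(SWITCH_CONFIG, PIX_CONFIG).items():
        print(vlan, "OK" if not problems else "; ".join(problems))
```

Run as posted, every VLAN comes back clean. Deleting one `route inside` line, one identity `static`, or the `access-group` line makes the corresponding VLAN fail with the matching message, which is the quickest way to see why each of the four pieces is needed before touching a real device.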
07-15-2010 12:51 AM
Thanks much for your excellent support