Cisco Support Community
PIX access list issues

Hi guys, I have a test PIX 515 here and I have just configured a logical interface as a VLAN. The switch can see the correct VLAN, and the PIX can ping one host on the new VLAN, and vice versa, so the VLAN is operational.

I am sitting behind an interface called ABC, which is numbered 192.168.1.0/24, and I am trying to access the network listed above on 10.0.31.248/29.

I believe I need to create 2 static entries, nat entries for both and then create an access-list for traffic, applying the list via an access-group. Is this correct, or am I missing something here?

As far as the static entries go, are these something like:

static (abc,vlan166) 192.168.1.10 192.168.1.10 netmask 255.255.255.255

For nat do I just add:

nat (abc) 1 0 0

nat (abc) 0 access-list nonatabc

Thanks,

Dean

1 REPLY

Re: PIX access list issues

Dean,

You only have to have 1 static NAT from the source to the destination, the PIX will work out the reverse. You would need to add another static NAT if the traffic flows in the other direction.

The above config is incorrect; let me explain:

nat (abc) 1 0 0 - says all traffic from interface abc should be NATed to the global NAT IP address associated with NAT id 1.

nat (abc) 0 access-list nonatabc - says any traffic from the source to the destination in access-list nonatabc should not be NATed.

static (abc,vlan166) 192.168.1.10 192.168.1.10 netmask 255.255.255.255 - statically performs a same-IP static network NAT.

HTH
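The following PIX 6.3 configuration fragment is an added example and is not either poster's configuration. It puts the reply's explanation together for the scenario in the question: 192.168.1.0/24 behind abc reaching 10.0.31.248/29 on the logical interface vlan166 without address translation, showing NAT exemption and the identity static as alternatives rather than combined. It assumes abc is the higher-security interface, that vlan166 is a logical VLAN interface on ethernet1 at security level 50, and the interface addresses and the ACL names abc_to_vlan166 and abc_in are invented for the example.

```cisco
! Added example, not the posters' config. Assumptions: abc is the inside-facing
! (higher security) interface, vlan166 is a logical VLAN interface on ethernet1,
! and the IP addresses and ACL names below are made up for illustration.

interface ethernet1 vlan166 logical
nameif vlan166 vlan166 security50

ip address abc 192.168.1.1 255.255.255.0
ip address vlan166 10.0.31.249 255.255.255.248

! Option A: NAT exemption. One statement covers the flow in both directions;
! the PIX derives the reverse translation itself, so no static is needed.
access-list abc_to_vlan166 permit ip 192.168.1.0 255.255.255.0 10.0.31.248 255.255.255.248
nat (abc) 0 access-list abc_to_vlan166

! Option B (use instead of Option A, not alongside it): identity static for the
! whole subnet rather than one host at a time, presenting abc hosts on vlan166
! with their own addresses.
! static (abc,vlan166) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! 'nat (abc) 1 0 0' is only needed for traffic that should be translated to a
! pool, and then requires a matching 'global (vlan166) 1 ...' statement. With
! Option A in place it is not required for this flow.

! Because abc is the higher-security side, sessions from abc toward vlan166 are
! permitted once a translation exists. An ACL on abc is optional, but if one is
! applied it must permit this flow or the traffic is dropped.
access-list abc_in permit ip 192.168.1.0 255.255.255.0 10.0.31.248 255.255.255.248
access-group abc_in in interface abc

! Only sessions initiated from vlan166 toward abc additionally need an ACL
! applied inbound on vlan166; the translation from Option A or B already covers
! the reverse direction.

! After changing nat or static statements, clear existing translations so the
! new rules take effect:
! clear xlate
```

Verify the translation and the ACL hit with `show xlate` and `show access-list abc_in` after sending a ping from 192.168.1.10 to a host in 10.0.31.248/29; a failing ping with no xlate entry usually means the nat 0 ACL or the static does not match the traffic, while an xlate entry and no reply points at the ACL on abc or at the host's own return route.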
