I have a problem with a PIX 525 firewall that I recently acquired. I have set up multiple interfaces using NAT and PAT. Everything is working so far except communication from higher security interfaces to lower security.
I am not able to access inside2 interface from inside1. It was my understanding that the PIX allows communication to lower security level interfaces by default and access from all interfaces to outside is working.
The configuration I have provided basically tells the firewall that when you are going from Inside1 to Inside2, the source address should not be changed, i.e. you have to bypass the NAT rules. This will satisfy the NAT requirement between the higher security interface and the lower security interface. It will also allow Inside2 to open a connection towards Inside1 hosts. The reason you are not able to initiate connections from Inside2 towards Inside1 is because Inside2 is at a lower security level and you need to have an explicit access-list allowing that access. You can try the following:
access-list 102 permit ip any host
access-list 102 deny ip any 192.168.0.0 255.255.255.0
access-list 102 permit ip any any
access-group 102 in interface Inside2
In the above configuration is the host that you need access to from the Inside2 subnet. If you want unlimited access between Inside1 and Inside2, then you can ignore the first two lines and just add the 3rd line.
No, I would only like connections to be initiated from inside1. Interface inside2 has an old FTP server on it that I don't want to have access to my domain network on inside1. This is exactly what I wanted to do.
So let me see if I understand this correctly.
nat (inside1) 0 access-list nonat
sets up a NAT rule for inside1 that is defined by what is in the access list "nonat" rather than an IP like in my config (nat (inside1) 1 192.168.0.0).
And then that access list sets the rules for communication between the interfaces, in this case allowing all traffic from inside1 clients to inside2 clients.
So if I wanted to expand on this and give inside1 access to another interface (inside3; 192.168.2.0; sec. lev. 80 for example), I could add the following...
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
Also, am I correct to assume that I don't need to tie the nonat access list to an interface using the access-group command because it is already tied to that interface within the NAT statement?
Sorry if my terminology is not 100%.
Thanks a million for all your help. I have been looking everywhere for the answer to this question.
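Putting the pieces from the thread together, here is an added PIX 6.x configuration example (not posted by anyone in the thread) that implements what the original poster wants: inside1 may open connections into inside2 and inside3 without NAT, while the lower-security inside2 segment holding the FTP server cannot start connections into the 192.168.0.0/24 domain network but keeps its Internet access. The inside2 subnet (192.168.1.0/24), the ethernet slot numbers and the security levels other than inside3's 80 are assumed values.

```cisco
! Interface names and security levels (slots and levels other than 80 are assumed)
nameif ethernet0 outside security0
nameif ethernet1 inside1 security100
nameif ethernet2 inside2 security50
nameif ethernet3 inside3 security80
!
! NAT exemption: keep the real inside1 source address when talking to inside2
! or inside3. The ACL is bound to inside1 by the "nat ... 0 access-list" line
! itself, so no access-group is needed for it.
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside1) 0 access-list nonat
!
! Ordinary PAT to the outside interface address for everything else
global (outside) 1 interface
nat (inside1) 1 192.168.0.0 255.255.255.0
nat (inside2) 1 192.168.1.0 255.255.255.0
nat (inside3) 1 192.168.2.0 255.255.255.0
!
! inside2 (the FTP server segment) may not initiate connections into the
! inside1 domain network, but may still reach the Internet. Replies to
! sessions opened from inside1 are matched by the existing connection entry
! and are not subject to this ACL, so only new connections from inside2 are
! filtered here. Order matters: the deny must come before the permit any any.
access-list 102 deny ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 102 permit ip any any
access-group 102 in interface inside2
```

Without access-list 102, inside2 would still be unable to reach inside1 (lower to higher security is blocked by default), but with it the FTP segment is also kept out of the domain network explicitly, so a later permissive change to inside2's rules does not silently open that path.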