Cisco Support Community
New Member

Layer 3 routing behind PIX

Hello All,

I'm having a difficulty which is probably simple but I can't seem to make it work.  I have a PIX connected to the internet, the outside interface is working fine.  The inside interface is connected to a layer 3 switch with 2 networks.  The two networks are as such:

VLAN Interface 100: 192.168.110.0 255.255.255.0

VLAN Interface 200:  192.168.10.0 255.255.255.0

Then the third vlan (vlan 900) is connected to inside interface of a PIX.  The PIX inside interface is 192.168.0.1 255.255.255.0, vlan900 interface is 192.168.0.2.  How would I allow both networks to get internet access through the PIX?  Also, how would I PAT a routable IP from the PIX to a private IP on VLAN 200?  Example,

static (outside,inside) xx.xx.xx.xx 2080 192.168.10.5 80 netmask 255.255.255.255

From being logged into the switch, I can ping all hosts on the networks connected to the switch, I can ping 192.168.0.1 (the inside PIX interface). I cannot ping the PIX's outside interface however, or any internet host.

From a PC connected to 192.168.110.0 I can ping all other hosts in that network, as well as hosts in the 192.168.10.0 network. I can ping the vlan interface 192.168.0.2 but not other hosts connected to that network, including the PIX inside interface itself.

I want to enable intervlan traffic on the Catalyst 3550 but still enable internet access and PAT with the PIX. Any suggestions in this would be very much appreciated.

5 REPLIES
Hall of Fame Super Blue

Re: Layer 3 routing behind PIX

On the 3550 -

ip route 0.0.0.0 0.0.0.0 192.168.0.1

on the pix -

route inside 192.168.10.0 255.255.255.0 192.168.0.2

route inside 192.168.110.0 255.255.255.0 192.168.0.2

I'm assuming you already have a default route on the PIX pointing to the ISP router next-hop address.

also on the pix -

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

Don't test by trying to ping the outside interface of the pix from an inside PC, this won't work.

Jon

New Member

Re: Layer 3 routing behind PIX

Thank you very much Jon for the reply. I feel like an idiot, I should have thought of that, lol. I will be trying that shortly. I do have one other question though. In regards to inbound traffic from the internet. I assume that I can still set up static nat statements on the PIX such as:

static (inside,outside) tcp xx.xx.xx.171 2080 192.168.1.10 80 netmask 255.255.255.255

static (inside,outside) tcp xx.xx.xx.171 3080 192.168.2.10 80 netmask 255.255.255.255

And so on and so forth?  Thanks again in advance.  Also, will let you know how this works out shortly.

Hall of Fame Super Blue

Re: Layer 3 routing behind PIX

Yes you can use those static statements for inbound traffic to your servers from the internet.

Jon
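
Added example (not part of the original thread): the routes and PAT from the replies above combined into one configuration, with the outside access-list a PIX needs before an inbound static passes any traffic. The public address 203.0.113.10 and the ACL name outside_in are constructed placeholders; 192.168.10.5 is the VLAN 200 host from the original question.

```cisco
! Lines starting with "!" are annotations for the reader.
! 203.0.113.10 = constructed placeholder for the routable address.
! outside_in   = assumed ACL name.

! --- Catalyst 3550: send everything non-local to the PIX inside interface ---
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.0.1

! --- PIX: return path to the VLANs behind the switch ---
! Without these, replies to 192.168.10.x / 192.168.110.x follow the
! PIX default route out the outside interface and are lost.
route inside 192.168.10.0 255.255.255.0 192.168.0.2
route inside 192.168.110.0 255.255.255.0 192.168.0.2

! --- PIX: outbound PAT, scoped to the two user VLANs ---
! Narrower alternative to "nat (inside) 1 0.0.0.0 0.0.0.0": only the
! listed subnets are translated and allowed out.
nat (inside) 1 192.168.10.0 255.255.255.0
nat (inside) 1 192.168.110.0 255.255.255.0
global (outside) 1 interface

! --- PIX: inbound port forward to the VLAN 200 web server ---
! The real host sits on the inside, so the pair is (inside,outside).
static (inside,outside) tcp 203.0.113.10 2080 192.168.10.5 80 netmask 255.255.255.255

! The static only builds the translation. Traffic from outside (lower
! security) to inside is dropped unless an ACL permits it, so allow
! exactly the mapped address and port and nothing wider.
access-list outside_in permit tcp any host 203.0.113.10 eq 2080

! Lets echo replies return when ping-testing internet hosts from inside.
access-list outside_in permit icmp any any echo-reply

access-group outside_in in interface outside

! --- Verification on the PIX ---
show route
show xlate
show access-list outside_in
```

The hit counters in `show access-list outside_in` show whether inbound connections are reaching the permit line, and `show xlate` confirms the port translation exists.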

New Member

Re: Layer 3 routing behind PIX

Once again, my sincere gratitude for your assistance in this matter Jon. Sometimes it is the smallest things that can drive a person crazy lol. Your help is much appreciated.

Hall of Fame Super Blue

Re: Layer 3 routing behind PIX

Sometimes it is the smallest things that can drive a person crazy lol.

I know exactly what you mean

Glad to have helped and thanks for the ratings.

Jon
