Hi,

I have a need to use one interface on my PIX 525 (version 7.2(2)) as a logical interface so that I can use NAT to reference local non-routable DMZ IP addresses into ospf advertised IP addresses. I?ve connected PIX ethernet 4 into my Cisco 6500 switch slot 12 port 43. I?ve enabled trunking on 12/43 and 12/43 resides in my management domain (VLAN1). My relevant switch and FW config is below.

Issue: Not working: Host 172.31.76.100 attempts to RDP to NAT address 172.31.48.100 but fails. I would like to have confirmation that this config is correct from the community.

Catalyst Switch

Port status is:

12/43 PIX-525-ETH4 connected trunk full 100 10/100/1000

Trunk config is:

clear trunk 12/43 2-239,241-1005,1025-4094

set trunk 12/43 on dot1q 1,240

Trunk status is:

12/43 on dot1q trunking 1

Firewall interface config is:

interface Ethernet4

description Base interface for DMZ translations

speed 100

duplex full

no nameif

security-level 100

no ip address

!

interface Ethernet4.240

vlan 240

nameif VLAN240

security-level 75

ip address 172.30.243.100 255.255.252.0

ACL config is:

access-list VLAN240 remark NAT control into VLAN240 from inside

access-list VLAN240 extended permit ip 172.31.76.0 255.255.255.0 host 172.31.48.100

access-list VLAN240_IN remark Regulate access from VLAN240 into inside

access-list VLAN240_IN extended permit tcp host 172.30.240.226 eq 3389 host 172.30.243.100

access-list VLAN240_IN extended deny ip any any

NAT config is:

global (outside) 30 X.X.X.X netmask 255.255.255.192

global (XXXXXX) 3 interface

global (XXXXXX) 20 interface

global (VLAN240) 50 interface

nat (inside) 0 access-list NONAT

nat (inside) 3 access-list XXX

nat (inside) 20 access-list XXXXXX

nat (inside) 30 access-list WWW

nat (inside) 50 access-list VLAN240

nat (XXXXXX) 0 access-list NONAT-VPN

static (inside,VLAN240) 172.31.48.100 172.30.240.226 netmask 255.255.255.255

access-group VLAN240_IN in interface VLAN240

return route does exist.