
New Member

Allowing traffic across two ethernet interfaces on a PIX

I have a PIX with interface inside, IP 10.198.16.1. It also has an interface called WTS, IP 10.12.60.1. I am having difficulty allowing traffic from the 10.198.16.0 network to traverse the PIX into 10.12.60.0. I am specifically trying to enable access to a server with an IP of 10.12.60.2.

I'm attaching my config. Any help would be greatly appreciated!

Accepted Solution
Cisco Employee

Re: Allowing traffic across two ethernet interfaces on a PIX

OK, so the inside interface has a security-level of 100, and WTS has a security-level of 75, so traffic from inside to WTS is considered outbound traffic, which is allowed by default. All you need is a nat/global pair (or a static) between the two interfaces so that the PIX knows how to NAT the traffic between the two interfaces (remember, the PIX likes to do NAT).

You have this in your config:

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

which says any traffic on the inside interface with an IP address of 10.x.x.x will be NAT'd, but you then need a global for the WTS interface to define what those IP addresses will be NAT'd to.

Adding:

global (WTS) 1 interface

will PAT all the inside addresses to the IP address of the WTS interface and allow traffic to flow between the interfaces. If you would prefer the hosts on the inside interface to appear as their own IP address when on the WTS network then you can use a static command and NAT the addresses to themselves, effectively doing NAT but not actually changing the addresses:

static (inside,WTS) 10.198.16.1 10.198.16.1 netmask 255.255.240.0

Hope that helps.
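
The accepted answer rests on three PIX rules: a flow from a higher security-level interface to a lower one is outbound and permitted by default, an outbound flow still has to match a translation (a static first, otherwise a nat rule on the ingress interface paired with a global of the same id on the egress interface), and `global (WTS) 1 interface` means PAT to the WTS interface address while an identity static leaves the real address unchanged. The following Python model is an added illustration written for this page; it is not PIX code and not from Cisco or the original poster. It uses the interface names, addresses and security levels from the thread, a constructed inside host 10.198.16.50, and assumes (as the static in the answer intends) that `10.198.16.1 netmask 255.255.240.0` denotes the 10.198.16.0/20 network. Access-lists, nat 0, ports and the lower-to-higher direction are deliberately left out.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Interface:
    name: str
    ip: IPv4Address
    security_level: int


@dataclass
class Pix:
    """Toy model of PIX security-level and nat/global/static handling (assumption: simplified)."""
    interfaces: dict
    nat_rules: list = field(default_factory=list)    # (ifname, nat_id, IPv4Network)
    globals_: dict = field(default_factory=dict)     # (ifname, nat_id) -> "interface" | IPv4Address
    statics: list = field(default_factory=list)      # (real_if, mapped_if, real_net, mapped_net)

    def nat(self, ifname, nat_id, net):
        """nat (ifname) nat_id net mask"""
        self.nat_rules.append((ifname, nat_id, IPv4Network(net)))

    def global_(self, ifname, nat_id, target):
        """global (ifname) nat_id interface|address"""
        self.globals_[(ifname, nat_id)] = target if target == "interface" else IPv4Address(target)

    def static(self, real_if, mapped_if, mapped, real, netmask):
        """static (real_if,mapped_if) mapped real netmask mask -- mapped address comes first."""
        # strict=False folds a host address such as 10.198.16.1/20 onto its network.
        self.statics.append((real_if, mapped_if,
                             IPv4Network(f"{real}/{netmask}", strict=False),
                             IPv4Network(f"{mapped}/{netmask}", strict=False)))

    def forward(self, src, in_if, out_if):
        """Return (action, reason, translated source) for a new flow entering in_if, leaving out_if."""
        src = IPv4Address(src)
        ingress, egress = self.interfaces[in_if], self.interfaces[out_if]
        # 1. Higher to lower security level is outbound and allowed by default;
        #    lower to higher would need an access-list, which this model does not cover.
        if ingress.security_level <= egress.security_level:
            return ("drop", "inbound: access-list required", None)
        # 2. static entries take precedence over nat/global.
        for real_if, mapped_if, real_net, mapped_net in self.statics:
            if (real_if, mapped_if) == (in_if, out_if) and src in real_net:
                offset = int(src) - int(real_net.network_address)
                return ("static", "one-to-one", IPv4Address(int(mapped_net.network_address) + offset))
        # 3. nat on the ingress interface picks the id; the global with that id on
        #    the egress interface says what to translate to. Without it the PIX
        #    has no translation group and the packet is dropped.
        for ifname, nat_id, net in self.nat_rules:
            if ifname == in_if and src in net:
                target = self.globals_.get((out_if, nat_id))
                if target is None:
                    return ("drop", f"no translation group found for nat id {nat_id} on {out_if}", None)
                if target == "interface":
                    return ("pat", f"global ({out_if}) {nat_id} interface", egress.ip)
                return ("nat", "pool", target)
        return ("drop", "no nat rule matches source", None)


def build_pix():
    """Interfaces and the nat line as posted in the thread."""
    pix = Pix({"inside": Interface("inside", IPv4Address("10.198.16.1"), 100),
               "WTS": Interface("WTS", IPv4Address("10.12.60.1"), 75)})
    pix.nat("inside", 1, "10.0.0.0/8")
    return pix


HOST = "10.198.16.50"   # constructed sample host on the inside network


def before_fix():
    """Original config: nat without a matching global on WTS."""
    return build_pix().forward(HOST, "inside", "WTS")


def with_global_interface():
    """First suggestion: PAT everything to the WTS interface address."""
    pix = build_pix()
    pix.global_("WTS", 1, "interface")
    return pix.forward(HOST, "inside", "WTS")


def with_identity_static():
    """Second suggestion: identity static, hosts keep their real address on WTS."""
    pix = build_pix()
    pix.static("inside", "WTS", "10.198.16.1", "10.198.16.1", "255.255.240.0")
    return pix.forward(HOST, "inside", "WTS")


def reverse_direction():
    """WTS (75) to inside (100) is inbound and not allowed by the translation alone."""
    pix = build_pix()
    pix.global_("WTS", 1, "interface")
    return pix.forward("10.12.60.2", "WTS", "inside")


if __name__ == "__main__":
    for scenario in (before_fix, with_global_interface, with_identity_static, reverse_direction):
        print(f"{scenario.__name__:24} -> {scenario()}")
```

Running the four scenarios shows the state the original poster was in (drop, no translation group), the PAT result after adding the global (source becomes 10.12.60.1), the identity static (source stays 10.198.16.50), and that the translation does nothing to open the reverse direction from WTS into inside.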

2 REPLIES
New Member

Re: Allowing traffic across two ethernet interfaces on a PIX

Thanks for the info. I implemented the global (WTS) 1 interface command and was able to ping successfully to a server on the WTS network. However, I wasn't able to traceroute. It would stop at the pix. Is this to be expected?
