04-07-2003 04:02 PM - edited 03-09-2019 02:48 AM
Coming from the checkpoint world I'm having some difficulty in understanding the pix. Any help would be great.
I have two pix firewalls in a failover configuration with 6 fast ethernet ports on each firewall. I have two of the interfaces at a security level of 50, two at 25, one at 0 and one at 100.
As the firewall is on an internal network I have no desire to perform any sort of hide nat. I just want to pass the traffic according to access-lists. I'm confused as to what kind of statement I should be using on each interface to pass the traffic without translation to the other interfaces. Should it be nat with an associated access list, some other form of a nat statement, or a static statement? What would be an example?
04-08-2003 04:14 AM
3msands,
By default the pix will not send traffic to other interfaces that have the same security level. So one security level 50 interface won't talk to another level 50.
"Interfaces with the same security level cannot communicate with each other. We recommend that every interface have a unique security level."
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#1026054
Matt A
04-09-2003 11:55 AM
Ok thank you. That is easily fixed but it doesn't answer the original question.
04-09-2003 08:39 PM
Easiest way to pass traffic from interface to interface is with a static statement, but map the old address to the same address, effectively eliminating NAT.
Let's say you have:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 1.1.1.1 255.255.255.0
ip address inside 172.16.1.1 255.255.255.0
then to allow traffic from inside to outside without translation then do:
static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
If you then also want to allow traffic from outside to inside, you just need an access-list allowing that traffic in.
04-12-2003 12:48 PM
Hi.
You can disable NAT on all interfaces:
nat (inside) 0 0 0
nat (???) 0 0 0
etc...
No need to disable nat on the "outside" interface (sec0) because traffic from outside will not be NATed by default.
Then use ACL on all interfaces to control the traffic.
STATIC is not good for you because you need to configure it on each pair of interfaces. NAT 0 is what you're looking for.
Yizhar
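Putting the two answers together for the six-interface layout in the question, here is an added PIX 6.3 configuration sketch (not from any post in this thread). Interface names, addresses, ports and the unique security levels (the duplicate 50/50 and 25/25 pairs are split into 50/40 and 25/20, as Matt A's post requires) are all assumptions; the identity static line shows the alternative from the 04-09-2003 reply.

```text
! Added example, not from the thread. PIX 6.3 syntax; every name,
! address and port below is a made-up placeholder.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 dmz2 security40
nameif ethernet4 dmz3 security25
nameif ethernet5 dmz4 security20
ip address outside 192.0.2.1 255.255.255.0
ip address inside 172.16.1.1 255.255.255.0
ip address dmz1 172.16.2.1 255.255.255.0
ip address dmz2 172.16.3.1 255.255.255.0
ip address dmz3 172.16.4.1 255.255.255.0
ip address dmz4 172.16.5.1 255.255.255.0

! Identity NAT ("0 0" is shorthand for 0.0.0.0 0.0.0.0): packets from
! these interfaces leave with their source address unchanged. As the
! nat command documentation describes it, this form only lets the
! higher-security side open connections.
nat (inside) 0 0 0
nat (dmz1) 0 0 0
nat (dmz2) 0 0 0

! NAT exemption (nat 0 access-list) is also untranslated but works in
! both directions, so use it on interfaces that host servers which
! lower-security interfaces must be able to reach.
access-list nonat_dmz3 permit ip 172.16.4.0 255.255.255.0 any
nat (dmz3) 0 access-list nonat_dmz3
access-list nonat_dmz4 permit ip 172.16.5.0 255.255.255.0 any
nat (dmz4) 0 access-list nonat_dmz4

! Alternative from the static reply: map a subnet to itself per
! interface pair (one static for every pair that must talk).
! static (dmz2,dmz1) 172.16.3.0 172.16.3.0 netmask 255.255.255.0

! One access-list per interface, applied inbound; anything not
! permitted is dropped by the implicit deny at the end of each list.
access-list inside_in permit ip 172.16.1.0 255.255.255.0 any
access-group inside_in in interface inside
! dmz1 may only reach the placeholder database host in dmz2.
access-list dmz1_in permit tcp 172.16.2.0 255.255.255.0 host 172.16.3.10 eq 1433
access-group dmz1_in in interface dmz1
! outside may only reach the placeholder web server in dmz4.
access-list outside_in permit tcp any host 172.16.5.10 eq 80
access-group outside_in in interface outside
```

Lower-security interfaces still need an explicit access-list entry before they can initiate toward a higher-security one; the nat statements only remove the translation, they do not open any traffic.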