Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
361
Views
8
Helpful
4
Replies

basic configuration question

3msands
Level 1
Level 1

‎04-07-2003 04:02 PM - edited ‎03-09-2019 02:48 AM

Coming from the checkpoint world I'm having some difficulty in understanding the pix. Any help would be great.

I have a two pix firewalls in a failover configuration with 6 fast ethernet ports on each firewall. I have two of the interfaces at a security level of 50, two at 25, one at 0 and one at 100.

As the firewall is on an internal network I have no desire to perform any sort of hide nat. I just want to pass the traffic according to access-lists. I'm confused as to what kind of statement I should be using on each interface to pass the traffic without translation to the other interfaces. Should it be nat with an associated access list, some other form of a nat statement, or a static statement? What would be an example?

Labels:
0 Helpful
4 Replies 4

m.anglin
Level 1
Level 1

‎04-08-2003 04:14 AM

3msands,

By default the pix will not send traffic to other interfaces that have the same security level. So 1security level 50 interface wont talk to another level 50.

"Interfaces with the same security level cannot communicate with each other. We recommend that every interface have a unique security level. "

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#1026054

Matt A

0 Helpful

3msands
Level 1
Level 1
In response to m.anglin

‎04-09-2003 11:55 AM

Ok thank you. That is easily fixed but it doesn't answer the original question.

0 Helpful

gfullage
Cisco Employee
Cisco Employee
In response to 3msands

‎04-09-2003 08:39 PM

Easiest way to pass traffic from interface to interface is with a static statement, but map the old address to the same address, effectively eliminating NAT.

Let's say you have:

nameif ethernet0 outside security0

nameif ethernet1 inside security100

ip address outside 1.1.1.1 255.255.255.0

ip address inside 172.16.1.1 255.255.255.0

then to allow traffic from inside to outside without translation then do:

static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

If you then also want to allow traffic from outside to inside, you just need an access-list allowing that traffic in.

yizhar
Level 1
Level 1

‎04-12-2003 12:48 PM

HI.

You can disable NAT on all interfaces:

nat (inside) 0 0 0

nat (???) 0 0 0

etc...

No need to disable nat on the "outside" interface (sec0) because traffic from outside will not NAT by default.

Then use ACL on all interfaces to control the traffic.

STATIC is not good for you because you need to configure it on each pair of interfaces. NAT 0 is what you're looking for.

Yizhar

Customers Also Viewed These Support Documents