Cisco Support Community
New Member

How to connect two PIX's?

Machine A  192.168.1.11 (real ip)  10.15.10.11 (nat ip)
    |
    |
(outside) 192.168.1.25
PIX 1
(inside)  10.15.10.25
    |
Router ------------------ Machine C 10.1.57.23 (real IP)
    |
(inside)  10.3.10.25
PIX 2
(outside) 192.168.1.25
    |
    |
Machine B  192.168.1.11 (real ip)  10.3.10.11 (nat ip)

PIX 1

access-list acl_in permit ip host 10.1.57.23 10.15.10.0 255.255.255.0
access-list acl_in permit ip 10.3.10.0 255.255.255.0 10.15.10.0 255.255.255.0
access-list acl_out permit ip 192.168.1.0 255.255.255.0 10.3.10.0 255.255.255.0
ip address outside 192.168.1.25 255.255.255.0
ip address inside 10.15.10.25 255.255.0.0
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (outside,inside) 10.15.10.11 192.168.1.11 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside

PIX 2

access-list acl_in permit ip host 10.1.57.23 10.3.10.0 255.255.255.0
access-list acl_in permit ip 10.15.10.0 255.255.255.0 10.3.10.0 255.255.255.0
access-list acl_out permit ip 192.168.1.0 255.255.255.0 10.15.10.0 255.255.255.0
ip address outside 192.168.1.25 255.255.255.0
ip address inside 10.3.10.25 255.255.0.0
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (outside,inside) 10.3.10.11 192.168.1.11 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside

Above is a small "drawing" to try to illustrate my setup. Also above are what I think are the relevant PIX configs. The purpose of these 2 firewalls is to protect machines on the 192.168.1.x network from machines on the 10.x.x.x network and vice versa. The subnet mask for the 192 machines is 255.255.255.0 and for the 10 network it is 255.255.0.0.

Right now, I am able to connect to both machine A and machine B from machine C using the natted IP addresses. The problem I'm having is that when I try to establish a connection from machine A to machine B I get a syslog error message from PIX 1 that reads "no translation group found for tcp src outside:192.168.1.11 dst inside:10.3.10.11".

I'm a little confused at this point. Do I need to add some sort of global command for the inside interfaces, and a nat for the outside? I need Machine A to be able to talk to machine B, and vice versa. Any help is greatly appreciated.

3 REPLIES
Bronze

Re: How to connect two PIX's?

Hi,

I think it will save you a lot of headache if you swap the security levels of each interface of both PIXs, i.e. swap the interfaces. Interface Outside faces the router on each side of the PIXs. Then you can let machine A talk to machine B by typing static (inside,outside), which is the proper way of doing the static translation. Also make sure your route statements are reaching the translated subnet (i.e. the outside subnet).

I hope this helps!

New Member

Re: How to connect two PIX's?

Thanks. It does require me visiting the other sites. I will let you know if it works. Makes sense though.

New Member

Re: How to connect two PIX's?

This config is a bit confusing.

If you are trying to get to 10.3.10.11 from the outside you need

static (inside,outside) 10.3.10.11 192.168.1.1 netmask 255.255.255.255 0 0

Your static is backwards on pix 2..
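To make the static direction and the posted syslog concrete, here is an added Python model of how a PIX 6.x picks a translation for a new connection. It is an illustration written for this thread, not Cisco code and not from any of the posters. The rule it applies is my own simplification: the source needs a translation on the (ingress, egress) pair, either a static or a nat/global pool (a pool only serves connections the source itself starts), and the destination needs a static on the (egress, ingress) pair that can be matched backwards, since a dynamic PAT pool gives an inbound connection nothing to match. The config text is PIX 1's lines from the original post; access lists, routes and security levels are not modelled, and `PixNat` and `check_flow` are names I chose.

```python
"""Simplified model of PIX 6.x translation lookup for a new connection.
Added illustration for this thread; not Cisco code.
Assumptions (mine, not taken from the PIX documentation):
  1. the SOURCE needs a translation on the (ingress, egress) pair: a
     static, or a nat/global pool, which only covers connections the
     source itself initiates;
  2. the DESTINATION needs a translation on the (egress, ingress) pair
     that can be matched in reverse, which a static provides and a
     dynamic nat/global pool does not.
Access lists, routes and security levels are not modelled."""
import ipaddress
import re
from dataclasses import dataclass, field

# PIX 1 configuration lines copied from the original post above.
PIX1 = """
ip address outside 192.168.1.25 255.255.255.0
ip address inside 10.15.10.25 255.255.0.0
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (outside,inside) 10.15.10.11 192.168.1.11 netmask 255.255.255.255 0 0
"""

STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
NAT_RE = re.compile(r"nat \((\w+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"global \((\w+)\) (\d+)")


def _in(addr, net, mask="255.255.255.255"):
    """True if addr falls inside net/mask (dotted mask as the PIX writes it)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}", strict=False)


@dataclass
class PixNat:
    # static (real_ifc,mapped_ifc) mapped real netmask mask, kept as 5-tuples
    statics: list = field(default_factory=list)
    nats: dict = field(default_factory=dict)    # nat id -> [(ifc, network)]
    pools: dict = field(default_factory=dict)   # nat id -> {global ifc}

    @classmethod
    def parse(cls, text):
        pix = cls()
        for line in text.strip().splitlines():
            line = line.strip()
            if m := STATIC_RE.match(line):
                pix.statics.append(m.groups())
            elif m := NAT_RE.match(line):
                ifc, nid, net, mask = m.groups()
                pix.nats.setdefault(nid, []).append((ifc, ipaddress.ip_network(f"{net}/{mask}")))
            elif m := GLOBAL_RE.match(line):
                ifc, gid = m.groups()
                pix.pools.setdefault(gid, set()).add(ifc)
        return pix

    def static_forward(self, real_ifc, mapped_ifc, real_addr):
        """Mapped address for real_addr on real_ifc as seen from mapped_ifc."""
        for r_ifc, m_ifc, mapped, real, mask in self.statics:
            if (r_ifc, m_ifc) == (real_ifc, mapped_ifc) and _in(real_addr, real, mask):
                return mapped
        return None

    def static_reverse(self, real_ifc, mapped_ifc, mapped_addr):
        """Real address behind mapped_addr, i.e. the same static matched backwards."""
        for r_ifc, m_ifc, mapped, real, mask in self.statics:
            if (r_ifc, m_ifc) == (real_ifc, mapped_ifc) and _in(mapped_addr, mapped, mask):
                return real
        return None

    def dynamic(self, ifc, addr, egress):
        """True if a nat (ifc) entry whose id has a global on egress covers addr."""
        for nid, entries in self.nats.items():
            if egress in self.pools.get(nid, set()):
                if any(n_ifc == ifc and ipaddress.ip_address(addr) in net for n_ifc, net in entries):
                    return True
        return False

    def check(self, ingress, src, egress, dst):
        """Describe the translation decision for a new src -> dst connection."""
        fail = f"no translation group found for src {ingress}:{src} dst {egress}:{dst}"
        mapped = self.static_forward(ingress, egress, src)
        if mapped:
            why_src = f"src {src} -> {mapped} via static ({ingress},{egress})"
        elif self.dynamic(ingress, src, egress):
            why_src = f"src {src} via nat ({ingress}) / global ({egress})"
        else:
            return fail + " (source has no translation)"
        real = self.static_reverse(egress, ingress, dst)
        if real:
            return f"ok: {why_src}; dst {dst} -> {real} via static ({egress},{ingress})"
        if self.dynamic(egress, dst, ingress):
            return fail + " (destination is covered only by a dynamic nat/global pool)"
        return fail + " (destination has no translation)"


def check_flow(config, ingress, src, egress, dst):
    """Parse a PIX config fragment and classify one new connection through it."""
    return PixNat.parse(config).check(ingress, src, egress, dst)


if __name__ == "__main__":
    # Machine C -> Machine A's NAT address: works, as the poster reports.
    print(check_flow(PIX1, "inside", "10.1.57.23", "outside", "10.15.10.11"))
    # Machine A -> Machine B's NAT address: reproduces the posted syslog.
    print(check_flow(PIX1, "outside", "192.168.1.11", "inside", "10.3.10.11"))
```

Run as-is, the first call succeeds because 10.1.57.23 is covered by `nat (inside) 1` / `global (outside) 1` and 10.15.10.11 is the mapped side of the `static (outside,inside)`; the second fails on the destination, because on PIX 1 the only thing covering 10.3.10.11 is the dynamic `nat (inside) 1` pool. Editing the `PIX1` text (for instance adding a static for the remote 10.3.10.x address, or a `static (inside,outside)` form as the replies suggest) and re-running `check_flow` shows which direction each static line actually translates before it is typed into a firewall.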
