Cisco Support Community
Community Member

NAT 0 with pix

I need to configure pix to allow nms servers (ciscoworks, etc) on net5 to monitor every single network device on the whole network.

No port filtering restriction between net 5 and the rest of the networks.

It's been awhile since I worked on pix firewalls so I'm not really sure whether my configuration will work.

Rough scenario looks like this...

6 interfaces on the pix without NAT

ethernet0(net1): (level 0)

ethernet1(net2): (level 20)

ethernet2(net3): (level 40)

ethernet3(net4): (level 60)

ethernet4(net5): (level 80)

ethernet5(net6): (level 100)

NMS servers residing at net5 need to monitor every network equipment on all networks. All ports open.

To monitor devices on net6, which has a higher security level,

I would configure something like this:

access-list nms_access_in permit ip

access-group nms_access_in in interface net5

static(net6,net5) netmask 0 0

To monitor devices on networks which have a lower security level:

access-list allow_all permit ip

access-list allow_all permit ip

access-list allow_all permit ip

access-list allow_all permit ip

nat (net5) 0 access-list allow_all

Will this work? net5 should be able to reach the whole network (all open)

Many thanks for any help....

Community Member

Re: NAT 0 with pix

The static to permit nms to net6 should be static (net6, net5) netmask x.x.x.x.

Community Member

Re: NAT 0 with pix

Sorry, ignore my last comment. Your static is correct, but the access list applied on net5 must permit all traffic you wish to pass the interface, so you most likely want something like access-list nms_access_in permit ip any. Sorry about the confusion.
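A complete PIX 6.x fragment for the scenario discussed in this thread, added here as an example and not taken from any post above. The subnets (10.1.0.0/24 through 10.6.0.0/24, with the NMS hosts on 10.5.0.0/24) and the ACL names are assumptions; the point is that the nat 0 identity rule covers net5 reaching the lower-security nets, the identity static exposes net6 to net5, and the inbound ACL on net5 must permit both directions because applying an access-group removes the implicit higher-to-lower allow.

```cisco
! Assumed addressing (not from the thread):
!   net1 10.1.0.0/24 (level 0)   net2 10.2.0.0/24 (level 20)
!   net3 10.3.0.0/24 (level 40)  net4 10.4.0.0/24 (level 60)
!   net5 10.5.0.0/24 (level 80)  net6 10.6.0.0/24 (level 100)

! 1. Identity NAT (nat 0) so NMS traffic from net5 to the lower-security
!    interfaces passes untranslated. One entry per destination network.
access-list NMS_NONAT permit ip 10.5.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list NMS_NONAT permit ip 10.5.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list NMS_NONAT permit ip 10.5.0.0 255.255.255.0 10.3.0.0 255.255.255.0
access-list NMS_NONAT permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
nat (net5) 0 access-list NMS_NONAT

! 2. Identity static so net6 (higher security) is reachable from net5
!    under its real addresses. Same subnet on both sides, mask, 0 0 limits.
static (net6,net5) 10.6.0.0 10.6.0.0 netmask 255.255.255.0 0 0

! 3. Inbound ACL on net5. Once an access-group is applied, this list must
!    permit everything leaving net5, including toward lower-security nets.
!    Source is narrowed to the NMS subnet rather than "any" so only the
!    monitoring hosts get the all-ports reach the thread asks for.
access-list nms_access_in permit ip 10.5.0.0 255.255.255.0 10.6.0.0 255.255.255.0
access-list nms_access_in permit ip 10.5.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list nms_access_in permit ip 10.5.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list nms_access_in permit ip 10.5.0.0 255.255.255.0 10.3.0.0 255.255.255.0
access-list nms_access_in permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-group nms_access_in in interface net5

! Verification after applying:
!   show xlate            -> identity entries for net6 hosts appear on first use
!   show access-list      -> hit counts increment on the nms_access_in lines
```

If the monitored devices only need SNMP, ICMP and syslog, the `permit ip` lines in step 3 can be replaced with `permit udp ... eq snmp` and `permit icmp ...` entries for a tighter management path.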
