I realise that this question has been asked in many different ways, but I haven't seen my way yet. My problem is: we have a PIX 515E with 6 interfaces. All interfaces can get out to the outside world fine, but they can't cross over to each other. We don't have any routers behind them; we have 10.0.0.1 and 10.0.1.1, etc. as interface IPs. How do I get them to see across each other? I need interface 2 to see the inside interface servers and likewise. Also, how do I get them to translate IP addresses? For example, we have a mail server on the inside interface that has 10.0.0.60 translated to X.X.X.60 on the outside interface so the outside world can see it. The interface 2 computers see that machine as X.X.X.60, not the fact that it is on the interface right beside it, and can therefore not find it. The inside machines translate the address fine to 10.0.0.60. Please help, and I hope this can be done without routers behind the PIX.
If the traffic goes from a higher security level to a lower security level, the only thing you need is some kind of translation for the addresses on the higher-level interface. You can use the 'nat' and 'global' commands for this, or you can choose static translation of the addresses with the 'static' command.
If the traffic goes from a lower to a higher security level, you will need static translation for the address on the higher-level interface. To allow connections initiated from the lower security level, you will have to create an 'access-list' and apply it to the lower-level interface.
I don't know if the text above is clear enough (sorry for that :-). But maybe you can provide some more info and tell me what you would like as the final result? Is it possible to post the config (!!replace public addresses and remove passwords!!)?
It makes sort of sense. So do I translate the external IP x.x.x.60 to a 10.0.1.60 address, and if so, how? Interface 2 sees the machine on the inside interface as having the outside IP, as everything does outside of the inside interface. I understand allowing connections to go from one to the other, but maybe my problem is the machines knowing how to get to the other machines. Maybe I am just getting more confused now. Thanks for any help.
I have found that if I statically map 10.0.0.60 to 10.0.1.60 I can ping the server by IP address but can't ping it by name. When I do an nbtstat -c I get 2 IP addresses for the email server. Is there any way to get the clients on interface 2 to know that email is really 10.0.1.60, which is really 10.0.0.60, which in the outside world is x.x.x.60? Confusing enough :)
Sorry, but it's getting confusing. Could you provide some kind of overview of the interfaces on your PIX? Please provide the IP addresses of the interfaces and the security levels of the interfaces.
Thanks for taking the time. Okay, here goes:
-inside ip 10.0.0.1 security level 100
-intf2 ip 10.0.1.1 security level 99 or anything less than 100
-outside 126.96.36.199 (eg)
-both can get out fine and I can let outside in with no problems
-email server and file server on inside interface 10.0.0.60 and 10.0.0.70 respectively
-10.0.0.60 and 70 are mapped to 188.8.131.52 and 70 outside
-now comes interface 2: users on that can get out fine, but when they look for email.test.server.address they get 184.108.40.206 as an address and therefore can't reach the real address of 10.0.0.60
-I can map 10.0.1.60 on interface 2 to 10.0.0.60 on inside and can then ping 10.0.1.60 and get the email server, but if I use the name it returns 220.127.116.11 and cannot find the email server.
How do I tell all machines on interface 2 that they need to look for the servers on the inside interface?
Hope that is better explained. Thanks for any help.
Thanks for explaining the situation again. I think I have a solution for your problem :-)
The pix provides the 'alias' command for this. Please have a look at this URL:
This will work if:
- the name of the mailserver is resolved by using dns
- the dns query of the host (which is on the int2 network) goes through the pix
If that is the case, you can issue this command:
alias (replace_with_name_of_int2) 10.0.0.60 18.104.22.168 255.255.255.255
With this command in place, the PIX will modify the reply coming from the DNS server and replace (in the data of the DNS packet) 22.214.171.124 with 10.0.0.60.
Hope this will work! (please keep me informed)
Somehow I realised my post never made it on. It is a dns flag in the statement now in 6.2, but it still does not work. It is fine for the machines on the inside interface with the server, but machines on interface 2 don't know how to get to it. Do I have to set up some sort of static route so that interface 2 uses the inside interface? I tried setting the 55.55.55
Thanks to Cisco my problem has been fixed. Thanks for everyone's help. The solution was to do a static map of 126.96.36.199 on intf2 to 10.0.0.60 on the inside interface:
static (inside,intf2) 188.8.131.52 10.0.0.60 netmask 255.255.255.255
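As an added example that is not from any poster in this thread, the fragment below puts the earlier answer's three pieces (nat/global for higher-to-lower traffic, a static for lower-to-higher traffic, and an access-list applied to the lower-level interface) together with the final static map, in PIX 6.x syntax. The interface names, security levels and addresses are the ones given in the thread; the /24 masks, the ethernet slot numbers and the choice of only permitting the mail ports from intf2 are assumptions.

```cisco
! Assumed interface layout from the thread: inside (100), intf2 (99), outside (0)
nameif ethernet1 inside security100
nameif ethernet2 intf2 security99
ip address inside 10.0.0.1 255.255.255.0
ip address intf2 10.0.1.1 255.255.255.0

! Higher -> lower: hosts on inside and intf2 only need a nat/global pair to get out
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
nat (intf2) 1 10.0.1.0 255.255.255.0 0 0
global (outside) 1 interface

! Lower -> higher: fixed translation of the inside mail server as seen from intf2.
! Reusing the address the DNS name resolves to (from the thread) means intf2 hosts
! reach the server by name without any DNS rewriting.
static (inside,intf2) 188.8.131.52 10.0.0.60 netmask 255.255.255.255

! Connections initiated from the lower-level interface must be explicitly permitted;
! limiting this to the mail ports (assumed) rather than 'ip any any' keeps intf2
! from reaching the rest of the inside network through the PIX.
access-list intf2_in permit tcp 10.0.1.0 255.255.255.0 host 188.8.131.52 eq smtp
access-list intf2_in permit tcp 10.0.1.0 255.255.255.0 host 188.8.131.52 eq pop3
access-group intf2_in in interface intf2
```

Note that once an access-group is applied to intf2, traffic from that interface that the list does not permit is dropped, so any other flows intf2 hosts need (for example outbound web access) have to be listed as well.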