Pix520 as a VLAN policy router?

BRIAN SEKLECKI
Level 1

Can the PIX 520 function in the capacity of a simple ACL router? I.e., a default-deny policy with granular permit IP extended access lists.

There is some suggestion in the "Cisco Secure PIX Firewalls", Chapman/Fox that traffic can flow between multiple interfaces of the same security level but it is not a CCO-supported configuration.

I have multiple VLANs that I would like to setup very granular ACLs for and I do not want to assume one network has a higher security level than another.

interface ethernet0 100full
interface ethernet0 vlan1 physical
interface ethernet0 vlan10 logical
interface ethernet0 vlan20 logical
interface ethernet0 vlan21 logical
interface ethernet1 auto shutdown
nameif ethernet0 trunk security0
nameif ethernet1 inside security100
nameif vlan20 test0 security50
nameif vlan21 test1 security50
nameif vlan10 dmz security50
access-list 100 permit ip host 192.168.8.2 host 192.168.2.50 log
ip address test0 192.168.8.1 255.255.255.0
ip address test1 192.168.7.1 255.255.255.0
ip address dmz 192.168.2.201 255.255.255.0
access-group 100 in interface test0

---------

If I ping from a host in Vlan2 at 192.168.8.2 to 192.168.2.50 (on dmz/vlan10), I get the following syslog:

106011: Deny inbound (No xlate) icmp src test0:192.168.8.2 dst dmz:192.168.2.50 (type 8, code 0)

Suggesting that an xlate/conduit/static/global command is needed, but NAT should not be a requirement.

~BAS

3 Replies

BRIAN SEKLECKI
Level 1

I just read about "Nat 0 Access-List" or NAT Exemption and added:

access-list no-nat permit ip 192.168.8.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (test0) 0 access-list no-nat

---

I have the same results.

~lava

varakantam
Level 1

You could configure it as an ACL filter, but you need to configure NAT exemption to make it work:

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008052564b.html#wp1043405

and you also need to allow communication between interfaces at the same security level:

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b7c.html#wp1039276

Yes, I saw that, except it's for 7.x only *and* the latest Pix OS that will run on a 520 w/ 16mb of flash is 6.3(5) (iirc).

Just to reiterate: what I'm looking to do is enforce a "block all except ACL" policy. In the configuration at hand, there is no concept of a "DMZ", "WAN", "Inside", etc.

I *can* apply "nat (vlan#) 0 acl" with a different respective ACL to each interface using access-group, no problem, but I need the equivalent syntax for 6.x (unless there's some magic to getting 7.x on a Pix 520).

The release notes for 7.0(4) say 16mb flash is the minimum requirement, but they don't mention the 520 at all (unless that's an attempt to marginalize it).

Version 7.0(4):

http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_note09186a0080546bbd.html#wp31990
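The thread boils down to two separate gates that a permit ACE on a PIX has to pass before traffic flows: the ACL itself, and the translation/security-level rules that sit underneath it. The following static checker is an added example written for this page; it is not code from the thread, from Cisco, or from any PIX tool. It reads the config lines posted above (with the `nat (test0) 0 access-list no-nat` line from the first reply folded into a constructed sample) and, for each interface that has an access-group applied, reports the default-deny posture, whether a `nat 0` exemption covers each permit ACE (the thing the `106011 Deny inbound (No xlate)` syslog is complaining about), and whether the source and destination interfaces share a security level, which PIX 6.x will not forward and which 7.0+ only forwards with `same-security-traffic permit inter-interface`. It assumes the simple ACE grammar used in the thread (`host X`, `X MASK`, `any`) and IPv4 only; the finding kinds and the `SAMPLE_CONFIG` text are constructed for the example.

```python
"""Static audit of a PIX 6.x-style config for ACL-router use (added example).

Only the constructs the thread uses are modelled: nameif, ip address,
access-list permit/deny, access-group, and nat (if) 0 access-list.
"""
import ipaddress

# Constructed sample: the poster's interfaces and ACL plus the nat 0 exemption
# added in the first reply. Not a full PIX config.
SAMPLE_CONFIG = """
nameif ethernet0 trunk security0
nameif ethernet1 inside security100
nameif vlan20 test0 security50
nameif vlan21 test1 security50
nameif vlan10 dmz security50
access-list 100 permit ip host 192.168.8.2 host 192.168.2.50 log
access-list no-nat permit ip 192.168.8.0 255.255.255.0 192.168.2.0 255.255.255.0
ip address test0 192.168.8.1 255.255.255.0
ip address test1 192.168.7.1 255.255.255.0
ip address dmz 192.168.2.201 255.255.255.0
access-group 100 in interface test0
nat (test0) 0 access-list no-nat
"""


def _parse_addr(tokens, i):
    """Parse one ACE address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "network mask" form; strict=False tolerates host bits in the address
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_pix_config(text):
    """Pull security levels, interface subnets, ACLs, access-groups and nat 0 rules."""
    cfg = {"levels": {}, "nets": {}, "acls": {}, "groups": {}, "nat0": {}}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif" and len(t) == 4:          # nameif HW NAME securityN
            cfg["levels"][t[2]] = int(t[3].replace("security", ""))
        elif t[:2] == ["ip", "address"]:               # ip address NAME IP MASK
            cfg["nets"][t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}").network
        elif t[0] == "access-list" and t[2] in ("permit", "deny"):
            src, i = _parse_addr(t, 4)
            dst, _ = _parse_addr(t, i)
            cfg["acls"].setdefault(t[1], []).append((t[2], t[3], src, dst))
        elif t[0] == "access-group":                   # access-group ACL in interface NAME
            cfg["groups"][t[4]] = t[1]
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat0"][t[1].strip("()")] = t[4]       # nat (NAME) 0 access-list ACL
    return cfg


def _iface_for(cfg, net):
    """Longest-prefix match of a destination network against interface subnets."""
    best = None
    for name, inet in cfg["nets"].items():
        if net.subnet_of(inet) and (best is None or inet.prefixlen > cfg["nets"][best].prefixlen):
            best = name
    return best


def audit(text):
    """Return (kind, interface, detail) findings for every inbound ACL on the box."""
    cfg = parse_pix_config(text)
    findings = []
    for iface, acl in cfg["groups"].items():
        permits = [a for a in cfg["acls"].get(acl, []) if a[0] == "permit"]
        findings.append(("default-deny", iface,
                         f"ACL {acl} inbound: {len(permits)} permit ACE(s), implicit deny otherwise"))
        exempt = cfg["acls"].get(cfg["nat0"].get(iface), [])
        for _, proto, src, dst in permits:
            dst_if = _iface_for(cfg, dst)
            if dst_if is None:
                findings.append(("unknown-dst", iface, f"{proto} {src} -> {dst} matches no interface subnet"))
                continue
            src_lvl, dst_lvl = cfg["levels"].get(iface), cfg["levels"].get(dst_if)
            if src_lvl == dst_lvl:
                findings.append(("same-security", iface,
                                 f"-> {dst_if}: both security{src_lvl}; 6.x drops this, 7.0+ needs "
                                 "'same-security-traffic permit inter-interface'"))
            elif src_lvl < dst_lvl:
                findings.append(("lower-to-higher", iface,
                                 f"-> {dst_if}: needs an explicit static translation for {dst} as well"))
            # Any direction still needs an xlate; a nat 0 exemption covering the ACE supplies one.
            if not any(src.subnet_of(s) and dst.subnet_of(d) for _, _, s, d in exempt):
                findings.append(("no-xlate", iface,
                                 f"no nat 0 exemption covers {src} -> {dst}; expect %PIX-106011 (No xlate)"))
    return findings


if __name__ == "__main__":
    for kind, iface, detail in audit(SAMPLE_CONFIG):
        print(f"[{kind}] {iface}: {detail}")
```

Run against the sample, the checker confirms the ACL side is already a default-deny router policy and that the `nat 0` exemption covers the permitted host pair, and then pins the remaining blocker on the identical `security50` levels of `test0` and `dmz`, which matches the conclusion the thread reaches. Deleting the `nat` line from the sample reproduces the earlier "No xlate" state as a `no-xlate` finding.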