Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Pix520 as a VLAN policy router?

Can the PIX 520 function in the capacity of a simple ACL router? I.e., a default-deny policy with granular permit IP extended access lists.

There is some suggestion in the "Cisco Secure PIX Firewalls", Chapman/Fox that traffic can flow between multiple interfaces of the same security level but it is not a CCO-supported configuration.

I have multiple VLANs that I would like to setup very granular ACLs for and I do not want to assume one network has a higher security level than another.

interface ethernet0 100full

interface ethernet0 vlan1 physical

interface ethernet0 vlan10 logical

interface ethernet0 vlan20 logical

interface ethernet0 vlan21 logical

interface ethernet1 auto shutdown

nameif ethernet0 trunk security0

nameif ethernet1 inside security100

nameif vlan20 test0 security50

nameif vlan21 test1 security50

nameif vlan10 dmz security50

access-list 100 permit ip host 192.168.8.2 host 192.168.2.50 log

ip address test0 192.168.8.1 255.255.255.0

ip address test1 192.168.7.1 255.255.255.0

ip address dmz 192.168.2.201 255.255.255.0

access-group 100 in interface test0

---------

If I ping from a host in Vlan2 at 192.168.8.2 to 192.168.2.50 (on dmz/vlan10), I get the following syslog:

106011: Deny inbound (No xlate) icmp src test0:192.168.8.2 dst dmz:192.168.2.50 (type 8, code 0)

Suggesting that an xlate/conduit/static/global command are needed, but NAT should not be a requirement.

~BAS

3 REPLIES
New Member

Re: Pix520 as a VLAN policy router?

I just read about "Nat 0 Access-List" or NAT Excemption and added:

access-list no-nat permit ip 192.168.8.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (test0) 0 access-list no-nat

---

I have the same results.

~lava

New Member

Re: Pix520 as a VLAN policy router?

You could configure it as an ACL filter, but need to configure NAT exemption to make it work

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008052564b.html#wp1043405

and you also need to allow communication between same security levels

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b7c.html#wp1039276

New Member

Re: Pix520 as a VLAN policy router?

Yes, I saw that, except it's for 7.x only *and* the latest Pix OS that will run on a 520 w/ 16mb of flash is 6.3(5) (iirc).

Just to reitterate: I'm looking to do is enforce a "block all except ACL" policy. In the configuration at hand, there is no concept of a "DMZ", "WAN", "Inside", etc.

I *can* apply "nat (vlan#) 0 acl" with a different respective ACL to each interface using access-group, no problem, but I need the equivilant syntax for 6.x (unless there's some magic to getting 7.x on a Pix 520)

The release notes for 7.0(4) say 16mb flash min requirement, but they don't mentio the 520 at all (unless that's an attempt to marginalize it)

Version 7.0(4):

http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_note09186a0080546bbd.html#wp31990

100
Views
0
Helpful
3
Replies