01-11-2004 04:45 AM - edited 03-09-2019 06:05 AM
Scenario:
PIX 515
6506 core with VLANs A, B, C (inter-VLAN routing is OK)
VLAN C is directly connected to the inside interface of the firewall
Question:
How could a host from outside reach a server ServerA on VLAN A?
01-11-2004 09:35 AM
There needs to be a hole opened via conduit/access list on the firewall to allow access, so long as the firewall can route to server A. If you are using NAT/PAT internally, you would also need to statically forward a port for the server.
01-11-2004 11:17 AM
It would be much appreciated if you could elaborate more, like citing an example... I mean commands.
01-11-2004 12:25 PM
On the PIX, try pinging the server by IP address:
ping 1.2.3.4
1.2.3.4 response received - 0ms
If you get a response, then the PIX has a route to the server. Then you need to open a hole in the access-list/conduit and make a NAT statement. Examples depend on your configuration.
01-11-2004 09:49 PM
Ok. Let me explain this with an example.
If the network of A is 10.10.1.0
Network of B is 10.10.2.0
Network of C is 10.10.3.0
PIX is 10.10.3.1 and the Network C VLAN interface is 10.10.3.2
Server in VLAN A is 10.10.1.10
On the PIX, routes need to be added for networks A and B:
route inside 10.10.1.0 255.255.255.0 10.10.3.2
route inside 10.10.2.0 255.255.255.0 10.10.3.2
Once the above is done, you should be able to reach hosts in Network A and B from the PIX. Try ping.
Providing access to the server should then be a straightforward procedure, the same as you do for hosts connected directly to the PIX inside, since we have solved the end-to-end connectivity between the PIX and the hosts in VLAN A and B.
static (inside,outside) 211.x.x.x 10.10.1.10 netmask 255.255.255.255
access-list aclout permit tcp any host 211.x.x.x eq www
access-group aclout in interface outside
211.x.x.x is your public address.
Hope this clarifies the above issue.
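An added example, not part of any post in this thread: a small Python audit that checks a PIX config for the pieces the answer above relies on (a route covering the server's real address, a static, and an inbound ACL bound to outside). The sample config is constructed from the thread's addressing; `203.0.113.10` stands in for the elided `211.x.x.x`, and the /24 inside mask and the `audit_pix` helper name are assumptions.

```python
import ipaddress
import re

# Constructed sample built from the thread's addressing. 203.0.113.10 stands in for
# the elided public address; the /24 mask on the inside interface is an assumption.
SAMPLE = """\
ip address inside 10.10.3.1 255.255.255.0
route inside 10.10.1.0 255.255.255.0 10.10.3.2
route inside 10.10.2.0 255.255.255.0 10.10.3.2
static (inside,outside) 203.0.113.10 10.10.1.10 netmask 255.255.255.255
access-list aclout permit tcp any host 203.0.113.10 eq www
access-group aclout in interface outside
"""

def audit_pix(config):
    """Return findings for statics, routes and inbound ACLs (hypothetical helper)."""
    nets, statics, permits, bound = {}, [], {}, set()
    for line in config.splitlines():
        t = line.split()
        m = re.match(r"static\s+\((\w+),\s*\w+\)\s+(\S+)\s+(\S+)", line.strip())
        if m:  # static (real_if,mapped_if) global_ip real_ip
            statics.append((m.group(1), ipaddress.ip_address(m.group(2)),
                            ipaddress.ip_address(m.group(3))))
        elif t[:2] == ["ip", "address"] and len(t) == 5:  # connected network
            nets.setdefault(t[2], []).append(
                ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False))
        elif t[:1] == ["route"] and len(t) >= 5:          # static route
            nets.setdefault(t[1], []).append(
                ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False))
        elif t[:1] == ["access-list"] and "permit" in t and "host" in t:
            dst = t[len(t) - t[::-1].index("host")]       # token after the last "host"
            permits.setdefault(t[1], set()).add(ipaddress.ip_address(dst))
        elif t[:1] == ["access-group"] and t[2:] == ["in", "interface", "outside"]:
            bound.add(t[1])
    allowed = set().union(*(permits.get(a, set()) for a in bound))
    mapped = {glob for _, glob, _ in statics}
    findings = []
    for real_if, glob, real in statics:
        if not any(real in n for n in nets.get(real_if, [])):
            findings.append(f"no connected network or route on {real_if} covers {real}")
        if glob not in allowed:
            findings.append(f"no inbound ACL on outside permits {glob}")
        if glob == real and real.is_private:
            findings.append(f"identity static for private address {real}")
    findings += [f"ACL permits {h} but no static maps it" for h in sorted(allowed - mapped)]
    return findings

if __name__ == "__main__":
    print(audit_pix(SAMPLE) or "no findings")
```

The last finding in the loop flags an identity static for a private address, which only works where the outside network can route to that address.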
01-12-2004 08:13 AM
That's a very clear one. Just for additional clarification:
1. So I can use static for addresses not directly connected to a PIX interface (in our case it's vlanA and vlanB)?
2. Is it also possible to use
static (inside, outside) 10.10.1.10 10.10.1.10
Thanks a lot.
01-12-2004 08:46 AM
Hi,
Regarding Point 1, yes, if the required routes for the networks connected to the inside network are done on the PIX.
Regarding Point 2, if the IP address you are using on the inside network is routable (public IP), the command which you have given will work. The command actually states that when host 10.10.1.10 on the inside network wants to go to the outside network, it uses the same IP. Because address translation is not occurring, the actual address of the server is presented as both the visible address and the address of the host. So if the IP you specify is not a public IP, the outside world cannot access it.
01-12-2004 09:59 AM
Excellent... that's fine. The outside is connected to our branches anyway, not to the Internet.
Again, my many thanks.