reaching a server on a vlan not directly connected to the inside interface

rpalacio
Level 1

Scenario

PIX 515

6506 core with VLANs A, B, C (inter-VLAN routing is OK)

VLAN C is directly connected to the inside interface of the FW

Question

How could a host from outside reach a server ServerA on VLAN A?


7 Replies

mostiguy
Level 6

There needs to be a hole opened via conduit/access list on the firewall to allow access, so long as the firewall can route to Server A. If you are using NAT/PAT internally, you would also need to statically forward a port for the server as well.

It would be more appreciated if you elaborated more, like citing an example... I mean commands.

On the PIX, try pinging the server by IP address:

ping 1.2.3.4

1.2.3.4 response received - 0ms

If you get a response, then the PIX has a route to the server. Then you need to open a hole in the access-list/conduit and make a NAT statement. Examples depend on your configuration.

OK. Let me explain this with an example.

If the network of A is 10.10.1.0

Network of B is 10.10.2.0

Network of C is 10.10.3.0

PIX is 10.10.3.1 and the Network C VLAN interface is 10.10.3.2

Server in VLAN A is 10.10.1.10

On the PIX, routes need to be added for networks A and B:

route inside 10.10.1.0 255.255.255.0 10.10.3.2

route inside 10.10.2.0 255.255.255.0 10.10.3.2

Once the above is done, you should be able to reach hosts in networks A and B from the PIX. Try ping.

Providing access for the server should be a straightforward procedure, as you do for hosts normally connected to the PIX inside interface, since we have solved the end-to-end connectivity between the PIX and hosts in VLANs A and B.

static (inside,outside) 211.x.x.x 10.10.1.10 netmask 255.255.255.255

access-list aclout permit tcp any host 211.x.x.x eq www

access-group aclout in interface outside

211.x.x.x is your public address.

Hope this clarifies the above issue.

That's a very clear one. Just for additional clarification:

1. So I can use static for addresses not directly connected to a PIX interface (in our case VLAN A and VLAN B)?

2. Is it also possible to use

static (inside,outside) 10.10.1.10 10.10.1.10

Thanks a lot.

Hi,

Regarding Point 1, yes, if the required routes for the networks connected to the inside network are configured on the PIX.

Regarding Point 2, if the IP address you are using on the inside network is routable (public IP), the command you have given will work. The command actually states that when host 10.10.1.10 on the inside network wants to go to the outside network, use the same IP. Because address translation is not occurring, the actual address of the server is presented as both the visible address and the address of the host. So if the IP you specify is not a public IP, the outside world cannot access it.
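As an added example (not part of this thread or of any Cisco tool), the following Python script audits the configuration pattern discussed in the worked example above and in the identity-static question: it parses the `route inside`, `static (inside,outside)`, `access-list` and `access-group` lines, checks that the real address behind each static is actually reachable through the inside interface (directly connected subnet or a `route inside` entry), flags identity statics that use a private address (which, as the answer notes, only work where the outside network routes that address), and flags access-list entries that open every port to a mapped host. The configuration text is constructed for the example, mirroring the thread's 10.10.x.0 layout; `211.0.113.x` stands in for the thread's `211.x.x.x`, and the last two statics are deliberately flawed so the audit has something to report.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed PIX 6.x-style configuration (assumption: not taken from the
# poster's firewall). VLAN A/B/C on 10.10.x.0/24, PIX inside 10.10.3.1,
# 6506 VLAN C interface 10.10.3.2. 211.0.113.x stands in for "211.x.x.x".
# The second static (identity NAT with a private address) and the third
# (no inside route, port-less permit) are deliberately flawed.
SAMPLE_CONFIG = """
ip address inside 10.10.3.1 255.255.255.0
route inside 10.10.1.0 255.255.255.0 10.10.3.2
route inside 10.10.2.0 255.255.255.0 10.10.3.2
static (inside,outside) 211.0.113.5 10.10.1.10 netmask 255.255.255.255
static (inside,outside) 10.10.2.20 10.10.2.20 netmask 255.255.255.255
static (inside,outside) 211.0.113.6 10.10.4.10 netmask 255.255.255.255
access-list aclout permit tcp any host 211.0.113.5 eq www
access-list aclout permit ip any host 211.0.113.6
access-group aclout in interface outside
"""

# Accepts both "static (inside,outside)" and "static (inside, outside)".
STATIC_RE = re.compile(r"static\s*\(inside,\s*outside\)\s+(\S+)\s+(\S+)")


@dataclass
class PixConfig:
    inside_net: Optional[ipaddress.IPv4Network] = None
    routes: List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]] = field(default_factory=list)
    statics: List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = field(default_factory=list)
    acl: List[Tuple[str, str, ipaddress.IPv4Address, Optional[str]]] = field(default_factory=list)
    applied: Dict[str, str] = field(default_factory=dict)  # acl name -> interface


def parse_config(text: str) -> PixConfig:
    """Pick out the handful of statements the audit needs; everything else is ignored."""
    cfg = PixConfig()
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[:3] == ["ip", "address", "inside"]:
            cfg.inside_net = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
        elif tok[:2] == ["route", "inside"]:
            net = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
            cfg.routes.append((net, ipaddress.ip_address(tok[4])))
        elif tok[0] == "static":
            m = STATIC_RE.match(raw.strip())
            if m:
                cfg.statics.append((ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))))
        elif tok[0] == "access-list" and len(tok) >= 7 and tok[2] == "permit" and tok[5] == "host":
            # "access-list NAME permit PROTO any host DST [eq PORT]"
            port = tok[8] if len(tok) >= 9 and tok[7] == "eq" else None
            cfg.acl.append((tok[1], tok[3], ipaddress.ip_address(tok[6]), port))
        elif tok[0] == "access-group" and len(tok) >= 5:
            cfg.applied[tok[1]] = tok[4]
    return cfg


def inside_route_for(cfg: PixConfig, ip) -> Optional[ipaddress.IPv4Network]:
    """Longest-prefix match for ip among the directly connected inside subnet and
    the 'route inside' entries; None means the PIX has no inside path to it."""
    ip = ipaddress.ip_address(ip)
    candidates = [net for net, _ in cfg.routes if ip in net]
    if cfg.inside_net is not None and ip in cfg.inside_net:
        candidates.append(cfg.inside_net)
    return max(candidates, key=lambda n: n.prefixlen, default=None)


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings for each static translation."""
    cfg = parse_config(text)
    findings = []
    # Only ACL entries actually applied inbound on outside count as exposure.
    exposed: Dict[ipaddress.IPv4Address, List[Tuple[str, Optional[str]]]] = {}
    for name, proto, dst, port in cfg.acl:
        if cfg.applied.get(name) == "outside":
            exposed.setdefault(dst, []).append((proto, port))
    for mapped, real in cfg.statics:
        if inside_route_for(cfg, real) is None:
            findings.append(("unreachable", f"static for {real}: no inside route, add 'route inside <net> <mask> <next-hop>'"))
        if mapped == real and real.is_private:
            findings.append(("identity-private", f"identity static for {real}: private address, reachable only where the outside network routes it"))
        rules = exposed.get(mapped, [])
        if not rules:
            findings.append(("no-acl", f"mapped {mapped}: no outside access-list entry permits traffic to it"))
        for proto, port in rules:
            if proto == "ip" or port is None:
                findings.append(("broad-acl", f"mapped {mapped}: 'permit {proto}' with no port exposes every service on {real}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_CONFIG):
        print(f"[{kind}] {detail}")
```

Run against the sample, the first static (public mapped address, inside route present, `permit tcp ... eq www`) produces no findings, which is the configuration the worked example arrives at; the other two show what the audit catches when a route or a tight ACL is missing. Routing via the 6506's VLAN C interface is what makes a static for a non-connected VLAN work at all, so the `unreachable` check runs first.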

Excellent, that's fine. The outside is connected to our branches anyway, not to the Internet.

Again, my many thanks.
