Re: two inside interfaces talking to one another?

davistw · ‎05-22-2008

I am trying to get 2 inside interfaces on a PIX 515E to talk to one another. (These networks need to have any-any type connectivity to each other)

I know on 7.X all you should have to do is create them with the same security level and do a:

same-security-traffic permit inter-interface

However, I am running 6.3 and cant upgrade due to memory to 7.X

Here is what I have

ETH0 Outside interface (nat pool) security level 0 (X.X.X.X - Outside/Internet)

ETH1 Inside interface security level 100 (192.168.5.0/24) (Inside space 1)

ETH1 Inside2 interface (VLAN3) security level 99 (192.168.6.0/23) (Inside space 2)

I can get the inside (192.168.5.X) to talk to inside2 (192.168.6.X) by doing a

access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.254.0

nat (inside) 0 access-list inside_outbound_nat0_acl

But I can't for the life of me get inside2 (192.168.6.X) to talk to inside (192.168.5.X)

davistw · ‎05-24-2008

Here is a picture of what I am trying to do...

andrew.prince · ‎05-25-2008

Tom,

Try the below

static (Inside2,Inside) 192.168.6.0 192.168.6.0 netmask 255.255.255.00

Or

access-list inside2_outbound_nat0_acl permit ip 192.168.6.0 255.255.254.0 192.168.5.0 255.255.255.0

nat (inside2) 0 access-list inside2_outbound_nat0_acl

And of course - if as Inside2 will have a lower security level - make sure you are allowing via and ACL traffic from Inside2 to Inside?

HTH.

davistw · ‎05-27-2008

Thanks for the pointer...

What I ended up doing was:

access-list inside2_vlan3_access_in permit ip 192.168.6.0 255.255.254.0 192.168.5.0 255.255.255.0

access-group inside2_vlan3_access_in in interface inside2_vlan3

static (inside,inside2_vlan3) 192.168.5.0 192.168.5.0 netmask 255.255.255.0

access-list inside2_vlan3_access_in permit ip 192.168.6.0 255.255.254.0 any