05-22-2008 08:12 AM
I am trying to get 2 inside interfaces on a PIX 515E to talk to one another. (These networks need to have any-any type connectivity to each other)
I know on 7.X all you should have to do is create them with the same security level and do a:
same-security-traffic permit inter-interface
However, I am running 6.3 and can't upgrade due to memory to 7.X
Here is what I have
ETH0 Outside interface (nat pool) security level 0 (X.X.X.X - Outside/Internet)
ETH1 Inside interface security level 100 (192.168.5.0/24) (Inside space 1)
ETH1 Inside2 interface (VLAN3) security level 99 (192.168.6.0/23) (Inside space 2)
I can get the inside (192.168.5.X) to talk to inside2 (192.168.6.X) by doing a
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.254.0
nat (inside) 0 access-list inside_outbound_nat0_acl
But I can't for the life of me get inside2 (192.168.6.X) to talk to inside (192.168.5.X)
05-24-2008 11:15 AM
05-25-2008 01:04 PM
Tom,
Try the below
static (Inside2,Inside) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
Or
access-list inside2_outbound_nat0_acl permit ip 192.168.6.0 255.255.254.0 192.168.5.0 255.255.255.0
nat (inside2) 0 access-list inside2_outbound_nat0_acl
And of course - as Inside2 will have a lower security level - make sure you are allowing traffic from Inside2 to Inside via an ACL.
HTH.
05-27-2008 10:44 AM
Thanks for the pointer...
What I ended up doing was:
access-list inside2_vlan3_access_in permit ip 192.168.6.0 255.255.254.0 192.168.5.0 255.255.255.0
access-group inside2_vlan3_access_in in interface inside2_vlan3
static (inside,inside2_vlan3) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
access-list inside2_vlan3_access_in permit ip 192.168.6.0 255.255.254.0 any
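In the access list from the last post, the second permit entry (destination `any`) covers the first one. As an added example, not written by anyone in this thread, the Python check below parses PIX-style `access-list ... ip` entries and reports entries that a broader entry in the same ACL fully covers. The function names are hypothetical, and the check assumes it is only meaningful for ACLs whose entries all share one action.

```python
import ipaddress
import re

# Constructed sample: the two ACEs from the final post in this thread.
SAMPLE = """\
access-list inside2_vlan3_access_in permit ip 192.168.6.0 255.255.254.0 192.168.5.0 255.255.255.0
access-list inside2_vlan3_access_in permit ip 192.168.6.0 255.255.254.0 any
"""

def _take_net(tokens):
    """Consume 'any', 'host A' or 'A MASK' from the token list; return a network."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # strict parsing: raises if the address has bits set outside the mask
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}")

def parse_aces(config):
    """Return [(acl_name, action, src_net, dst_net, line)] for 'ip' ACEs only."""
    aces = []
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) (permit|deny) ip (.+)$", line.strip())
        if m:
            tokens = m.group(3).split()
            src = _take_net(tokens)
            dst = _take_net(tokens)
            aces.append((m.group(1), m.group(2), src, dst, line.strip()))
    return aces

def redundant_aces(aces):
    """Pairs (narrow_line, broad_line): narrow is fully covered by broad."""
    found = []
    for i, (name, action, src, dst, line) in enumerate(aces):
        # Assumption: skip ACLs that mix permit and deny, where order matters.
        if any(n == name and a != action for n, a, *_ in aces):
            continue
        for j, (n2, _a2, s2, d2, l2) in enumerate(aces):
            if (i != j and name == n2 and (src, dst) != (s2, d2)
                    and src.subnet_of(s2) and dst.subnet_of(d2)):
                found.append((line, l2))
    return found

if __name__ == "__main__":
    for narrow, broad in redundant_aces(parse_aces(SAMPLE)):
        print("covered:", narrow, "\n     by:", broad)
```

On the sample it reports the entry for 192.168.5.0/24 as covered by the `any` entry, which means inside2 is permitted to every destination and not only to the inside network.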