I have a PIX with several internal networks including a DMZ, general LAN and an inside/protected network. Everyone is able to get to the Internet using PAT, and higher security interfaces can access lower ones without using NAT. I would like to allow specific clients on lower level interfaces to access servers on the inside network without using NAT, i.e. by accessing the server's real IP. For example, our general LAN uses 192.168.3.x, and our inside network uses 192.168.101.x. Client 192.168.3.50 should have access to 192.168.101.5. When I created an access-list to permit this and applied it to the interface, it broke outgoing Internet/PAT access.
All the config examples I've seen have static NATs between the internal interfaces, which I'd like to avoid. Is this possible? I've also seen several references to "net static" commands with the format
static (high,low) high high
but don't really understand how this works or if it could help me.
Anyway, here's part of my running config (with Internet access working). Thanks!
PIX Version 6.3(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security40
nameif ethernet3 LAN security60
names
name 192.168.0.148 ftp
name MY.PUBLIC.IP.148 ftp_pub
access-list 101 permit tcp 192.168.3.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list 101 permit icmp any any
access-list acl_out permit tcp any host ftp_pub eq ftp
access-list acl_out permit tcp any host ftp_pub eq ftp-data
<---next ACL for VPN--->
access-list 100 permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 100 permit ip 192.168.3.0 255.255.255.0 192.168.100.0 255.255.255.0
ip address outside MY.PUBLIC.IP.130 255.255.255.192
ip address inside 192.168.101.1 255.255.255.0
ip address DMZ 192.168.0.1 255.255.255.0
ip address LAN 192.168.3.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 192.168.101.0 255.255.255.0 0 0
nat (DMZ) 0 access-list 101
nat (DMZ) 1 192.168.0.0 255.255.255.0 0 0
nat (LAN) 0 access-list 101
nat (LAN) 1 192.168.3.0 255.255.255.0 0 0
static (DMZ,outside) ftp_pub ftp netmask 255.255.255.255 0 0
access-group acl_out in interface outside
sysopt connection permit-ipsec...
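An added example, not part of the original post: a small Python model of how a PIX interface ACL is evaluated (top-down, first match, and an implicit deny of anything no line matches), run over the two access-list 101 lines quoted above. It is a way to check which flows an ACL would permit before binding it to an interface with access-group. The test flows, the 203.0.113.10 address (RFC 5737 documentation range) and the port-name table are constructed for the example. One caveat the model does not capture: in this config access-list 101 is also referenced by the nat 0 statements, so whatever is matched by it is exempted from translation as well; an ACL meant for access-group and one meant for NAT exemption are best kept as separately named lists.

```python
import ipaddress

# Constructed sample input: the two access-list 101 lines quoted in the post,
# in PIX 6.3 "network mask" syntax (a real subnet mask, not an IOS wildcard).
ACL_101 = """
access-list 101 permit tcp 192.168.3.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list 101 permit icmp any any
"""

# Hypothetical port-name table, just enough for the names that appear in the post.
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "www": 80, "http": 80, "https": 443}


def _parse_addr(tokens, i):
    """Parse one PIX address spec at tokens[i]; return (network, index of next token)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "network netmask" form: ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Turn 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines into entries."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        port = None
        if i + 1 < len(t) and t[i] == "eq":
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        entries.append({"line": line, "action": t[2], "proto": t[3],
                        "src": src, "dst": dst, "dport": port})
    return entries


def evaluate(entries, proto, src, dst, dport=None):
    """First-match evaluation; returns (action, matching line).
    A flow that matches no line hits the implicit deny at the end of the ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e["proto"] not in ("ip", proto):      # 'ip' matches every protocol
            continue
        if s not in e["src"] or d not in e["dst"]:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], e["line"]
    return "deny", "<implicit deny at end of ACL>"


def check_flows(acl_text, flows):
    """Evaluate each (proto, src, dst, dport) flow; returns the actions in order."""
    entries = parse_acl(acl_text)
    return [evaluate(entries, *f)[0] for f in flows]


# Constructed test flows: the client/server pair from the post plus
# outbound traffic to a documentation-range (RFC 5737) Internet address.
FLOWS = [
    ("tcp", "192.168.3.50", "192.168.101.5", 445),   # LAN client to inside server
    ("icmp", "192.168.3.50", "203.0.113.10", None),  # ping to the Internet
    ("tcp", "192.168.3.50", "203.0.113.10", 80),     # web to the Internet
    ("udp", "192.168.3.50", "192.168.101.5", 53),    # DNS to inside server
]

if __name__ == "__main__":
    entries = parse_acl(ACL_101)
    for f in FLOWS:
        action, why = evaluate(entries, *f)
        print(f"{f[0]:4} {f[1]} -> {f[2]}:{f[3]}  {action:6}  ({why})")
```

With only the two lines from the post, the LAN-to-inside TCP flow and the ping are permitted while the web connection and the UDP flow fall through to the implicit deny; appending a final `access-list 101 permit ip any any` line permits all four, which is exactly why a list meant to bind to an interface should be checked this way (and kept separate from the list used for nat 0) before it is applied.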