
Communication b/n two subnets


emil60148

IS-IT--Management
May 6, 2005
8
US
I have a small network with a Pix and a Router
Internet --- Pix .1 --- 10.0.2.0 ----.2 R .1 --- 10.0.3.0
I have access to the Internet from 10.0.2.0 and 10.0.3.0
I need to "see" computers in 10.0.3.0 from 10.0.2.0

There is a Web Server with IP Add 10.0.3.10 which is for our office use only
After I added in the Pix configuration
route inside 10.0.3.0 255.255.255.0 10.0.2.2 1
I am able to ping from 10.0.2.0 to 10.0.3.0 but I couldn't http to the WebServer, so I had to add in the R config
ip nat inside source static 10.0.3.10 10.0.2.10
and now hosts in 10.0.2.0 access the WebServer using Address 10.0.2.10

How can I access computers (I need to do file sharing and remote desktop) in 10.0.3.0 from 10.0.2.0 without a static mapping for each computer? I mean, how can I communicate with computers directly using their 10.0.3 address?
Here is most of the R config file

interface Ethernet0/0
ip address 10.0.2.2 255.255.255.0
ip nat outside
half-duplex
!
interface Serial0/0
no ip address
shutdown
!
interface Ethernet0/1
ip address 10.0.3.1 255.255.255.0
ip nat inside
half-duplex
!
interface Serial0/1
no ip address
shutdown
!
ip nat inside source list 1 interface Ethernet0/0 overload
ip nat inside source static 10.0.3.10 10.0.2.10
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.2.1
!
access-list 1 permit 10.0.3.0 0.0.0.255

Thank you for your time
 
I haven't seen extended ACLs used in this way, but it should work fine.

access-list 101 deny ip 10.0.3.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 101 permit ip 10.0.3.0 0.0.0.255 any

and use that instead of "source list 1". I think your web requests are coming in, but are being NAT'd on the way out.

It would be simpler if the router wasn't performing NAT, unless it must for some reason.
 
I used NAT to allow 10.0.3.0 to "see" the 10.0.2.0 network and to have Internet access

ip nat inside source list 1 interface Ethernet0/0 overload
access-list 1 permit 10.0.3.0 0.0.0.255

How can I do it without NAT?

Thanks
 
The Pix provides NAT. It'll "nat inside" all internal addresses, if you like.
 
Thanks
When you say the Pix provides NAT, do you mean to get rid of the router?
I would prefer to keep the router because we are adding more computers in the 10.0.2.0 area
People are leaving here for the day so I can try to change some of the configurations. I'll try the access-list you suggested the first time to see if I can have connections in both directions 10.0.2.0 <--> 10.0.3.0:
access-list 101 deny ip 10.0.3.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 101 permit ip 10.0.3.0 0.0.0.255 any

Do you think I need to keep
ip nat inside
ip nat outside
on both interfaces?
Thanks
 
What's the default gateway of those PCs in the subnet 10.0.2.0/24?
 
I mean, let the Pix handle NAT to the Internet. Your router doesn't need to NAT anything; let it route natively. That's what you're trying to accomplish anyway.

With "nat (inside) 1 0 0 0 0" and "global (outside) 1 interface" (or public ip of your choice), the Pix will provide NAT for all your internal hosts when they access the Internet. If the traffic doesn't go to the Internet, there's usually no need for NAT.

The gateway is a good point. It should be the router, not the Pix. The router can redirect traffic to the Pix.
 
Try this on the router:

interface Ethernet0/0
ip address 10.0.2.2 255.255.255.0
half-duplex
!
interface Ethernet0/1
ip address 10.0.3.1 255.255.255.0
half-duplex
!
interface Serial0/1
no ip address
shutdown
!
router rip
version 2
network 10.0.0.0
no auto-summary

This should fix the router side of things since your NAT is done by the PIX and unnecessary inside the network.

On the Pix you may want to do a default route for the inside networks:
route inside 0 0 10.0.2.2 1
 
If you can ping from a PC in subnet 10.0.2.0/24 to a PC in subnet 10.0.3.0/24, then the routing looks good. The PIX cannot have a default route for the inside networks because it should have one for the outside Internet. And for routing between connected subnets in the router, nothing needs to be done, not even dynamic routing protocols or static routes. The most important thing is that the PCs in both subnets must have a correct default gateway.

In this case, for PCs in subnet 10.0.2.0/24, the default gateway should be 10.0.2.2 (the router), while for PCs in subnet 10.0.3.0/24, the default gateway should be 10.0.3.1 (also the router). Let the router do the routing instead of the PIX. The PIX sucks at one-arm routing, from what I've heard.
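The gateway point made above can be checked by tracing a packet through the thread's topology. The following is an added illustration written for this page, not code from anyone in the thread: it models the router and the PIX as forwarding tables with longest-prefix match, follows a packet from a 10.0.2.0/24 host under both gateway choices, and enforces the "one default route on the PIX" rule stated above. The ISP-side addresses in 198.51.100.0/24 are documentation placeholders; the 10.0.x.x addresses and routes are the thread's own.

```python
"""Path trace for the thread's topology (added illustration, not from the thread).

Shows why the PCs' default gateway should be the router rather than the PIX:
with the PIX (10.0.2.1) as gateway, traffic from 10.0.2.0/24 to 10.0.3.0/24
enters and leaves the PIX's inside interface (a hairpin) before reaching the
router; with the router (10.0.2.2) as gateway it is delivered in one hop.
It also models the point that the PIX can hold only one default route.
The ISP-side addresses 198.51.100.x are documentation placeholders.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: Net
    iface: str
    next_hop: Optional[str] = None      # None = directly connected


@dataclass
class Device:
    name: str
    addrs: dict                         # interface name -> address string
    routes: list = field(default_factory=list)

    def add_route(self, route):
        # Models the thread's point: only one default route, so a
        # 'route inside 0 0 10.0.2.2' cannot coexist with the outside default.
        if route.prefix.prefixlen == 0 and any(r.prefix.prefixlen == 0 for r in self.routes):
            raise ValueError(f"{self.name}: a default route already exists")
        self.routes.append(route)

    def lookup(self, dst):
        """Longest-prefix match, as in any IP forwarding table."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def try_add_route(device, prefix, iface, next_hop=None):
    """Return True if the route was installed, False if the device rejected it."""
    try:
        device.add_route(Route(Net(prefix), iface, next_hop))
        return True
    except ValueError:
        return False


def build_lab():
    """The thread's devices: router with two connected subnets and a default
    toward the PIX; PIX with a default toward the ISP (placeholder) plus the
    'route inside 10.0.3.0 255.255.255.0 10.0.2.2 1' the poster added."""
    router = Device("R", {"e0/0": "10.0.2.2", "e0/1": "10.0.3.1"})
    router.add_route(Route(Net("10.0.2.0/24"), "e0/0"))
    router.add_route(Route(Net("10.0.3.0/24"), "e0/1"))
    router.add_route(Route(Net("0.0.0.0/0"), "e0/0", "10.0.2.1"))
    pix = Device("PIX", {"inside": "10.0.2.1", "outside": "198.51.100.2"})
    pix.add_route(Route(Net("10.0.2.0/24"), "inside"))
    pix.add_route(Route(Net("0.0.0.0/0"), "outside", "198.51.100.1"))
    pix.add_route(Route(Net("10.0.3.0/24"), "inside", "10.0.2.2"))
    return {"R": router, "PIX": pix}


def trace(devices, gateway, dst, max_hops=8):
    """Follow a packet from a host whose default gateway is `gateway` toward `dst`.
    Returns one (device, ingress, egress) tuple per hop; stops when the packet
    lands on a directly connected segment or leaves the lab toward the ISP."""
    by_addr = {a: (d, i) for d in devices.values() for i, a in d.addrs.items()}
    target = IPv4(dst)
    hops = []
    next_hop = gateway
    while next_hop in by_addr and len(hops) < max_hops:
        dev, ingress = by_addr[next_hop]
        route = dev.lookup(target)
        if route is None:                   # no route: the device drops it
            hops.append((dev.name, ingress, None))
            return hops
        hops.append((dev.name, ingress, route.iface))
        if route.next_hop is None:          # directly connected: delivered
            return hops
        next_hop = route.next_hop
    return hops


def hairpins(hops):
    """Count hops where the packet leaves by the interface it arrived on."""
    return sum(1 for _, ingress, egress in hops if ingress == egress)


if __name__ == "__main__":
    lab = build_lab()
    for gw in ("10.0.2.1", "10.0.2.2"):
        path = trace(lab, gw, "10.0.3.10")
        print(f"gateway {gw}: {path}  hairpins={hairpins(path)}")
    print("second default on PIX accepted:",
          try_add_route(lab["PIX"], "0.0.0.0/0", "inside", "10.0.2.2"))
```

With the PIX as gateway the trace shows the packet arriving and leaving on the PIX inside interface before the router delivers it; with the router as gateway the router delivers it directly. Internet-bound traffic from 10.0.2.0/24 still turns around on the router's Ethernet0/0 toward the PIX, which is the trade-off the router-as-gateway design accepts (the router will normally send an ICMP redirect for it).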
 
On the PIX create an access-list called nonat.
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.0.0.0 255.255.0.0

then add this line
nat (inside) 0 access-list nonat

but this is only a stop gap measure.

What you should do is make the router the default gateway for the LAN. Then make the PIX the default gateway for the router. Not only would this solve this problem, but it will allow for further growth.
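Both fixes offered in this thread, the extended list 101 on the router (earlier reply) and the nat 0 "nonat" list on the PIX (this reply), are the same idea: exempt site-to-site traffic from translation so the web server's reply keeps its real source address. The script below is an added model written for this page, not code from any poster. It parses the ACL lines quoted in the thread (IOS wildcard masks, PIX subnet masks), applies first-match semantics with the implicit deny, and shows what source address a client sees on the server's reply under each configuration. The PIX outside address 203.0.113.1 and the Internet host 198.51.100.7 are documentation placeholders; ports and NAT state tables are not modelled.

```python
"""NAT exemption model for the thread's topology (added example, not from the thread).

Simulates the inside->outside translation step of the two devices discussed:
  * IOS router: 'ip nat inside source list <N> interface Ethernet0/0 overload',
    where standard list 1 translates every 10.0.3.0/24 source, while extended
    list 101 denies site-to-site traffic so only Internet-bound flows are translated.
  * PIX: 'nat (inside) 0 access-list nonat', where a match means "do not translate"
    and everything else is PAT'd to the outside address.
PIX_OUTSIDE and the 198.51.100.7 Internet host are placeholders, not thread values.
"""
import ipaddress
from dataclasses import dataclass

ROUTER_OUTSIDE = "10.0.2.2"    # router Ethernet0/0, the 'interface ... overload' address
PIX_OUTSIDE = "203.0.113.1"    # placeholder for 'global (outside) 1 interface'
ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def from_wildcard(addr, wildcard):
    """IOS wildcard mask -> network. Wildcard bits set to 1 are 'don't care'."""
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits != (1 << bits.bit_length()) - 1:
        raise ValueError("non-contiguous wildcard masks are not modelled")
    return ipaddress.IPv4Network((addr, 32 - bits.bit_length()), strict=False)


def _ios_addr(tok):
    """Consume one IOS address spec ('any', 'host X', or 'X wildcard') from tok."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return ipaddress.IPv4Network(tok[1] + "/32"), tok[2:]
    wildcard = tok[1] if len(tok) > 1 else "0.0.0.0"
    return from_wildcard(tok[0], wildcard), tok[2:]


def parse_ios(line):
    """Parse a standard ('access-list 1 permit <src> <wc>') or extended
    ('access-list 101 deny ip <src> <wc> <dst> <wc>') IOS ACL line."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(line)
    action = tok[2]
    if tok[3] == "ip":                       # extended: source and destination
        src, rest = _ios_addr(tok[4:])
        dst, _ = _ios_addr(rest)
    else:                                    # standard: source only
        src, _ = _ios_addr(tok[3:])
        dst = ANY
    return Ace(action, src, dst)


def parse_pix(line):
    """Parse 'access-list nonat permit ip <src> <mask> <dst> <mask>' (real masks on PIX)."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(line)
    src = ipaddress.IPv4Network(f"{tok[4]}/{tok[5]}", strict=False)
    dst = ipaddress.IPv4Network(f"{tok[6]}/{tok[7]}", strict=False)
    return Ace(tok[2], src, dst)


def acl_action(acl, src, dst):
    """First match wins; every Cisco ACL ends in an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def ios_nat_outbound(acl, src, dst):
    """Packet leaving the router's 'ip nat outside' interface: its source is
    rewritten to the interface address when the NAT list permits the flow."""
    return (ROUTER_OUTSIDE, dst) if acl_action(acl, src, dst) == "permit" else (src, dst)


def pix_nat_outbound(nonat, src, dst):
    """Packet leaving the PIX: a 'nat 0' list match is exempt, anything else is PAT'd."""
    return (src, dst) if acl_action(nonat, src, dst) == "permit" else (PIX_OUTSIDE, dst)


def tcp_client_accepts(server, reply_src):
    """A TCP client only accepts a SYN-ACK from the address it connected to,
    which is why HTTP failed in the thread while ping appeared to work."""
    return server == reply_src


ACL_1 = [parse_ios("access-list 1 permit 10.0.3.0 0.0.0.255")]
ACL_101 = [parse_ios("access-list 101 deny ip 10.0.3.0 0.0.0.255 10.0.2.0 0.0.0.255"),
           parse_ios("access-list 101 permit ip 10.0.3.0 0.0.0.255 any")]
NONAT = [parse_pix("access-list nonat permit ip 10.0.0.0 255.255.0.0 10.0.0.0 255.255.0.0")]

if __name__ == "__main__":
    client, server, internet = "10.0.2.50", "10.0.3.10", "198.51.100.7"
    for name, acl in (("list 1", ACL_1), ("list 101", ACL_101)):
        reply_src = ios_nat_outbound(acl, server, client)[0]
        print(f"router {name}: reply reaches client from {reply_src}, "
              f"TCP accepts: {tcp_client_accepts(server, reply_src)}")
    print("router list 101, Internet-bound:", ios_nat_outbound(ACL_101, server, internet))
    print("pix nonat, site-to-site:", pix_nat_outbound(NONAT, server, client))
    print("pix nonat, Internet-bound:", pix_nat_outbound(NONAT, server, internet))
```

With the original standard list 1 the server's reply reaches the client from 10.0.2.2 rather than 10.0.3.10, so the client's TCP stack discards it; with list 101, or with the PIX nonat list, site-to-site packets pass untranslated while Internet-bound ones are still PAT'd. Removing NAT from the router altogether, as the other replies suggest, makes the exemption unnecessary.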
 