
Static Routing


torena (IS-IT--Management), Jan 12, 2005
I am so glad I found this place. I am a network administrator who has never used Cisco equipment before. The only router configurations I've done were small DSL routers (Netopia and Flowpoint). We've got a PIX 515E. There are two internal interfaces: inside1, which has our workstations and servers, and inside2, which houses a personal server that runs mail, web and IRC. NAT is turned on, so anything coming in on the public IP address gets routed to the private IP address on inside2 for this personal server. The problem is that I need to be able to route from inside1 to inside2. I cannot send mail or otherwise route to inside2 from here. DNS is set up to point to the public IP address, and once it gets to the PIX the route dies. I was looking through a couple of books and what resources I could find in a Google search, which showed the alias and static commands, but I'm really not quite sure how to do this. I know this has to happen to more people than just me!
 
You really need to show us the current configuration (probably best to substitute IP addresses and names etc.). We can then maybe help you some more.

Andy
 
First off, you should post this question in the PIX firewall forum. Your answer is very simple: you have to set up static translations between the two inside interfaces. Remember that one interface has a lower value than the other. You cannot go from a higher security setting to a lower security setting without punching a hole in the firewall (i.e. static statements).

Let's say that your inside interface has a security setting of 0 (default) and your inside2 has a security setting of 10. We also will assume that your outside interface has a security setting of 100 (default). You will need to create a static mapping between inside2 and inside. The easiest way to do this is to set it up to not use NAT or PAT, but rather act as a router (well, kind of, but not really). Let's say that the inside network is 10.1.0.0/24 and the inside2 network is 10.2.0.0/24. Here is the command.

static (inside,inside2) 10.1.0.0 10.1.0.0 netmask 255.255.255.0 0 0

You will then need to create an access-list to allow the traffic you want from inside2 to inside and assign it to the inside2 interface. Here are the commands I would use to allow SMTP (mail) to flow.


access-list inside2-inbound permit tcp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0 eq smtp

access-group inside2-inbound in interface inside2

Now mail will flow from inside2 to inside. By default, mail will flow from inside to inside2 because inside has a lower security setting than inside2.

It is a lot to put into a post. Post back any questions.

It is what it is!!
__________________________________
A+, Net+, I-Net+, Certified Web Master, MCP, MCSA, MCSE, CCNA, CCDA, and few others (I got bored one day)
 
static (inside,inside2) 10.1.0.0 10.1.0.0 netmask 255.255.255.0 0 0

I just wanted to verify that 10.2.0.0 does not need to be in this line?
 
That is correct. The inside interface (10.1.0.0) already has access to the inside2 interface (10.2.0.0). It seems a bit counter intuitive, but this is the way it is. I verified it with one of our production PIXs before I posted.


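For readers who want to see the two commands above in context, here is a fuller PIX 6.x configuration for the two-inside-interface case discussed in this thread. It is an added example, not taken from either poster or from the original poster's PIX. It keeps the networks used above (10.1.0.0/24 on inside, 10.2.0.0/24 on inside2) and assumes the PIX 6.x convention that the interface named inside is security level 100 and outside is 0, an intermediate level of 50 for inside2, and the Ethernet numbering shown; all of these are assumptions. Lines beginning with `!` are explanatory and should be dropped before pasting into a PIX.

```cisco
! Interface names and security levels (assumed numbering). On PIX 6.x the
! names inside and outside are tied to security100 and security0; the
! third interface is given an intermediate level so inside2 is lower
! than inside.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 inside2 security50
ip address inside 10.1.0.1 255.255.255.0
ip address inside2 10.2.0.1 255.255.255.0

! Identity translation: present the inside network on inside2 under its
! own addresses. This is what lets hosts on the lower-security inside2
! initiate connections to inside at all; the 10.2.0.0 network does not
! appear here because the command names the inside (real) network and
! the interface pair, not the peer network. The static is bidirectional,
! so it also supplies the translation used when inside hosts go the
! other way, towards inside2.
static (inside,inside2) 10.1.0.0 10.1.0.0 netmask 255.255.255.0 0 0

! Restrict what inside2 may open towards inside to SMTP from the server
! network. Anything else from inside2 falls through to the implicit deny
! at the end of the list (PIX access-lists use normal subnet masks, not
! wildcard masks).
access-list inside2-inbound permit tcp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0 eq smtp
access-group inside2-inbound in interface inside2

! Verification after applying the above:
!   show static                       - the identity translation is present
!   show access-list inside2-inbound  - hit counts increment on mail traffic
!   show xlate                        - identity entries appear as flows start
```

The access-list is the place to widen later if the server on inside2 needs anything beyond SMTP towards the workstation network; the static itself does not need to change for that.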
 