
How can I do it?

LY, Jan 1, 2001:
I have 2 different groups of servers on different subnets, and I want to put them on 2 different interfaces behind my PIX 515 and let them connect without NAT. Can I do this, and how?
 
Sure, just put a nat 0 access-list command on both interfaces and define the ACL that allows traffic from one IP range to the other, something like this:


net a: 192.168.1.0/24
net b: 192.168.2.0/24

access-list nonat-a permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list nonat-b permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list nonat-a
nat (inside-b) 0 access-list nonat-b

Just remember that you can't communicate between two interfaces if you give them the same security level, and if you give one interface a lower security level you need to create and apply an ACL on that interface to permit traffic started from that network, like this:

access-list from_a_to_b permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

and apply it: access-group from_a_to_b in interface inside

Jan
Network Systems Engineer
CCNA/CQS/CCSP/Infosec
 
Thanks, but with the above commands can outside users have access to the servers?
 
Identity NAT affects outbound traffic, not inbound.

I'd use a static NAT for the whole network:
static (inside-a,inside-b) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

Then hosts on inside-b can see the hosts on inside-a, and traffic from a to b will keep its original source address. You still need the ACL that dopehead mentioned.

For outside hosts to see them this way, they must have public addresses of course. Then do the same thing:
static (inside-a,outside) 192.168.1.0 192.168.1.0 ...

This plan opens up everything, possibly not just the servers. I would suggest using multiple static NATs, or otherwise making sure that only your servers are translated in this way.
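A fuller configuration for the setup discussed in this thread, as an added example and not something either poster wrote. It uses PIX 6.x syntax and puts the three pieces together: NAT exemption between the two server networks, the ACL on the lower-security interface that the first reply calls for, and a per-host static for the outside instead of the whole-network static the second reply warns about. The interface names, hardware IDs, addresses, security levels, the server 192.168.1.10 and the public address 203.0.113.10 are all assumptions.

```cisco
! PIX 6.x syntax. Interface names, addresses, security levels, the server
! 192.168.1.10 and the public address 203.0.113.10 are assumptions.
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside-a security100
nameif ethernet2 inside-b security50
ip address outside 203.0.113.2 255.255.255.248
ip address inside-a 192.168.1.1 255.255.255.0
ip address inside-b 192.168.2.1 255.255.255.0

! 1. NAT exemption between the two server networks. Traffic matching the
!    ACL crosses the PIX with its original addresses in both directions,
!    so neither side needs a nat/global pair for this path.
access-list nonat-a permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat-b permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside-a) 0 access-list nonat-a
nat (inside-b) 0 access-list nonat-b

! 2. inside-b (security50) is the lower-security side. Connections that
!    inside-a starts are allowed by the security-level rule; connections
!    that inside-b starts toward inside-a need an ACL applied inbound on
!    inside-b. Only the one service actually needed is opened.
access-list from_b_to_a permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.10 eq 443
access-group from_b_to_a in interface inside-b

! 3. Exposing one server to the outside with a per-host static rather than
!    a static for the whole 192.168.1.0/24, so nothing else on inside-a
!    becomes reachable, and an outside ACL that only permits that service.
static (inside-a,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
access-list from_outside permit tcp any host 203.0.113.10 eq 443
access-group from_outside in interface outside
```

Two caveats. PIX 6.x requires a translation for every connection that leaves a higher-security interface, so if hosts on inside-a or inside-b also need to reach the outside they still need nat/global entries, which this fragment leaves out. And the same-security-level restriction mentioned in the first reply is specific to PIX 6.x; from PIX/ASA 7.0 onward, interfaces may share a level and traffic between them can be enabled with same-security-traffic permit inter-interface, although the NAT and ACL syntax also changes in those releases.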
 