Two Inside Interfaces talking to each other

Status: Not open for further replies.

BigTomD (Technical User), May 21, 2008
I am trying to get 2 inside interfaces on a PIX 515E to talk to one another (these networks need any-to-any connectivity to each other).
I know on 7.x all you should have to do is create them with the same security level and do a:
same-security-traffic permit inter-interface

However, I am running 6.3 and can't upgrade to 7.x due to memory.
Here is what I have

ETH0 Outside interface (nat pool) security level 0 (X.X.X.X – Outside/Internet)
ETH1 Inside interface security level 100 (192.168.5.0/24) (Inside space 1)
ETH1 Inside2 interface (VLAN3) security level 99 (192.168.6.0/23) (Inside space 2)

I can get the inside (192.168.5.X) to talk to inside2 (192.168.6.X) by doing a
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.254.0
nat (inside) 0 access-list inside_outbound_nat0_acl

But I can't for the life of me get inside2 (192.168.6.X) to talk to inside (192.168.5.X).
 
Do you have an access list applied to the Inside2 interface?

You can use policy nat or use a static. Either way you will need to allow the traffic in on the lower security level interface with an access list.

 
No I don't have any access list on the inside2 interface.
I don't want to do a nat translation. I have tried to do:
access-list inside2_outbound_nat0_acl permit ip 192.168.6.0 255.255.254.0 192.168.5.0 255.255.255.0
nat (inside2) 0 access-list inside2_outbound_nat0_acl

But that did not work.

What I want to do is basically route between the two interfaces...
 
You have to have an access-list on the inside2 interface in order for traffic to flow.

access-list acl_inside2 permit ip any any
access-group acl_inside2 in interface inside2

 
Thanks so much....

I am still stuck...
Here is my initial/scrubbed configuration:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan3 logical
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 inside2 security99
/
/SNIP Password,hostname,domain name,clock, fixup stuff/
/
names
access-list 101 permit ip any any
/
/SNIP pager,Logging,mtu stuff/
/
ip address outside XXX.YYY.ZZZ.2 255.255.255.0
ip address inside 192.168.5.254 255.255.255.0
ip address inside2 192.168.7.254 255.255.254.0
/
/SNIP IP audit,pdm,arp timeout stuff/
/
global (outside) 1 XXX.YYY.ZZZ.20-XXX.YYY.ZZZ.245
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside2) 1 192.168.6.0 255.255.254.0 0 0
/
/SNIP outside to inside statics/
/
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.YYY.ZZZ.1 1
/
/SNIP timeouts,AAA,http,snmp,floodguard,telnet,ssh,console stuff/
/
: end


Using this I can
Go from inside to outside
Go from inside2 to outside
However, I can not go from inside2 to inside or vice versa..

I added the following:
access-list inside2_outbound_nat0_acl permit ip 192.168.6.0 255.255.254.0 192.168.5.0 255.255.255.0
nat (inside2) 0 access-list inside2_outbound_nat0_acl
access-list acl_inside2 permit ip any any
access-group acl_inside2 in interface inside2

No change in connectivity..

Thanks again...
Tom...
 
Your nat 0 ACL appears to be incorrect:

access-list inside2_outbound_nat0_acl permit ip 192.168.6.0 255.255.254.0 192.168.5.0 255.255.255.0

ip address inside 192.168.5.254 255.255.255.0
ip address inside2 192.168.7.254 255.255.254.0

should be:

access-list inside2_outbound_nat0_acl permit ip 192.168.5.0 255.255.254.0 192.168.7.0 255.255.254.0

 
Thanks so much for the help, but I still don't have it working. I am missing something here (besides my brain). From what I see it should work...
Here is the pix config...

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan3 logical
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 inside2 security99
/SNIP/
names
access-list 101 permit ip any any
access-list inside2_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.254.0
access-list acl_inside2 permit ip any any
/SNIP/
ip address outside XXX.YYY.ZZZ.2 255.255.255.0
ip address inside 192.168.5.254 255.255.255.0
ip address inside2 192.168.7.254 255.255.254.0
/SNIP/
global (outside) 1 XXX.YYY.ZZZ.20-XXX.YYY.ZZZ.245
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside2) 0 access-list inside2_outbound_nat0_acl
nat (inside2) 1 192.168.6.0 255.255.254.0 0 0
/SNIP/
access-group 101 in interface outside
access-group acl_inside2 in interface inside2
route outside 0.0.0.0 0.0.0.0 XXX.YYY.ZZZ.1 1
/SNIP/
: end


Again, I really appreciate the assistance.
Tom
 
The default nature of a PIX is that traffic can't go out the port it came in. I don't believe you can make two VLANs talk on the same port.
 
For a VLAN interface that rule wouldn't apply here, I don't think. I still see that the nat 0 ACL appears to be incorrect.


access-list inside2_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.254.0

ip address inside 192.168.5.254 255.255.255.0
ip address inside2 192.168.7.254 255.255.254.0

nat (inside2) 1 192.168.6.0 255.255.254.0 0 0

You have .6.x in your nat and match acl 0 and .7.x on your interface. Do you have routes off of inside2 that you are not showing?


 
Sorry 'bout that. Didn't even notice. Was just figuring class C.

If you dont have logging enabled can you enable it?

logging buffered 6

Also do a "debug icmp trace"

Start a constant ping from an inside2 host to an inside host.


Let the messages run, kill the ping. Copy the data from the screen and also do a "sh log". Post both here.

 
Can do. I will have to wait till Tuesday when I get in to work.

Again, Thanks for the help...
 
Thanks for the pointers. What I ended up doing that worked was:
access-list inside2_vlan3_access_in permit ip 192.168.6.0 255.255.254.0 192.168.5.0 255.255.255.0
access-group inside2_vlan3_access_in in interface inside2_vlan3
static (inside,inside2_vlan3) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
access-list inside2_vlan3_access_in permit ip 192.168.6.0 255.255.254.0 any
 
Did you rename the interface? inside2_vlan3


So it looks like you went static vs. policy NAT. I'm curious why you couldn't get it working. Maybe I'll lab it up and see what went wrong. Glad to see you're good to go now.
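As an added example (not from the thread, and not the poster's or Cisco's code), here is a small Python checker that applies the two PIX 6.3 rules the replies above rely on to the posted configuration: a connection initiated on the lower-security interface needs an access-group on that interface, plus a translation that presents the higher-security subnet on it, either an identity static (as in the final post) or a nat 0 access-list exemption configured on the higher-security interface. It also derives each interface's subnet from its address and mask rather than from the third octet, so 192.168.7.254 255.255.254.0 resolves to 192.168.6.0/23, and it flags nat / nat 0 entries whose source is not on the interface they are bound to. The config text is constructed from the lines posted in the thread; the 192.0.2.2 outside address and all function names are my own assumptions.

```python
import ipaddress

# Constructed sample: the addressing, ACL, NAT and access-group lines from the PIX 6.3(5)
# configuration posted in the thread. The scrubbed outside address is replaced by a
# documentation-range placeholder (assumption).
POSTED_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 inside2 security99
access-list 101 permit ip any any
access-list inside2_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.254.0
access-list acl_inside2 permit ip any any
ip address outside 192.0.2.2 255.255.255.0
ip address inside 192.168.5.254 255.255.255.0
ip address inside2 192.168.7.254 255.255.254.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside2) 0 access-list inside2_outbound_nat0_acl
nat (inside2) 1 192.168.6.0 255.255.254.0 0 0
access-group 101 in interface outside
access-group acl_inside2 in interface inside2
"""

# The identity static from the final post, which is what made inside2 -> inside work.
IDENTITY_STATIC = "static (inside,inside2) 192.168.5.0 192.168.5.0 netmask 255.255.255.0\n"


def net(addr, mask):
    """Subnet containing addr/mask; strict=False discards the host bits."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def take_net(tokens):
    """Consume one PIX address spec (any | host A | A MASK) from the front of tokens."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return net(tokens[0], tokens[1]), tokens[2:]


def parse_config(text):
    """Pull the fields the checks need out of a PIX 6.3 running-config (hypothetical parser)."""
    cfg = {"security": {}, "ifnet": {}, "acl": {}, "nat0": {}, "nat": [], "static": [], "group": {}}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":                        # nameif vlan3 inside2 security99
            cfg["security"][t[2]] = int(t[3][len("security"):])
        elif t[:2] == ["ip", "address"]:            # ip address inside2 192.168.7.254 255.255.254.0
            cfg["ifnet"][t[2]] = net(t[3], t[4])
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, rest = take_net(t[4:])
            dst, _ = take_net(rest)
            cfg["acl"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat":                         # nat (IF) 0 access-list ACL | nat (IF) ID NET MASK ...
            iface = t[1].strip("()")
            if t[2] == "0" and t[3] == "access-list":
                cfg["nat0"][iface] = t[4]
            else:
                cfg["nat"].append((iface, net(t[3], t[4])))
        elif t[0] == "static":                      # static (high,low) MAPPED REAL netmask MASK
            high, low = t[1].strip("()").split(",")
            cfg["static"].append((high, low, net(t[2], t[5]), net(t[3], t[5])))
        elif t[0] == "access-group":                # access-group ACL in interface IF
            cfg["group"][t[4]] = t[1]
    return cfg


def check_addressing(cfg):
    """Flag nat / nat 0 entries whose source subnet is not on the interface they are bound to."""
    findings = []
    for iface, acl in cfg["nat0"].items():
        for src, _ in cfg["acl"].get(acl, []):
            if src.prefixlen and not src.subnet_of(cfg["ifnet"][iface]):
                findings.append(f"nat ({iface}) 0 access-list {acl}: source {src} is not on "
                                f"{iface} ({cfg['ifnet'][iface]}), so the exemption never matches")
    for iface, n in cfg["nat"]:
        if n.prefixlen and not n.subnet_of(cfg["ifnet"][iface]):
            findings.append(f"nat ({iface}): {n} is not on {iface} ({cfg['ifnet'][iface]})")
    return findings


def check_lower_to_higher(cfg, low, high):
    """What PIX 6.3 needs before hosts on `low` can open connections to hosts on `high`:
    an access-group on `low`, and a translation presenting the `high` subnet on `low`
    (an identity static, or a nat 0 access-list exemption configured on `high`)."""
    assert cfg["security"][low] < cfg["security"][high]
    findings = []
    if low not in cfg["group"]:
        findings.append(f"no access-group on {low}: inbound connections on a lower-security interface are dropped")
    high_net, low_net = cfg["ifnet"][high], cfg["ifnet"][low]
    translated = any(
        (h, l) == (high, low) and mapped == real and high_net.subnet_of(real)
        for h, l, mapped, real in cfg["static"]
    ) or any(
        high_net.subnet_of(src) and low_net.subnet_of(dst)
        for src, dst in cfg["acl"].get(cfg["nat0"].get(high), [])
    )
    if not translated:
        findings.append(f"no translation for {high_net} on {low}: add an identity static "
                        f"(static ({high},{low}) ...) or a nat ({high}) 0 access-list exemption")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", POSTED_CONFIG), ("with identity static", POSTED_CONFIG + IDENTITY_STATIC)):
        cfg = parse_config(text)
        print(label, {k: str(v) for k, v in cfg["ifnet"].items()})
        for f in check_addressing(cfg) + check_lower_to_higher(cfg, "inside2", "inside"):
            print("  -", f)
```

Run against the posted configuration, the checker reports that the nat 0 ACL bound to inside2 has a 192.168.5.0/24 source, which is never the source of traffic arriving on inside2 (192.168.6.0/23), and that nothing presents 192.168.5.0/24 on inside2; appending the identity static from the final post clears the second finding, and so would moving the exemption to the inside interface as in the opening post (nat (inside) 0 access-list with an inside-to-inside2 entry), since a nat 0 access-list exemption permits connections initiated from either side.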

 