From what I understand, it looks like everything outside your PIX2 is
routable, right?  Where does the VLAN 2 come into
play?  As for VLAN 1, you usually want to keep that for management.  Also you
might want to try extended traces to port 80 to see what is happening there.
As for the VLANs getting NAT'ed, the outside world doesn't know anything
about this; the only time this is going to cause problems is when possibly
the VLAN2 needs to talk to VLAN 3.  Do you have a rule so you don't PAT for
internal traffic?  I think it would be much easier on yourself if you did
all the PAT/NAT at one point; that way you can set up your ACLs along with
route-maps to take care of what needs to be NAT'ed/PAT'ed.

HTH

1)  You can PAT a NAT'ed address, the FW doesn't care about the source
unless you are killing that particular IP range

2)  If you are running VLANs as you say, you could do all the PAT/NAT stuff
on the 7200
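As an added illustration of the "do all the PAT/NAT at one point" advice above (this is not configuration from the thread or from either poster), here is an IOS 12.x-style fragment for the 7200 that translates VLAN2 and VLAN3 toward the Internet while explicitly excluding inter-VLAN and VLAN-to-VLAN1 traffic from translation. The subnets, interface names, VLAN 1 prefix (documentation range 203.0.113.0/24 standing in for the real routable /24), uplink addresses and server addresses are all assumptions, since the original message masks them.

```cisco
! Added example, not from the thread. Assumed addressing:
!   uplink to pix1 inside : 198.51.100.0/30 (router .2, pix1 .1)  placeholder
!   VLAN1 routable /24    : 203.0.113.0/24                        placeholder
!   VLAN2 private         : 192.168.20.0/24                       assumed
!   VLAN3 private         : 192.168.30.0/24                       assumed
!
! Only inside->outside flows are ever considered for translation, so
! VLAN-to-VLAN traffic between two "ip nat inside" interfaces is never
! PAT'ed. The deny lines below make that intent explicit and keep it true
! if VLAN1 is ever moved to the outside side of the router.
!
interface FastEthernet0/0
 description uplink to pix1 inside interface
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1.1
 description VLAN1 - routable, management
 encapsulation dot1Q 1 native
 ip address 203.0.113.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.2
 description VLAN2 - private
 encapsulation dot1Q 2
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.3
 description VLAN3 - private
 encapsulation dot1Q 3
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
!
! Candidates for dynamic PAT: private VLANs going anywhere EXCEPT the
! other private VLAN or VLAN1.
ip access-list extended NAT-CANDIDATES
 remark never translate private-to-private or private-to-VLAN1
 deny   ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
 deny   ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 203.0.113.0 0.0.0.255
 deny   ip 192.168.30.0 0.0.0.255 203.0.113.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 any
 permit ip 192.168.30.0 0.0.0.255 any
!
! Route-map ties the ACL to the uplink so only Internet-bound traffic
! is translated, as the reply suggests (ACLs plus route-maps).
route-map TO-INTERNET permit 10
 match ip address NAT-CANDIDATES
 match interface FastEthernet0/0
!
! Dynamic PAT of both private VLANs behind the uplink address.
ip nat inside source route-map TO-INTERNET interface FastEthernet0/0 overload
!
! One-to-one statics for the VLAN3 servers that must be reachable;
! the global addresses are carved from the routable VLAN1 block (assumed).
ip nat inside source static 192.168.30.10 203.0.113.210
ip nat inside source static 192.168.30.11 203.0.113.211
ip nat inside source static 192.168.30.12 203.0.113.212
ip nat inside source static 192.168.30.13 203.0.113.213
!
! Default route toward pix1; pix1 must in turn route 203.0.113.0/24
! back to 198.51.100.2 so the statics and VLAN1 are reachable.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

To check that inter-VLAN traffic is really left alone, generate a VLAN2-to-VLAN3 flow and confirm it creates no entry in `show ip nat translations`, while a VLAN3-to-Internet flow shows up with the uplink address as its inside global. With translation done only here, pix1 sees a single, routable source block and its port 80 rules can be debugged on their own, without also wondering which hop rewrote the address.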

-----Original Message-----
From: traister blake [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 28, 2001 3:53 PM
To: [EMAIL PROTECTED]
Subject: Pix NIGHTMARE [7:17587]


OK...the scenario is this:

a pix 535 failover pair - so I'm really only working with one...
an old pix (version 4)

2 Nic Cards in each.

Internet----pix1---cisco7200-----VLAN1(routable/24)-------|
                                  |                       |
                                VLAN2(192.168.yyy.yyy)----|
                                  |                       |
                                VLAN3(192.168.xxx.xxx)---pix2


Ok as if this was fuzzy enough....

The Inside network - VLAN1 needs to originate traffic to the outside.  This
appears to be working.  We cannot, however, get through port 80 which is
supposedly open at the pix.  We can PING the outside interface of pix 1, but
traceroutes die 2 hops before it and as I mentioned, port80 appears to be
closed.

In the meantime, VLAN3 needs to get out to the internet, so I have pix2
configured with a global pool of addresses and a static translation for the
4 servers on that vlan that are getting out.  Is it OK to go NAT from VLAN3
to VLAN1 then go through the firewall?  VLAN1 is technically doing PAT since
it's from routable to routable...

Is this all making sense?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17591&t=17587