Cisco PIX and VLAN

Hello

I have 2 VLANs:

first: inside security 100 (one of hosts: 192.168.1.10)
second: caffe security 50 (one of hosts: 192.168.3.10)

I'm trying to allow people from VLAN caffe to have access to a specific IP (192.168.1.10) on inside.

I did:

static (inside,caffe) 192.168.1.10 192.168.3.2 netmask 255.255.255.255
access-list caffe_to_inside permit ip 192.168.3.0 255.255.255.0 host 192.168.1.10
access-group caffe_to_inside in interface caffe

Everything works well, but after that people from caffe don't have access to the Internet (outside interface security 0). NAT doesn't want to work.

Please help me solve my problem.

Reply to
GLT

That indicates that when a host in caffe addresses 192.168.1.10, the packet should be forwarded to the inside host 192.168.3.2. Try reversing the IP addresses.

The pattern is always

static (INTERFACE1,INTERFACE2) IP2 IP1 netmask NETMASK

You could also do:

static (inside,caffe) 192.168.1.10 192.168.1.10 netmask 255.255.255.255

or

access-list nonat_inside permit ip host 192.168.1.10 192.168.3.0 255.255.255.0
nat (inside) 0 access-list nonat_inside

The differences between these choices have to do with which IP address the inside hosts have to send to, which IP address connections from the inside hosts to the dmz will show up as, and whether proxy-ARP is enabled.

Reply to
Walter Roberson
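
An added example, not part of the original posts: a small Python check that parses PIX `static` lines using the pattern given in the answer and flags the reversed-address case from the question. The interface subnets are assumptions (inside's /24 is guessed from the host address), and `check_static` and its finding names are hypothetical.

```python
import ipaddress
import re

# Assumed interface subnets (constructed for this example): caffe's /24 is taken
# from the access-list in the question; inside's /24 is a guess from 192.168.1.10.
IF_SUBNETS = {
    "inside": ipaddress.ip_network("192.168.1.0/24"),
    "caffe": ipaddress.ip_network("192.168.3.0/24"),
}

# static (REAL_IF,MAPPED_IF) MAPPED_IP REAL_IP [netmask MASK]
STATIC_RE = re.compile(
    r"^static\s+\(\s*(\w+)\s*,\s*(\w+)\s*\)\s+(\S+)\s+(\S+)(?:\s+netmask\s+\S+)?\s*$"
)


def check_static(line, subnets=IF_SUBNETS):
    """Return (fields, findings) for one PIX 'static' line."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static command: {line!r}")
    real_if, mapped_if, mapped_ip, real_ip = m.groups()
    for name in (real_if, mapped_if):
        if name not in subnets:
            raise ValueError(f"unknown interface: {name}")
    mapped = ipaddress.ip_address(mapped_ip)
    real = ipaddress.ip_address(real_ip)
    findings = []
    # The second address is the host's real address, so it has to sit behind
    # the first interface named in the parentheses.
    if real not in subnets[real_if]:
        findings.append("real-ip-not-on-real-interface")
        if real in subnets[mapped_if] and mapped in subnets[real_if]:
            findings.append("addresses-look-reversed")
    if mapped == real:
        findings.append("identity-translation")
    fields = {"real_if": real_if, "mapped_if": mapped_if,
              "mapped_ip": str(mapped), "real_ip": str(real)}
    return fields, findings


if __name__ == "__main__":
    for cfg in (
        "static (inside,caffe) 192.168.1.10 192.168.3.2 netmask 255.255.255.255",
        "static (inside,caffe) 192.168.3.2 192.168.1.10 netmask 255.255.255.255",
        "static (inside,caffe) 192.168.1.10 192.168.1.10 netmask 255.255.255.255",
    ):
        print(cfg, "->", check_static(cfg)[1])
```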

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.