I have a situation where I have 3 networks on an L3 switch and would like to have them all access each other via the switch and use VLANed interfaces off of the PIX with different globals. Here's a quick rundown (written by hand, please excuse any syntax errors :D ):
L3 switch:
vlan 10: net1
vlan 20: net2
vlan 30: net3

!
interface vlan 10
 ip address 192.168.10.1 255.255.255.0
 ip policy route-map netone
!
interface vlan 20
 ip address 192.168.20.1 255.255.255.0
 ip policy route-map nettwo
!
interface vlan 30
 ip address 192.168.30.1 255.255.255.0
 ip policy route-map netthree
!
access-list 110 permit ip any any
access-list 120 permit ip any any
access-list 130 permit ip any any
!
route-map netone
 match ip address 110
 set ip next-hop 192.168.10.254
!
route-map nettwo
 match ip address 120
 set ip next-hop 192.168.20.254
!
route-map netthree
 match ip address 130
 set ip next-hop 192.168.30.254
!
PIX:

!
interface ethernet1 vlan10 physical
interface ethernet1 vlan20 logical
interface ethernet1 vlan30 logical
!
ip address vlan10 192.168.10.254 255.255.255.0
ip address vlan20 192.168.20.254 255.255.255.0
ip address vlan30 192.168.30.254 255.255.255.0
!
nat (vlan10) 1 0 0
nat (vlan20) 2 0 0
nat (vlan30) 3 0 0
!
global (outside) 1 220.127.116.11
global (outside) 2 18.104.22.168
global (outside) 3 22.214.171.124
!
So, net1 should be able to see net2 and net3 via the switch. I can tweak the ACLs for this to work, but for now I don't see how to assign different globals for each subnet while traversing the PIX. I've been able to configure these, but the logs show me that all NATs are being xlated to the global 1 address. Has anyone done this before?
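The following is an added example, not part of the original post and not PIX code: a small Python model of how a PIX pairs `nat` and `global` statements by NAT id, fed with constructed copies of the nat/global lines from the post above. It answers "for a packet entering on interface X from source S and leaving on interface Y, which global address is used?" The model assumes (as an assumption of the example, not a diagnosis of the poster's setup) that the PIX selects the first `nat` statement on the ingress interface whose local range covers the source, then the `global` on the egress interface carrying the same id, and that id 0 means no translation. The interface names `vlan10`/`vlan20`/`vlan30` and `outside` are taken from the post; in a real PIX 6.x config these would be the `nameif` names.

```python
"""Model of PIX nat/global pairing by NAT id (added example, not PIX code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the nat/global lines from the post, copied verbatim.
SAMPLE_CONFIG = """
nat (vlan10) 1 0 0
nat (vlan20) 2 0 0
nat (vlan30) 3 0 0
global (outside) 1 220.127.116.11
global (outside) 2 18.104.22.168
global (outside) 3 22.214.171.124
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")


@dataclass
class NatRule:
    iface: str                       # ingress interface the rule is bound to
    nat_id: int                      # id that links this rule to a global pool
    net: ipaddress.IPv4Network       # local addresses the rule covers


@dataclass
class GlobalPool:
    iface: str                       # egress interface the pool applies to
    nat_id: int
    addr: str                        # single translated address (PAT style)


def parse_config(text: str) -> Tuple[List[NatRule], List[GlobalPool]]:
    """Parse nat/global lines; ignores everything else (comments, '!', etc.)."""
    nats, pools = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            iface, nat_id, ip, mask = m.groups()
            # PIX shorthand: "0 0" means 0.0.0.0 0.0.0.0, i.e. any local address.
            ip = "0.0.0.0" if ip == "0" else ip
            mask = "0.0.0.0" if mask == "0" else mask
            net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
            nats.append(NatRule(iface, int(nat_id), net))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            iface, nat_id, addr = m.groups()
            pools.append(GlobalPool(iface, int(nat_id), addr))
    return nats, pools


def resolve_xlate(nats: List[NatRule], pools: List[GlobalPool],
                  in_iface: str, src_ip: str, out_iface: str) -> Optional[str]:
    """Return the global address a packet would be translated to, or None for nat 0.

    Assumption of this model: the nat id is chosen by the *ingress interface's*
    nat statement, not by which subnet the source address belongs to.
    """
    src = ipaddress.IPv4Address(src_ip)
    for rule in nats:
        if rule.iface == in_iface and src in rule.net:
            if rule.nat_id == 0:
                return None                      # nat 0: identity, no translation
            for pool in pools:
                if pool.iface == out_iface and pool.nat_id == rule.nat_id:
                    return pool.addr
            raise LookupError(f"nat id {rule.nat_id} on {in_iface} has no global on {out_iface}")
    raise LookupError(f"no nat statement on {in_iface} matches {src_ip}")


def xlate_table(config: str, flows: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Resolve a list of (ingress_iface, src_ip) flows towards 'outside'."""
    nats, pools = parse_config(config)
    return [(iface, src, resolve_xlate(nats, pools, iface, src, "outside"))
            for iface, src in flows]


if __name__ == "__main__":
    # Constructed flows: one host per VLAN entering on its own interface, plus
    # a net2 host whose traffic happens to arrive on the vlan10 interface.
    for iface, src, glob in xlate_table(SAMPLE_CONFIG, [
        ("vlan10", "192.168.10.5"),
        ("vlan20", "192.168.20.5"),
        ("vlan30", "192.168.30.5"),
        ("vlan10", "192.168.20.5"),
    ]):
        print(f"{iface:7} {src:15} -> {glob}")
```

The last flow in the usage block is the instructive one for this thread: because `nat (vlan10) 1 0 0` covers any source, a net2 packet that reaches the PIX on the vlan10 interface is translated with global 1, exactly as if it were net1 traffic. In this model the global is decided by the interface the packet arrives on, so checking which PIX interface each VLAN's traffic actually enters (rather than the source subnet) is the first thing to verify against the xlate logs.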