Route-Maps and PIX

Discussion in 'Cisco' started by Wil Schultz, Nov 12, 2006.

  1. Wil Schultz

    Wil Schultz Guest

    I have a situation where I have 3 networks on an L3 switch and would like
    to have them all access each other via the switch and use VLAN'd
    interfaces off of the PIX with different globals. Here's a quick rundown
    (written by hand, please excuse any syntax errors :D ):

    l3 switch:
    vlan 10: net1
    vlan 20: net2
    vlan 30: net3

    !
    interface vlan 10
    ip address 192.168.10.1 255.255.255.0
    ip policy route-map netone
    !
    !
    interface vlan 20
    ip address 192.168.20.1 255.255.255.0
    ip policy route-map nettwo
    !
    !
    interface vlan 30
    ip address 192.168.30.1 255.255.255.0
    ip policy route-map netthree
    !
    access-list 110 permit ip any any
    access-list 120 permit ip any any
    access-list 130 permit ip any any
    !
    route-map netone
    match ip address 110
    set ip next-hop 192.168.10.254
    !
    route-map nettwo
    match ip address 120
    set ip next-hop 192.168.20.254
    !
    route-map netthree
    match ip address 130
    set ip next-hop 192.168.30.254
    !

    pixfw:

    !
    interface ethernet1 vlan10 physical
    interface ethernet1 vlan20 logical
    interface ethernet1 vlan30 logical
    !
    ip address vlan10 192.168.10.254
    ip address vlan20 192.168.20.254
    ip address vlan30 192.168.30.254
    !
    nat (vlan10) 1 0 0
    nat (vlan20) 2 0 0
    nat (vlan30) 3 0 0
    !
    global (outside) 1 1.1.1.1
    global (outside) 2 1.1.1.2
    global (outside) 3 1.1.1.3
    !


    So, net1 should be able to see net2 and net3 via the switch. I can tweak
    the ACLs for this to work, but for now I don't see how to assign
    different globals for each subnet while traversing the PIX. I've been
    able to configure these, but the logs show me that all nats are being
    xlated to the global1 address. Has anyone done this before?
     
    Wil Schultz, Nov 12, 2006
    #1

  2. Wil Schultz <> wrote:
    > I have a situation where I have 3 networks on a L3 switch and would like
    > to have them all access each other via the switch and use VLAN'd
    > interfaces off of the PIX with different globals. Here's a quick rundown
    > (written by hand, please excuse any syntax errors :D ):


    Why not create a single transfer net from the switch to the PIX and
    point the default route to it?

    I don't see any advantage of putting the PIX in each VLAN, because you do
    plain routing between all VLANs on the switch without filtering
    traffic.

    On the pix, you nat to different global addresses based on the source
    address:

    nat (inside) 1 192.168.10.0 255.255.255.0
    nat (inside) 2 192.168.20.0 255.255.255.0
    nat (inside) 3 192.168.30.0 255.255.255.0

    global (outside) 1 1.1.1.1
    global (outside) 2 1.1.1.2
    global (outside) 3 1.1.1.3
     
    Christian Zeng, Nov 12, 2006
    #2
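    A small simulation of the source-based NAT selection the reply above describes, added here as an example and not part of the original thread or any Cisco code. It models the "nat (inside) id net mask" / "global (outside) id ip" pairing so you can check which global address each inside subnet would be translated to before touching the firewall; longest-prefix selection among matching nat statements and the "no nat statement, no translation" outcome are assumptions of this model.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed model of the config from the reply: three per-subnet nat
# statements on "inside", each paired with its own global on "outside".
NatRule = Tuple[str, int, ipaddress.IPv4Network]  # (interface, nat id, network)

NAT_RULES: List[NatRule] = [
    ("inside", 1, ipaddress.ip_network("192.168.10.0/24")),
    ("inside", 2, ipaddress.ip_network("192.168.20.0/24")),
    ("inside", 3, ipaddress.ip_network("192.168.30.0/24")),
]

GLOBALS = {
    # (egress interface, nat id) -> global address
    ("outside", 1): "1.1.1.1",
    ("outside", 2): "1.1.1.2",
    ("outside", 3): "1.1.1.3",
}


def select_nat_id(ingress: str, src: str, rules: List[NatRule] = NAT_RULES) -> Optional[int]:
    """Pick the nat id whose network contains src on the ingress interface.

    When several statements match, the most specific mask wins (assumption
    of this model). Returns None when no statement matches.
    """
    addr = ipaddress.ip_address(src)
    best: Optional[Tuple[int, ipaddress.IPv4Network]] = None
    for iface, nat_id, net in rules:
        if iface == ingress and addr in net:
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (nat_id, net)
    return best[0] if best else None


def xlate(ingress: str, src: str, egress: str = "outside",
          rules: List[NatRule] = NAT_RULES, globals_=GLOBALS) -> Optional[str]:
    """Return the global address src would be translated to when leaving
    via egress, or None if no nat/global pair covers it (no xlate built)."""
    nat_id = select_nat_id(ingress, src, rules)
    if nat_id is None:
        return None
    return globals_.get((egress, nat_id))


if __name__ == "__main__":
    # Constructed sample hosts, one per VLAN plus one outside all three nets.
    for host in ("192.168.10.5", "192.168.20.77", "192.168.30.1", "10.0.0.1"):
        print(f"{host:>15} -> {xlate('inside', host)}")
```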

  3. Brian V

    Brian V Guest

    "Wil Schultz" <> wrote in message
    news:4556d196$0$88653$...
    >I have a situation where I have 3 networks on a L3 switch and would like to
    >have them all access each other via the switch and use VLAN'd interfaces
    >off of the PIX with different globals. Here's a quick rundown (written by
    >hand, please excuse any syntax errors :D ):
    >
    > l3 switch:
    > vlan 10: net1
    > vlan 20: net2
    > vlan 30: net3
    >
    > !
    > interface vlan 10
    > ip address 192.168.10.1 255.255.255.0
    > ip policy route-map netone
    > !
    > !
    > interface vlan 20
    > ip address 192.168.20.1 255.255.255.0
    > ip policy route-map nettwo
    > !
    > !
    > interface vlan 30
    > ip address 192.168.30.1 255.255.255.0
    > ip policy route-map netthree
    > !
    > access-list 110 permit ip any any
    > access-list 120 permit ip any any
    > access-list 130 permit ip any any
    > !
    > route-map netone
    > match ip address 110
    > set ip next-hop 192.168.10.254
    > !
    > route-map nettwo
    > match ip address 120
    > set ip next-hop 192.168.20.254
    > !
    > route-map netthree
    > match ip address 130
    > set ip next-hop 192.168.30.254
    > !
    >
    > pixfw:
    >
    > !
    > interface ethernet1 vlan10 physical
    > interface ethernet1 vlan20 logical
    > interface ethernet1 vlan30 logical
    > !
    > ip address vlan10 192.168.10.254
    > ip address vlan20 192.168.20.254
    > ip address vlan30 192.168.30.254
    > !
    > nat (vlan10) 1 0 0
    > nat (vlan20) 2 0 0
    > nat (vlan30) 3 0 0
    > !
    > global (outside) 1 1.1.1.1
    > global (outside) 2 1.1.1.2
    > global (outside) 3 1.1.1.3
    > !
    >
    >
    > So, net1 should be able to see net2 and net3 via the switch. I can tweak
    > the ACLs for this to work, but for now I don't see how to assign different
    > globals for each subnet while traversing the PIX. I've been able to
    > configure these, but the logs show me that all nats are being xlated to the
    > global1 address. Has anyone done this before?



    I haven't done much with VLANs on a PIX or ASA, so this might not even be
    possible, but why can't you specify what subnets belong to each nat statement?
    i.e.
    nat (vlan10) 1 192.168.10.0 255.255.255.0
    nat (vlan20) 2 192.168.20.0 255.255.255.0
    nat (vlan30) 3 192.168.30.0 255.255.255.0

    If they need to be done on the "inside" interface
    nat (inside) 1 192.168.10.0 255.255.255.0
    nat (inside) 2 192.168.20.0 255.255.255.0
    nat (inside) 3 192.168.30.0 255.255.255.0
     
    Brian V, Nov 12, 2006
    #3