How to create access between VLANs on Cisco PIX Firewall 6.3(3)?

Discussion in 'Cisco' started by "Joachim S. Müller", Nov 25, 2003.

  1. Hello,

    I have a Cisco 515 running PIX Version 6.3(3).
    There are configured different VLANs:

    interface ethernet1 vlan2 physical
    interface ethernet1 vlan3 logical
    ...
    nameif ethernet1 inside security100
    nameif vlan3 myvlan security80

    Each VLAN has a subnet of a Class C private network, and the PIX has a
    distinct IP on each of the virtual interfaces for the VLANs:

    ip address inside 192.168.99.1 255.255.255.224
    ip address myvlan 192.168.99.33 255.255.255.240

    The routing was set up automatically:

    firewall# show route
    inside 192.168.99.0 255.255.255.224 192.168.99.1 1 CONNECT static
    myvlan 192.168.99.32 255.255.255.240 192.168.99.33 1 CONNECT static

    Now all devices in both networks have a connection over their VLAN to the
    firewall and through that to the internet.
    But a device in the VLAN inside cannot access a device in the VLAN
    myvlan, which should be possible, because myvlan has a lower security level.
    I even created an access-list which explicitly allows such access:

    access-list inside_acl permit ip 192.160.99.0 255.255.255.224 \
    192.160.99.32 255.255.255.240
    ...
    access-group inside_acl in interface inside

    This ACL gets a hit when I try a connection from inside to myvlan, but
    a debug shows the packet comes in on the interface inside and never
    leaves interface myvlan.
    The connection is ssh; sshd is definitely running on the target, but I
    immediately get a connection refused, not from the target but from
    the firewall, as a debug showed.

    Has anyone experience with that and can help me?

    Greetings
     
    "Joachim S. Müller", Nov 25, 2003
    #1

  2. "Joachim S. Müller"
    : ip address inside 192.168.99.1 255.255.255.224
    : ip address myvlan 192.168.99.33 255.255.255.240

    : I even created an access-list which explicitly allows such access:

    : access-list inside_acl permit ip 192.160.99.0 255.255.255.224 \
    : 192.160.99.32 255.255.255.240

    Did you type that in for the posting, or copy it? Because there's
    a consistent typo in it: 192.160.99 instead of 192.168.99
     
    Walter Roberson, Nov 25, 2003
    #2

  3. Typed. It's a typo; 160 should be 168, of course.
    That is not the error :)

    Greetings
     
    "Joachim S. Müller", Nov 26, 2003
    #3
  4. Well, I solved the problem.

    It was the NAT. Everything coming in I send through NAT, which doesn't
    work for traffic from one VLAN on inside to another.
    I created an ACL for the traffic from VLAN 2 to VLAN 3:

    access-list inside_myvlan_acl permit ip 192.168.99.0 255.255.255.224 \
    192.168.99.32 255.255.255.240

    And took that out of the NAT:

    nat (inside) 0 access-list inside_myvlan_acl

    and then access from the VLAN inside to the VLAN myvlan worked.

    Greetings
     
    "Joachim S. Müller", Nov 27, 2003
    #4
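Added as an illustration, not part of the thread or of Cisco's code: a small Python model of the PIX 6.x decision the last post describes, inbound ACL first, then a translation lookup, so that a higher-to-lower-security flow with no nat/global pair on the egress interface is dropped with "no translation group" until a nat 0 access-list exempts it. The outside interface, the default route, and the `nat (inside) 1 0 0` / `global (outside) 1 interface` pair are assumptions standing in for "everything coming in I send through NAT".

```python
import ipaddress

# Constructed topology from the thread: inside (sec 100), myvlan (sec 80); outside (sec 0) is assumed.
INTERFACES = {"inside": 100, "myvlan": 80, "outside": 0}
INSIDE_NET = ipaddress.ip_network("192.168.99.0/27")   # 255.255.255.224
MYVLAN_NET = ipaddress.ip_network("192.168.99.32/28")  # 255.255.255.240
ANY = ipaddress.ip_network("0.0.0.0/0")
ROUTES = [(INSIDE_NET, "inside"), (MYVLAN_NET, "myvlan"), (ANY, "outside")]

# Assumed "everything through NAT" setup: nat (inside) 1 0 0, a global on outside only.
BEFORE = {
    "access_group": {"inside": [(INSIDE_NET, ANY)]},  # access-group inside_acl in interface inside
    "nat": {"inside": [(1, ANY)]},                    # nat (inside) 1 0 0
    "global": {"outside": {1}},                       # global (outside) 1 interface
    "nat0_acl": {},                                   # no exemption yet
}
# The fix from the thread: nat (inside) 0 access-list inside_myvlan_acl
AFTER = dict(BEFORE, nat0_acl={"inside": [(INSIDE_NET, MYVLAN_NET)]})


def acl_matches(acl, src, dst):
    """True if any (src_net, dst_net) entry of the ACL covers the flow."""
    return any(src in s and dst in d for s, d in acl)


def egress_interface(dst):
    """Longest-prefix route lookup, like 'show route' on the PIX."""
    return max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)[1]


def forward(cfg, ingress, src_ip, dst_ip):
    """Return 'identity', 'translated' or a drop reason for one flow."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if not acl_matches(cfg["access_group"].get(ingress, []), src, dst):
        return "drop: acl"                     # the access-group denies it
    egress = egress_interface(dst)
    if INTERFACES[ingress] <= INTERFACES[egress]:
        return "drop: lower-to-higher needs static"  # not the case in the thread
    # nat 0 access-list exempts the flow from translation entirely
    if acl_matches(cfg["nat0_acl"].get(ingress, []), src, dst):
        return "identity"
    # otherwise a nat (ingress) id needs a matching global (egress) id
    for nat_id, nat_net in cfg["nat"].get(ingress, []):
        if src in nat_net and nat_id in cfg["global"].get(egress, set()):
            return "translated"
    return "drop: no translation group"        # what the poster's debug showed


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, "inside->myvlan:", forward(cfg, "inside", "192.168.99.5", "192.168.99.40"))
        print(name, "inside->internet:", forward(cfg, "inside", "192.168.99.5", "203.0.113.10"))
```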
