How to create access between VLANs on Cisco PIX Firewall 6.3(3)?

Hello,

I have a Cisco 515 running PIX Version 6.3(3).
There are configured different VLANs:

interface ethernet1 vlan2 pysical
interface ethernet 1 vlan3 logical
...
nameif ethernet1 inside security100
nameif vlan3 myvlan security80

each VLAN has a subnet of a Class-C private Network, and the PIX has on
each virtual Interfaces for the VLANs a distinct IP:

ip address inside 192.168.99.1 255.255.255.224
ip address myvlan 192.168.99.33 255.255.255.240

The routing is configured by itself:

firewall# show route
inside 192.168.99.0 255.255.255.224 192.168.99.1 1 CONNECT static
myvlan 192.168.99.32 255.255.255.240 192.168.99.33 1 CONNECT static

Now all devices in both networks have connection over their VLAN to the
firewall and over that to the internet.
But a device in the VLAN inside cannot access a device in the VLAN
myvlan, wich should be possible, because myvlan has a lower security level.
I even created a access-list, wich explicitly allows such an access:

access-list inside_acl permit ip 192.160.99.0 255.255.255.224 \
192.160.99.32 255.255.255.240
...
access-group inside_acl in interface inside

This acl gets an hit, when I try a connection from inside to myvlan, but
a debug shows, the packet comes inside the interface inside but never
leaves interface myvlan.
The connection is ssh, sshd is definitely running on the target but I
immediately get a connection refused, but not from the target but from
the firewall, wich a debug showed.

Has anyone experience with that and can help me?

Greetings

 

=?ISO-8859-1?Q?=22Joachim_S=2E_M=FCller=22?=
: ip address inside 192.168.99.1 255.255.255.224
: ip address myvlan 192.168.99.33 255.255.255.240

:I even created a access-list, wich explicitly allows such an access:

: access-list inside_acl permit ip 192.160.99.0 255.255.255.224 \
: 192.160.99.32 255.255.255.240

Did you type that in for the posting, or copy it? Because there's
a consistant typo in it: 192.160.99 instead of 192.168.99

 

Type. It's a typo, 160 should be 168, of course.
That is not the error

Greetings

 

Well, i solved the Problem.

It was the NAT. Everything coming in I send through NAT, what doesn't
work for traffic from one VLAN on inside to another.
I created an ACL for the Traffic from VLAN 2 to VLAN 3:

access-list inside_myvlan_acl permit 192.168.99.0 255.255.255.224 \
192.168.99.32 255.255.255.240

And took that out of the NAT:

nat (inside) 0 access-list inside_myvlan_acl

and then access from the VLAN inside to the VLAN myvlan worked.

Greetings