By default all traffic from a higher level security zone is passed to a lower level zone. So all traffic from your inside interface should already go to all other interfaces without your intervention. For the other interfaces, you will want to apply access-lists on your interfaces that allow all traffic. To start you can try these:

access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any

You will then need to apply the access-list to your interfaces:

access-group 101 in interface intf2
access-group 101 in interface intf3
access-group 101 in interface intf4
Try that and see how it works for you. Just remember that the PIX is not technically a router and generally isn't used for one. I understand what you are trying to do, it just might not be as functional as you would like.
You will also need to change your security levels on the interfaces to be different from one another. In the 6.x version of code on the PIX, interfaces with the same security level cannot talk to each other no matter how you have the ACLs configured. Just make the security levels something like 100, 80, 60, 40, 20, and 0 for the outside and then apply your ACLs.
For all the networks that terminate on the PIX, the routing would work with nat0 and different security levels. But not a suggested way of doing stuff, say if there is another network which is not directly connected and you expect the PIX to do the routing, ain't gonna work!
! NAT exemption ACLs
access-list nonat_inside permit ip any any
access-list nonat_intf2 permit ip any any
access-list nonat_intf3 permit ip any any
access-list nonat_intf4 permit ip any any
access-list nonat_intf5 permit ip any any

! Traffic flow ACLs
access-list outside_access_in permit ip any any
access-list outside_access_in permit icmp any any
access-list intf2_access_in permit ip any any
access-list intf2_access_in permit icmp any any
access-list intf3_access_in permit ip any any
access-list intf3_access_in permit icmp any any
access-list intf4_access_in permit ip any any
access-list intf4_access_in permit icmp any any
access-list intf5_access_in permit ip any any
access-list intf5_access_in permit icmp any any

! Apply the traffic flow ACLs to the interfaces
access-group outside_access_in in interface outside
access-group intf2_access_in in interface intf2
access-group intf3_access_in in interface intf3
access-group intf4_access_in in interface intf4
access-group intf5_access_in in interface intf5
I used ACLs for the NAT exemption just to give some granularity of control over future NAT changes, in case the administrator wants to change how the NAT exemption works without affecting too much traffic.
I would make one final statement that this is a very non-standard way of configuring the PIX. I've never used the PIX as simply a L3 device like this, but I believe this scenario would work as outlined above. I didn't lab this up at all, but this is how I would start out going about implementing this scenario.
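The post above lists the NAT-exemption access-lists but not the commands that bind them to an interface; on PIX 6.x an access-list named nonat_* does nothing until it is referenced by a nat 0 statement for that interface. The fragment below is an added example written for this thread, not configuration from either poster; it uses the interface names and ACL names from the thread and assumes one nat 0 binding per routed interface (the inside interface is included because it has no access-group applied and otherwise has no exemption from translation):

```cisco
! Added example (not from the thread): bind each NAT-exemption ACL to its interface.
! Security levels must differ, as noted above; 0 is the outside.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security80
nameif ethernet3 intf3 security60

! NAT-exemption ACLs (match everything; narrow these when the address plan is known)
access-list nonat_inside permit ip any any
access-list nonat_intf2 permit ip any any
access-list nonat_intf3 permit ip any any

! NAT exemption: traffic matching the ACL keeps its real addresses in both directions.
! Without these lines the ACLs above are defined but never used.
nat (inside) 0 access-list nonat_inside
nat (intf2) 0 access-list nonat_intf2
nat (intf3) 0 access-list nonat_intf3

! Per-interface traffic ACLs (lower-to-higher security needs an explicit permit)
access-list outside_access_in permit ip any any
access-list intf2_access_in permit ip any any
access-list intf3_access_in permit ip any any
access-group outside_access_in in interface outside
access-group intf2_access_in in interface intf2
access-group intf3_access_in in interface intf3
```

To confirm the exemption is in effect after a test ping, show xlate should show no translation being built for the flow and show conn should show the connection with the real addresses on both sides; debug icmp trace prints each echo request and reply as the PIX forwards or drops it. Each interface that is expected to forward traffic also needs an IP address assigned, since the PIX does not forward on an interface configured with no ip address.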
Thanks for your time and advice, it was very helpful ... I added your code to my config but with this addon I can't ping from a computer connected on Outside to a computer connected on Intf2... I activated the debug command for ping and pings don't cross the PIX from one interface to another...

I will try some commands... I'm waiting for your suggestion...
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security80
nameif ethernet3 intf3 security60
nameif ethernet4 intf4 security40
nameif ethernet5 intf5 security20
enable password g3vEEd4RfX2v6ff2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname 9494-St-Laurent
domain-name xxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat_inside permit ip any any
access-list nonat_intf2 permit ip any any
access-list nonat_intf3 permit ip any any
access-list nonat_intf4 permit ip any any
access-list nonat_intf5 permit ip any any
access-list outside_access_in permit ip any any
access-list outside_access_in permit icmp any any
access-list intf2_access_in permit ip any any
access-list intf2_access_in permit icmp any any
access-list intf3_access_in permit ip any any
access-list intf3_access_in permit icmp any any
access-list intf4_access_in permit ip any any
access-list intf4_access_in permit icmp any any
access-list intf5_access_in permit ip any any
access-list intf5_access_in permit icmp any any
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
no ip address outside
ip address inside 192.168.210.2 255.255.255.0
ip address intf2 x.x.x.1 255.255.255.248
ip address intf3 x.x.x.9 255.255.255.248
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
arp timeout 14400
access-group outside_access_in in interface outside
access-group intf2_access_in in interface intf2
access-group intf3_access_in in interface intf3
access-group intf4_access_in in interface intf4
access-group intf5_access_in in interface intf5
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:7969533f2b44f82110f60292be9a74f0
: end
Try adding this line and then ping from the outside to a host on intf2:
access-list intf2_access_in permit icmp any any echo-reply
You will probably want to add that line to the other ACLs as well to let the ping replies come back... I thought that the "permit icmp any any" would take care of that, but I seem to remember trying that once before and I had to explicitly allow ICMP type "echo-reply".