cogit asked:
setup ACL from lower to higher on PIX
I want to set up an ACL from lower to higher security on a PIX for the entire network. The following syntax that I used does not work.
access-list from-vlan34-coming-vlan64 permit tcp 10.30.34.0 255.255.255.0 10.30.64.0 255.255.255.0 eq https
access-list from-vlan34-coming-vlan64 permit tcp 10.30.34.0 255.255.255.0 10.30.64.0 255.255.255.0 eq ssh
access-list from-vlan34-coming-vlan64 permit icmp 10.30.34.0 255.255.255.0 10.30.64.0 255.255.255.0
access-group from-vlan34-coming-vlan64 in interface vlan34
ASKER
no ... Is that all required?
Yes. If you are going from lower to higher, you have to have an xlate. The syntax I posted really just bypasses NAT between those two interfaces, but it has to be there. Notice that it is the higher security IP subnet that is there.
ASKER
My mistake is that 10.30.34.0 is the lower interface and 10.30.64.0 is the higher.
vlan34 security30
vlan64 security70
So I should do the following:
static (vlan64,vlan34) 10.30.64.0 10.30.64.0 netmask 255.255.255.0
access-list from-vlan34-coming-vlan64 permit tcp 10.30.64.0 255.255.255.0 10.30.34.0 255.255.255.0 eq https
access-list from-vlan34-coming-vlan64 permit tcp 10.30.64.0 255.255.255.0 10.30.34.0 255.255.255.0 eq ssh
access-list from-vlan34-coming-vlan64 permit icmp 10.30.64.0 255.255.255.0 10.30.34.0 255.255.255.0
access-group from-vlan34-coming-vlan64 in interface vlan34
ASKER CERTIFIED SOLUTION
ASKER
I think I'm following you. 10.30.34.0/24, security level 30, requires ssh, http, and icmp to machines on the 10.30.64.0 network, which is a higher security level. Can you run that sample back again? Because when I apply it, the 10.30.34.0 network cannot even ping out to the internet and fails to ping the 10.30.64.0 network.
ASKER
I got it working, but I think I need to add an ACL that allows access to the internet.
ASKER
access-list from_vlan34_coming_vlan64 permit ip any any
I think this worked
static (vlan34,vlan64) 10.30.34.0 10.30.34.0 netmask 255.255.255.0
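The rule stated in the thread (a lower-to-higher flow on PIX 6.x needs an identity static for the higher-security subnet, plus an ACL applied inbound on the lower interface whose source addresses are the lower interface's own subnet) turned into a small config check. This is an added example, not from the thread or from Cisco; it assumes the interface names, security levels and subnets posted above, and `lint()` is a hypothetical helper name.

```python
import ipaddress

# Interfaces as stated in the thread: name -> (security level, connected subnet)
INTERFACES = {
    "vlan34": (30, ipaddress.ip_network("10.30.34.0/24")),
    "vlan64": (70, ipaddress.ip_network("10.30.64.0/24")),
}

def _endpoint(tokens):
    """Consume 'any' or 'ADDR MASK' from an ACL line -> (network or None, remaining tokens)."""
    if tokens[0] == "any":
        return None, tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def lint(config):
    """Return sorted findings for a PIX lower-to-higher setup; [] means consistent."""
    acls, groups, statics, findings = {}, {}, set(), []
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] == "access-list" and t[2] == "permit":
            src, rest = _endpoint(t[4:])
            dst, _ = _endpoint(rest)
            acls.setdefault(t[1], []).append((t[3], src, dst))
        elif t[0] == "access-group":        # access-group NAME in interface IFC
            groups[t[1]] = t[4]
        elif t[0] == "static":              # static (real_if,mapped_if) MAPPED REAL netmask MASK
            real_if, mapped_if = t[1].strip("()").split(",")
            statics.add((real_if, mapped_if, _endpoint([t[2], t[5]])[0]))  # identity: mapped == real
    for name, ifc in groups.items():
        level, subnet = INTERFACES[ifc]
        if name not in acls:
            findings.append(f"{name}: access-group references an ACL with no entries")
        for proto, src, dst in acls.get(name, []):
            if src is None:
                findings.append(f"{name}: 'permit {proto} any' is broader than the stated need")
            elif not src.subnet_of(subnet):
                findings.append(f"{name}: source {src} is not on {ifc} ({subnet}); source/destination reversed?")
            for other, (olevel, onet) in INTERFACES.items():
                if dst is not None and olevel > level and dst.subnet_of(onet) \
                        and (other, ifc, dst) not in statics:
                    findings.append(f"{name}: flow to {dst} needs 'static ({other},{ifc}) "
                                    f"{dst.network_address} {dst.network_address} netmask {dst.netmask}'")
    return sorted(set(findings))

# Constructed sample: the thread's first attempt, ACL applied inbound on vlan34 with no static
FIRST_ATTEMPT = """access-list from-vlan34-coming-vlan64 permit tcp 10.30.34.0 255.255.255.0 10.30.64.0 255.255.255.0 eq https
access-group from-vlan34-coming-vlan64 in interface vlan34"""

if __name__ == "__main__":
    for finding in lint(FIRST_ATTEMPT):
        print(finding)
```

Run against the later variants posted in the thread, the same check reports a reversed source/destination when the ACL's source is the higher subnet, and flags `permit ip any any` as broader than the stated https/ssh/icmp need.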