NWJP asked:
Pix 506E How to configure NAT and ACL

Hi Experts,

I have a PIX 506E configured with VLANs. From all the VLANs I can access the internet, but I need to configure a bit more. Everything I tried is not working... I am lost and need help.

Here is what I want to do:
1- Within Vlan3 access all IPs (any protocols and ports)
2- From Vlan2 access all IPs in Vlan3 (any protocols and ports)

Here is my configuration:
NW-PIX(config)# sh config
: Saved
: Written by enable_15 at 07:18:12.646 UTC Fri Jan 1 1993
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan2 physical
interface ethernet1 vlan3 logical
interface ethernet1 vlan4 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 XXXXX security50
nameif vlan4 OSCAR security75
enable password fdG9PSr3IeUwRf5y encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname NW-PIX
domain-name XXXXX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
logging device-id hostname
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.252 255.255.255.0
ip address inside 130.10.0.1 255.255.0.0
ip address XXXXX 130.11.0.1 255.255.0.0
ip address OSCAR 130.12.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (XXXXX) 1 0.0.0.0 0.0.0.0 0 0
nat (OSCAR) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:c9cffd77950b420b94cff5e10a0f5509
MikeKane
You can have VLANs talk to each other easily if they are set to the same security level and you use "same-security-traffic permit intra-interface" along with a NoNat ACL permitting these Vlans to talk to each other...  

Access-list nonat1 extended permit ip 130.11.0.1 255.255.0.0 130.12.0.1 255.255.0.0
Access-list nonat1 extended permit ip 130.11.0.1 255.255.0.0 130.10.0.1 255.255.0.0
Access-list nonat1 extended permit ip 130.10.0.1 255.255.0.0 130.11.0.1 255.255.0.0

nat (inside) 0 access-list nonat1
nat (XXXXX) 0 access-list nonat1
nat (OSCAR) 0 access-list nonat1
NWJP (ASKER)
Thanks MikeKane.
The commands are not accepted by the PIX. Vlan2 is assigned as physical, so it has a security level of 100, and as far as I understood I cannot give a security level of 100 to a logical interface, which means Vlan2 will never have the same security level as the other VLANs.

Can we first configure the PIX to allow any traffic within the same VLAN?
For example:
I would like that all the IPs in vlan3 (130.11.0.0) are able to access any servers and services on vlan3.
>> I would like that all the IPs in vlan3 (130.11.0.0) are able to access any servers and services on vlan3.

I think that's a typo - would you clarify?
NWJP (ASKER)
In Vlan3 I have a PC with IP 130.11.0.25 /16 that cannot access a server with IP 130.11.0.99 /16, and both have the same gateway 130.11.0.1.
There is no software firewall activated. Even a ping is not responding. So I would like all the PCs in that VLAN to be able to access that server on the same VLAN. How do I set up the PIX 506E to let the traffic go within the same VLAN?

I found out that if my server is on Vlan2 with the IP 130.10.0.99 /16 and my PC on 130.10.0.25 /16 with gateway 130.10.0.1, then I can access the server. The only difference I see is that Vlan2 is configured as physical and Vlan3 as logical. If Vlan2 is configured as logical I cannot access the internet; it seems to be a Cisco PIX specification.
Traffic for that VLAN should not be hitting the ASA at all. That traffic from 130.11.0.25 to 130.11.0.99 would be found using an ARP broadcast, then directed to the MAC. The PIX does not come into play there at all since the traffic would not be leaving the subnet. What device are they plugged into, a hub or a switch? Is that hub/switch uplinked to the ASA? Is the device manageable?
NWJP (ASKER)
Well, it is a PIX 506E version 6.3(5) plugged into a Netgear FS726T switch. It is a manageable switch.
Since both the 0.25 host and the 0.99 host should be plugged into the Netgear, disconnect the Netgear from the firewall and try to ping the units. This should work since they are on the same IP subnet and physical segment. If it does not, then there is an issue with the connection at the Netgear.
NWJP (ASKER)
Well, I don't understand it; it is now working with the PIX plugged in. I can ping it. Thanks for the time spent on it.

With the changes I made, my current config is:
Vlan2: 130.10.0.0 /16
Vlan3: 130.11.0.0 /16

I want Vlan2 to access Vlan3 on any ports / any protocols / any IPs, and Vlan3 to access only specific ports on 130.10.0.150. What do I have to set up in order to achieve this?
To make this happen, you can have all vlan 2 hosts nat into vlan 3, and have vlan 3 hosts use a static back into vlan 2 because vlan 2 has a higher security interface level.  


So part 1, since there are no access lists restricting the flow from higher security to lower security, all you should need is this:

"global (XXXXX) 1 interface"

That will allow any vlan 2 host to translate to the vlan 3 interface IP and communicate (just like a nat device going to the internet).


Now to have VLAN 3 access 130.10.0.150 on VLAN 2, we open a static, then allow the ports inbound.  

static (inside,XXXXX) 130.11.0.150 130.10.0.150 netmask 255.255.255.255
access-list XXXXX_in extended permit tcp any host 130.11.0.150 eq www
access-list XXXXX_in extended permit tcp any host 130.11.0.150 eq https
access-group XXXXX_in in interface XXXXX

Those commands open a translation from the lower security interface to the higher one.   I create an access list to allow ports 80 and 443 into the host, then apply the access list to the VLAN3 interface to allow the traffic.    Any host on VLAN 3 can now hit IP 130.11.0.150 on port 80, the ASA will translate that automatically and deliver to the destination address 130.10.0.150 in the secured VLAN.  
NWJP (ASKER)

Thanks MikeKane. I can't do it right now. As soon as I can, I will tell you how it is going. But with your explanations, I feel that it will be OK.
Very good.... I'll wait for your tests.
NWJP (ASKER)

I appreciate a lot the explanation you gave me, but I am lost... Can you have a look at my PIX configuration and tell me the ACL I have to write in order to have Vlan2 have full access to Vlan3, and Vlan3 have access, for example, to WWW and PING on server 130.10.0.150?

Thanks for your patience.

NW-PIX(config)# sh config
: Saved
: Written by enable_15 at 06:34:31.976 UTC Fri Jan 1 1993
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan2 physical
interface ethernet1 vlan3 logical
interface ethernet1 vlan4 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 NW-HOME security50
nameif vlan4 OS-OSCAR security50
enable password fdG9PSr3IeUwRf5y encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname NW-PIX
domain-name no-ware
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
logging device-id hostname
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.252 255.255.255.0
ip address inside 130.10.0.1 255.255.0.0
ip address NW-HOME 130.11.0.1 255.255.0.0
ip address OS-OSCAR 130.12.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (NW-HOME) 1 interface
global (OS-OSCAR) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (NW-HOME) 1 0.0.0.0 0.0.0.0 0 0
nat (OS-OSCAR) 1 0.0.0.0 0.0.0.0 0 0
static (inside,NW-HOME) 130.10.0.150 130.10.0.150 netmask 255.255.255.255 0 0
static (inside,OS-OSCAR) 130.10.0.150 130.10.0.150 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:4ef6eb99de9d208855a8df3b4c70d6fe
Remove these with:

no static (inside,NW-HOME) 130.10.0.150 130.10.0.150 netmask 255.255.255.255 0 0
no static (inside,OS-OSCAR) 130.10.0.150 130.10.0.150 netmask 255.255.255.255 0 0
Add these:

static (inside,NW-HOME) 130.11.0.150 130.10.0.150 netmask 255.255.255.255 0 0
access-list nw-home_in extended permit tcp any host 130.11.0.150 eq www
access-list nw-home_in extended permit tcp any host 130.11.0.150 eq https
access-group nw-home_in in interface NW-HOME

NWJP (ASKER)

But 130.11.0.150 does not exist... does that mean it is a translated IP and I will not be able to use this IP for another server?
That's correct. A machine in NW-HOME would use http://130.11.0.150. The PIX would pick up the packet, see that it has a STATIC entry for that IP, basically re-address the packet, and send it to the inside network. That's how the communication from a lower security interface to the higher security interface works.

130.11.0.150 should not be used for any local host.


Will that not solve your issue?
NWJP (ASKER)

Thanks for the explanation. I suppose that technically it will solve my problem, but this configuration is not satisfactory. Let me explain.

On Vlan2 I will have the following servers:
- Active Directory (130.10.0.150)
- Terminal server (130.10.0.50)
- Web server (130.10.0.10)

On Vlan3:
- Terminal server (130.11.0.50)
- Web server (130.11.0.10)

And so on... I want to use the same IP termination for all identical servers (same roles) on different VLANs. The only VLAN that will need to have full access to the others is Vlan2.
Is there any way you can move these 2 subnets to logical VLANs, so that both can share the same security level? That makes sharing very easy....
NWJP (ASKER)

I tried that way first, both VLANs as logical, but could not get any connectivity. That's why an expert told me to set up Vlan2 as physical.
NWJP (ASKER)

MikeKane,
Thanks for your help. Finally I got a configuration working as I wanted. Now I am able to do the following:
From VLAN2 (130.10.0.0):
- Access is OK to any host with any protocol on any ports on Vlan3
- Access is OK to the internet

From VLAN3 (130.11.0.0):
- Access is OK to any host with any protocol on any ports on Vlan3
- Access is OK to the internet

This is my first time working with a firewall and a manageable switch... it looks very complicated to me.
Can you help me with the 2nd part?
I would now like server 130.11.0.24 to be able to ping server 130.10.0.25.
Here is the PIX config:

NW-PIX(config)# sh config
: Saved
: Written by enable_15 at 00:23:47.631 UTC Fri Jan 1 1993
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan2 physical
interface ethernet1 vlan3 logical
interface ethernet1 vlan4 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 NW-HOME security50
nameif vlan4 OS-OSCAR security50
enable password fdG9PSr3IeUwRf5y encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname NW-PIX
domain-name no-ware
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 130.10.0.150 NW-AD1
name 130.10.0.101 NW-VC1
name 130.10.0.10 NW-TS1
name 130.11.0.24 HO-MMX
name 130.12.0.10 OS-TS1
name 130.10.0.25 JPW7
access-list NW-HOME_access_in permit ip any any
access-list OS-OSCAR_access_in permit ip any any
pager lines 24
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
logging device-id hostname
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.252 255.255.255.0
ip address inside 130.10.0.1 255.255.0.0
ip address NW-HOME 130.11.0.1 255.255.0.0
ip address OS-OSCAR 130.12.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 130.10.0.0 255.255.255.255 inside
pdm location JPW7 255.255.255.255 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (NW-HOME) 1 interface
global (OS-OSCAR) 1 interface
nat (inside) 1 130.10.0.0 255.255.0.0 0 0
nat (NW-HOME) 1 130.11.0.0 255.255.0.0 0 0
nat (OS-OSCAR) 1 130.12.0.0 255.255.0.0 0 0
access-group NW-HOME_access_in in interface NW-HOME
access-group OS-OSCAR_access_in in interface OS-OSCAR
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:0ea33553e68ec570e4abd1eb75db87c5
Cisco's how to on allowing pings to the inside network is here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Basically, you create a static map from the inside and then allow icmp to that IP.

For you, it would be :
static (nw-home,inside) 130.10.0.25 130.11.0.<1-254>  netmask 255.255.255.255
access-list NW-HOME_access_in permit icmp any any


From 130.11.0.24, you can now ping that address in the static line "130.11.0.<1-254>" and get a reply from 130.10.0.25.      
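The following toy model, added here as an example and not part of the thread, encodes the rules MikeKane describes in this answer and in his earlier one about reaching 130.10.0.150: traffic from a higher-security interface to a lower one only needs a global on the egress interface, while traffic from a lower-security interface to a higher one needs a static plus an inbound ACL that permits the mapped address. It assumes the PIX static argument order `static (real_if,mapped_if) mapped_ip real_ip`, models only the three internal interfaces from the posted config, and uses verdict names of my own.

```python
import ipaddress
import re
# Interfaces from the thread's 'nameif' / 'ip address' lines: name -> (security, subnet).
IFACES = {
    "inside": (100, ipaddress.ip_network("130.10.0.0/16")),
    "NW-HOME": (50, ipaddress.ip_network("130.11.0.0/16")),
    "OS-OSCAR": (50, ipaddress.ip_network("130.12.0.0/16")),
}
GLOBALS = {"outside", "NW-HOME", "OS-OSCAR"}   # interfaces with 'global (X) 1 interface'
# ACL names bound to NW-HOME by 'access-group' (both names used in the thread's answers).
ACCESS_GROUPS = {"NW-HOME": {"nw-home_in", "nw-home_access_in"}}

# Assumed PIX syntax:  static (real_if,mapped_if) mapped_ip real_ip netmask ...
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"access-list (\S+) (?:extended )?permit (\S+) any "
                    r"(?:host (\S+)|any)(?: eq (\S+))?$")

def parse_static(line):
    real_if, mapped_if, mapped_ip, real_ip = STATIC_RE.match(line.strip()).groups()
    return {"real_if": real_if, "mapped_if": mapped_if, "mapped_ip": mapped_ip, "real_ip": real_ip}

def parse_acl(line):
    name, proto, host, port = ACL_RE.match(line.strip()).groups()
    return {"acl": name, "proto": proto, "dst": host or "any", "port": port}

def iface_of(ip):
    addr = ipaddress.ip_address(ip)
    return next(name for name, (_, net) in IFACES.items() if addr in net)

def evaluate(src, dst, proto, statics=(), acls=(), port=None):
    """Decide a new connection; returns (verdict, destination after translation)."""
    src_if = iface_of(src)
    # A static whose mapped address is hit from its mapped interface re-addresses the
    # packet to the real host behind the higher-security interface.
    st = next((s for s in statics if s["mapped_if"] == src_if and s["mapped_ip"] == dst), None)
    dst_if, real_dst = (st["real_if"], st["real_ip"]) if st else (iface_of(dst), dst)
    if dst_if == src_if:                       # same subnet: switched locally, never hits the PIX
        return "local", dst
    src_sec, dst_sec = IFACES[src_if][0], IFACES[dst_if][0]
    if src_sec > dst_sec:                      # higher -> lower: PAT to the egress interface IP
        return ("permit" if dst_if in GLOBALS else "deny-no-global"), dst
    if src_sec == dst_sec:
        return "deny-same-security", dst
    if st is None:                             # lower -> higher needs a translation first...
        return "deny-no-static", dst
    for a in acls:                             # ...and the inbound ACL must permit the *mapped* address
        if (a["acl"].lower() in ACCESS_GROUPS.get(src_if, ())
                and a["proto"] in ("ip", proto) and a["dst"] in ("any", dst)
                and a["port"] in (None, port)):
            return "permit", real_dst
    return "deny-acl", dst

# Constructed from the lines MikeKane told the asker to add for 130.10.0.150.
STATICS = [parse_static("static (inside,NW-HOME) 130.11.0.150 130.10.0.150 netmask 255.255.255.255 0 0")]
ACLS = [parse_acl("access-list nw-home_in extended permit tcp any host 130.11.0.150 eq www"),
        parse_acl("access-list nw-home_in extended permit tcp any host 130.11.0.150 eq https")]
```

Running `evaluate("130.11.0.24", "130.10.0.25", "icmp")` against the real inside address returns `deny-no-static`, which is the timeout the asker sees; only the mapped address of a static is reachable from NW-HOME, and an ICMP permit on that interface's ACL is what lets the ping through.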
NWJP (ASKER)
This is not working:
static (nw-home,inside) 130.10.0.25 130.11.0.<1-254>  netmask 255.255.255.255

That rule, "access-list NW-HOME_access_in permit icmp any any", is already included in "access-list NW-HOME_access_in permit ip any any", am I wrong?

I already visited the link you sent me and many more; that's why I am asking on EE, because I am not able to get it right and all that documentation is confusing me. Please HELP me.
In this rule: static (nw-home,inside) 130.10.0.25 130.11.0.<1-254>  netmask 255.255.255.255
the <1-254> meant that you should pick one of the IPs from 1 to 254. Pick one that is free.

And add the icmp rule as well.

NWJP (ASKER)
I have these rules:
access-list NW-HOME_access_in permit ip any any
access-list NW-HOME_access_in permit icmp any any
access-list OS-OSCAR_access_in permit ip any any

I tried with the following static commands:
static (nw-home,inside) 130.10.0.25 130.11.0.59  netmask 255.255.255.255 => .59 is not in use on the network
static (nw-home,inside) 130.10.0.25 130.11.0.24  netmask 255.255.255.255 => .24 is the machine I am initiating the ping from.

In both cases I get a ping timeout.
From 130.11.0.24, you are pinging 130.11.0.59, correct? And this is giving you no response, correct?
NWJP (ASKER)

No. From 130.11.0.24 I want to ping 130.10.0.25.
Using those statics, if you ping the IP 130.11.0.59 it will static NAT into 130.10.0.25 using the static from above. True, your machine is not pinging the *address* 130.10.0.25, but the ICMP packets will reach it regardless and you will get a reply.
NWJP (ASKER)

"Using those statics, if you ping the IP 130.11.0.59 it will static NAT into 130.10.0.25 using the static from above. True, your machine is not pinging the *address* 130.10.0.25, but the ICMP packets will reach it regardless and you will get a reply." => This is not working. And if it was, it is not the result I am expecting. I do not want to have a table of the IPs in use and their corresponding IPs for the traffic.

If I want to ping 130.10.0.25, I want to type "ping 130.10.0.25" and not any other IP.
ASKER CERTIFIED SOLUTION
MikeKane
This solution is only available to members.
NWJP (ASKER)

YESSSSSSSSSSSSSSSSSSS !!!! This is it !!! It is exactly what I was looking for !!!

First, THANKS for the answer.
Second, I think you could have given me the answer earlier if you had read my post with attention.
Third, now I have new stuff to learn about, but the right answer you gave me helps me to understand some (I suppose) basics of the Cisco PIX.