Re: same-security-traffic permit intra-interface

From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Wed Dec 19 2007 - 04:07:34 ART


Tim, check your email(s) dated Sept 27th.

You asked the same question back then, and I can see that I gave a similar
reply, and I remember your private message confirming that putting the global
command solved the issue :)

Cielieska, I think before 7.2.x the 'same-security-traffic permit
intra-interface' command required at least one leg of the traffic to be VPN
traffic, but that was changed in later releases.
Now both legs can be clear-text traffic, and this is exactly what Tim is
trying to achieve here.

The problem is just how Cisco PIX/ASA handles NAT (even with nat-control
disabled). Once you have a dynamic NAT on any high-security interface (let's
say inside going to outside for internet traffic), now even for inside >>
dmz communication you need to have translation rules (or exemptions). This
is documented on CCO though:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1065218

They also have a nice diagram to explain this :)

HTH

Farrukh

On Dec 19, 2007 9:43 AM, Cielieska Nathan <ncielieska@gmail.com> wrote:

> Tim,
>
> I would be hard pressed if what you're trying to do is doable. If I'm
> hearing you right, you're looking to send traffic from one internal
> subnet for internet traffic/external and then another selectively use
> an access-list to translate back into your private network. This is
> at least what I'm reading from the config.
>
> The same-security-traffic permit intra-interface is usually used
> exclusively for client tunnel traffic that needs to terminate on the
> device and then route to the internet.
>
> I have done something similar on the ASA, but you basically have SVIs
> on the newer ASAs to bridge between. Cisco has big problems with
> sending traffic to a PIX and then sending it right back out an interface,
> in essence becoming a router, and this can only happen in selective cases.
>
> Maybe a little more detail would help.
>
> Also - Wasn't aware a 515 could run 8.0 code, is this new?
>
> Nate
> On Dec 19, 2007, at 1:17 AM, Tim Curci wrote:
>
> > I am having trouble hairpinning to several private networks behind
> > ethernet 1 (security 100) on a PIX515E-UR running 8.0 code.
> >
> > I have enabled same-security-traffic permit intra-interface, nat-control is
> > off and I have tried several versions of NAT including:
> >
> > nat (inside) 1 0.0.0.0 0.0.0.0
> > global (outside) 1 interface
> >
> > nat (inside) 2 access-list xxx
> > global (inside) 2 interface
> >
> > Any ideas?
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:31 ARST