Re: PIX config problem

From: Michal Mertl (mime@kpnqwest.cz)
Date: Mon Jun 03 2002 - 07:30:49 EDT


On Mon, 3 Jun 2002, fingers wrote:

> Hi
>
> > I'm building IPsec VPN using PIX 515 as hub and 1751 as spokes. I want to
> > centralize all Internet access on PIX. I have 3 interfaces on the PIX -
> > private network of HQ, DMZ and external. I thought I would configure the
> > tunnels on PIX, the decrypted traffic would then be routed - when destined
> > for Internet PAT translated. It seems it may not be possible to configure
> > according to "Cisco Secure PIX Firewall FAQ" and question 'Can I operate
> > the PIX in a "one armed" configuration?'.
> >
> > The error I get is "106011: Deny inbound (No xlate)
> > icmp src outside:10.1.0.2 dst outside:aa.bb.cc.dd (type 8, code 0)".
>
> do you have a 'nat' statement for that block?
>
> 'show [nat/xlate]'?

The problem is something else - PIX won't pass traffic back into the
interface where it came from.

-- 
Michal Mertl
Specialist IP Service Development
KPNQwest Czechia s.r.o.
GTS Czech a.s.
Vinohradska 184
130 52 Praha 3
Tel.: +420 2 96157111
Fax: +420 2 96157444
e-mail: Michal.Mertl@kpnqwest.cz
____________________________________________
As of 1 May 2002, the companies KPNQwest and GTS
have been operationally merged


