[c-nsp] PIX questions

Gregori Parker Gregori.Parker at theplatform.com
Mon May 12 13:34:41 EDT 2008


I was hoping to see an answer to this, as I ran into what I believe to
be a similar situation a while back.

We had an ASA at an edge, with several static identity NATs, e.g.:

	static (inside,outside) x.x.x.78 172.16.8.44 netmask 255.255.255.255
	static (inside,outside) x.x.x.79 172.16.8.45 netmask 255.255.255.255
	...

Where x.x.x.* are public addresses, and an access-list allows specific
services from anywhere to each public NAT.  All outgoing traffic is
PATed to the interface address, say x.x.x.80, and I'm not clear on how
to enable a host on the inside to communicate with an identity NAT on
the outside... essentially the ASA would be doubling up on translations,
one outgoing, to one inbound... looping back to itself, so to speak.  It
doesn't work, and I understand why, but I've wondered if there's a way
to enable this (other than having the hosts communicate directly).  I've
looked at things like permitting same-security-traffic
inter/intra-interface to no avail.

Thanks in advance (and sorry if I woke a dead thread)


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rudy Setiawan
Sent: Friday, May 09, 2008 12:05 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] PIX questions

Hi all,

I have a question about PIX translation

An outside interface has IP address:
192.168.1.2 255.255.255.0

A DMZ interface has IP address:
10.1.1.2 255.255.255.0


Current translation:
10.1.1.3 -> 192.168.1.3
10.1.1.4 -> 192.168.1.4


How can I make it so that 10.1.1.3 is able to ping the IP "192.168.1.4"?
How can I make it so that anyone behind 10.1.1.0/24 network is able to
ping the IP "192.168.1.4"?

Consider the ICMP is allowed any any.

I tried to configure it but the ASDM log says
"Deny IP Spoof From 192.168.1.2 to 192.168.1.4 on interface outside"

Thank you for your help in advance.

Regards,
Rudy
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
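A hairpin (U-turn) NAT layout for the DMZ case in the original message, added here as an example in the pre-8.3 static/nat/global syntax both posts use; it is not from either poster or from the thread. The (dmz,dmz) statics and the dmz interface PAT are the assumed additions; the interface and host addresses are the ones quoted in the message.

```cisco
! Added example, not from the thread: let DMZ hosts reach each other via
! their public (mapped) addresses without the traffic leaving via outside,
! where the PATed source 192.168.1.2 looks like a spoof of the ASA itself.
!
! Allow a flow to enter and leave the ASA on the same interface.
same-security-traffic permit intra-interface
!
! Existing one-to-one statics toward outside (as quoted in the message).
static (dmz,outside) 192.168.1.3 10.1.1.3 netmask 255.255.255.255
static (dmz,outside) 192.168.1.4 10.1.1.4 netmask 255.255.255.255
!
! Assumed addition: the same mapped addresses are also translated when the
! packet arrives on dmz, so 10.1.1.3 -> 192.168.1.4 becomes 10.1.1.3 -> 10.1.1.4
! inside the ASA instead of being routed out of outside.
static (dmz,dmz) 192.168.1.3 10.1.1.3 netmask 255.255.255.255
static (dmz,dmz) 192.168.1.4 10.1.1.4 netmask 255.255.255.255
!
! Assumed addition: PAT dmz-to-dmz sources to the dmz interface address so
! the server's reply comes back through the ASA and is untranslated there.
! Without this the server answers 10.1.1.3 directly from 10.1.1.4, and the
! client, which sent to 192.168.1.4, drops the mismatched reply.
! The nat (dmz) 1 line may already exist for the outbound PAT; the same
! NAT id is matched against the global of whichever interface is the egress.
global (dmz) 1 interface
nat (dmz) 1 10.1.1.0 255.255.255.0
!
! Verification after a ping from 10.1.1.3 to 192.168.1.4: both a dmz:dmz
! xlate for 192.168.1.4 and an ICMP conn between the two dmz hosts appear.
! show xlate | include 192.168.1.4
! show conn | include 10.1.1.4
```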
