[c-nsp] PIX 6x translation issue

Michael K. Smith - Adhost mksmith at adhost.com
Mon Jan 12 11:01:06 EST 2009


Hello William:

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of William
> Sent: Monday, January 12, 2009 7:13 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] PIX 6x translation issue
> 
> Hi there chaps,
> 
> I have a PIX running 6x software with 3 interfaces:
> 
> outside - sec0 (public IP address)
> inside - sec100 (10.1.1.253/24)
> office - sec90 (10.75.4.253/24)
> 
> 
> At the moment I have it configured so hosts on the inside interface
> can access the internet (natted to interface ip on outside) and access
> various networks over VPN (no nat). Hosts on the office network can
> also access the internet (natted the same as inside).
> 
> What I'm trying to figure out is how I can get hosts on the office
> network to access hosts on the inside network without their addresses
> being translated. I've built an access-list and applied it to the
> office interface which is straightforward and I've added the
> following static:
> 
access-list office-to-inside permit ip 10.75.4.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside-to-office permit ip 10.1.1.0 255.255.255.0 10.75.4.0 255.255.255.0
access-group inside-to-office in interface inside
access-group office-to-inside in interface office
nat (office) 0 access-list office-to-inside

You can tighten that down to a single host as you had in your example as well.

Regards,

Mike
