[c-nsp] PIX 6x translation issue
Tony
td_miles at yahoo.com
Mon Jan 12 17:08:09 EST 2009
Hi William,
You're close I think...
--- On Tue, 13/1/09, William <willay at gmail.com> wrote:
> From: William <willay at gmail.com>
> Subject: [c-nsp] PIX 6x translation issue
> To: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
> Date: Tuesday, 13 January, 2009, 2:12 AM
> Hi there chaps,
>
> I have a PIX running 6x software with 3 interfaces:
>
> outside - sec0 (public IP address)
> inside - sec100 (10.1.1.253/24)
> office - sec90 (10.75.4.253/24)
>
>
> What I'm trying to figure out is how I can get hosts on the office
> network to access hosts on the inside network without their addresses
> being translated. I've built an access-list and applied it to the
> office interface which is straightforward and I've added the
> following static:
>
> static (office,inside) 10.75.4.0 10.75.4.0 netmask 255.255.255.0 0 0
>
I believe you need "static (inside, office)".
> However I'm not getting any connectivity, so I added:
>
> access-list office_outbound_nat0_acl permit ip host 10.75.4.1 10.1.1.0 255.255.255.0
> nat (office) 0 access-list office_outbound_nat0_acl
If you create the static properly, you won't need the "nat 0" statement.
You need to remember the rules:
* If you want to allow OUTSIDE hosts in, then use "static" + "acl" commands. This also allows INSIDE hosts out using the same static if it's applicable and ACLs allow it.
* If you want to allow INSIDE hosts out, then use "global" + "nat" commands.
I'm using OUTSIDE & INSIDE to refer to generic lower or higher security interfaces.
I've probably confused you now, this document explains it a lot better:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml
regards,
Tony.