David, I am sorry for the slow response. I had my nose down in development and didn’t see this one.
Well, the question says to do 200.13.122.12 as the static nat statement for the switch, but that is irrelevant. The configuration you have below should work fine. Labbed it up with no problems.

PIX(config)# sh run | inc static|global|nat
global (outside) 1 200.13.122.1-200.13.122.48
global (outside) 1 200.13.122.49
global (inside) 2 172.16.111.6
nat (outside) 2 200.13.6.0 255.255.255.0 outside
nat (inside) 1 172.16.111.0 255.255.255.0
static (inside,outside) 200.13.112.100 172.16.111.12 netmask 255.255.255.255 norandomsequence
PIX(config)#
%PIX-7-609001: Built local-host outside:200.13.6.6
%PIX-7-609001: Built local-host inside:172.16.111.12
%PIX-6-305011: Built dynamic ICMP translation from outside:200.13.6.6/24 to inside:172.16.111.6/6
%PIX-6-302020: Built ICMP connection for faddr 200.13.6.6/24 gaddr 200.13.112.100/0 laddr 172.16.111.12/0
%PIX-6-302020: Built ICMP connection for faddr 200.13.6.6/24 gaddr 200.13.112.100/0 laddr 172.16.111.12/0
%PIX-6-302021: Teardown ICMP connection for faddr 200.13.6.6/24 gaddr 200.13.112.100/0 laddr 172.16.111.12/0
%PIX-6-302021: Teardown ICMP connection for faddr 200.13.6.6/24 gaddr 200.13.112.100/0 laddr 172.16.111.12/0
%PIX-7-609002: Teardown local-host inside:172.16.111.12 duration 0:00:02

Did you have a route on the PIX pointing to R2 for the 200.13.6.0/24 network, or a default pointing to R2? That would be the only thing that I can think of that would have stopped this from working.

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
_____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bowley, David
Sent: Sunday, January 20, 2008 1:35 PM
To: Bowley, David; [email protected]
Subject: Re: [OSL | CCIE_Security] section 17 2.3

Does anyone have any advice for the below?

Thanks

_____

From: Bowley, David
Sent: 12 January 2008 16:48
To: '[email protected]'
Subject: section 17 2.3

Hi

For Section 17 I am trying to enable outside NAT on the PIX to allow VLAN 6 to be able to communicate to CAT1 so that any traffic from VLAN 6 is translated to an address on VLAN 111. I have added the following to enable this:

Nat (outside) 2 200.13.6.0 255.255.255.0 outside
Global (inside) 2 172.16.111.6

I have also allowed ICMP through on the PIX to anywhere but receive the following debug message on the PIX when pinging from R6 inside interface:

%PIX-3-305005: No translation group found for icmp src outside:200.13.6.6 dst inside:172.16.111.12

From the previous steps in the section I have added the following:

global (outside) 1 200.13.122.1-200.13.122.48
global (outside) 1 200.13.122.49
nat (inside) 1 172.16.111.0 255.255.255.0
static (inside,outside) 200.13.112.100 172.16.111.12 netmask 255.255.255.255

and it seems that these commands are causing the problems with the above outside nat command. Once I remove

nat (inside) 1 172.16.111.0 255.255.255.0

and

static (inside,outside) 200.13.112.100 172.16.111.12 netmask 255.255.255.255

I am able to ping from VLAN 6 (R6 inside interface) to VLAN 111 (CAT1) OK.

The outside nat doesn’t look achievable on two parts. Firstly, the static (inside,outside) that is configured and secondly the nat (inside) commands seem to confuse the outside nat. Is there a way around this or can outside NAT only be used when there isn’t a static NAT or nat (inside) command already configured for an address that you are trying to communicate with?
Thanks in advance

David
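
Added example, not part of the original thread: a small Python parser for the PIX syslog messages quoted above (305005, 305011, 302020) that pulls out the source, destination and mapped addresses so the failing test and the working lab run can be compared side by side. The log lines are copied from the two e-mails; the function names are illustrative.

```python
import re

# Log lines copied from the thread: the first is from the failing test,
# the others are from the working lab run.
SAMPLE_LOGS = """\
%PIX-3-305005: No translation group found for icmp src outside:200.13.6.6 dst inside:172.16.111.12
%PIX-6-305011: Built dynamic ICMP translation from outside:200.13.6.6/24 to inside:172.16.111.6/6
%PIX-6-302020: Built ICMP connection for faddr 200.13.6.6/24 gaddr 200.13.112.100/0 laddr 172.16.111.12/0
%PIX-6-302021: Teardown ICMP connection for faddr 200.13.6.6/24 gaddr 200.13.112.100/0 laddr 172.16.111.12/0
"""

HEADER = re.compile(r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)")
IP = r"[\d.]+"
PATTERNS = {
    # NAT lookup failed: which address pair had no matching nat/static rule
    "305005": re.compile(rf"No translation group found for (?P<proto>\S+) "
                         rf"src (?P<src_if>\w+):(?P<src>{IP}) dst (?P<dst_if>\w+):(?P<dst>{IP})"),
    # Dynamic xlate built: real source and the address it was mapped to
    "305011": re.compile(rf"Built dynamic (?P<proto>\S+) translation from "
                         rf"(?P<src_if>\w+):(?P<src>{IP})/\d+ to (?P<dst_if>\w+):(?P<mapped>{IP})/\d+"),
    # Connection built: foreign, global (translated) and local (real) addresses
    "302020": re.compile(rf"Built (?P<proto>\S+) connection for faddr (?P<faddr>{IP})/\d+ "
                         rf"gaddr (?P<gaddr>{IP})/\d+ laddr (?P<laddr>{IP})/\d+"),
}

def parse(text):
    """Return one dict per recognised message; other message IDs are skipped."""
    events = []
    for line in text.splitlines():
        head = HEADER.search(line)
        if not head or head["msgid"] not in PATTERNS:
            continue
        body = PATTERNS[head["msgid"]].match(head["body"])
        if body:
            events.append({"msgid": head["msgid"], "severity": int(head["sev"]),
                           **body.groupdict()})
    return events

def summarize(events):
    """Group the addresses by outcome so the two tests can be compared."""
    return {
        "failed": {(e["src"], e["dst"]) for e in events if e["msgid"] == "305005"},
        "xlates": {(e["src"], e["mapped"]) for e in events if e["msgid"] == "305011"},
        "built": {(e["faddr"], e["gaddr"], e["laddr"])
                  for e in events if e["msgid"] == "302020"},
    }

if __name__ == "__main__":
    for outcome, addrs in summarize(parse(SAMPLE_LOGS)).items():
        print(outcome, sorted(addrs))
```

On these lines the failed lookup is addressed to 172.16.111.12, while the built connection lists 200.13.112.100 as gaddr and 172.16.111.12 as laddr.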
