David,

I am sorry for the slow response.  I had my nose down in development and
didn’t see this one.

 

Well, the question says to do 200.13.122.12 as the static nat statement for
the switch, but that is irrelevant.

 

The configuration you have below should work fine.

 

Labbed it up with no problems.

 

PIX(config)# sh run | inc static|global|nat
global (outside) 1 200.13.122.1-200.13.122.48
global (outside) 1 200.13.122.49
global (inside) 2 172.16.111.6
nat (outside) 2 200.13.6.0 255.255.255.0 outside
nat (inside) 1 172.16.111.0 255.255.255.0
static (inside,outside) 200.13.112.100 172.16.111.12 netmask 255.255.255.255 norandomsequence
PIX(config)#
%PIX-7-609001: Built local-host outside:200.13.6.6
%PIX-7-609001: Built local-host inside:172.16.111.12
%PIX-6-305011: Built dynamic ICMP translation from outside:200.13.6.6/24 to inside:172.16.111.6/6
%PIX-6-302020: Built ICMP connection for faddr 200.13.6.6/24 gaddr 200.13.112.100/0 laddr 172.16.111.12/0
%PIX-6-302020: Built ICMP connection for faddr 200.13.6.6/24 gaddr 200.13.112.100/0 laddr 172.16.111.12/0
%PIX-6-302021: Teardown ICMP connection for faddr 200.13.6.6/24 gaddr 200.13.112.100/0 laddr 172.16.111.12/0
%PIX-6-302021: Teardown ICMP connection for faddr 200.13.6.6/24 gaddr 200.13.112.100/0 laddr 172.16.111.12/0
%PIX-7-609002: Teardown local-host inside:172.16.111.12 duration 0:00:02

 

Did you have a route on the PIX pointing to R2 for the 200.13.6.0/24
network, or a default pointing to R2?  That would be the only thing that I
can think of that would have stopped this from working.

 

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
A Cisco Learning Partner - We Accept Learning Credits!
Telephone: +1.810.326.1444 
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [EMAIL PROTECTED]

 



 

   _____  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bowley,
David
Sent: Sunday, January 20, 2008 1:35 PM
To: Bowley, David; [email protected]
Subject: Re: [OSL | CCIE_Security] section 17 2.3

 

Does anyone have any advice for the below?

 

Thanks

 

   _____  

From: Bowley, David 
Sent: 12 January 2008 16:48
To: '[email protected]'
Subject: section 17 2.3

 

 

Hi 

 

For Section 17 I am trying to enable outside NAT on the PIX to allow VLAN 6
to be able to communicate to CAT1 so that any traffic from VLAN 6 is
translated to an address on VLAN 111.

I have added the following to enable this:

 

nat (outside) 2 200.13.6.0 255.255.255.0 outside

global (inside) 2 172.16.111.6

 

I have also allowed ICMP through on the PIX to anywhere but receive the
following debug message on the PIX when pinging from R6 inside interface:

%PIX-3-305005: No translation group found for icmp src outside:200.13.6.6 dst inside:172.16.111.12

 

From the previous steps in the section I have added the following:

global (outside) 1 200.13.122.1-200.13.122.48

global (outside) 1 200.13.122.49

nat (inside) 1 172.16.111.0 255.255.255.0

static (inside,outside) 200.13.112.100 172.16.111.12 netmask 255.255.255.255

 

and it seems that these commands are causing the problems with the above
outside nat command.

Once I remove nat (inside) 1 172.16.111.0 255.255.255.0 and
static (inside,outside) 200.13.112.100 172.16.111.12 netmask 255.255.255.255,
I am able to ping from VLAN 6 (R6 inside interface) to VLAN 111 (CAT1) OK.

 

The outside nat doesn’t look achievable on two parts. Firstly, the static
(inside,outside) that is configured and secondly the nat (inside) commands
seem to confuse the outside nat.

 

Is there a way around this, or can outside NAT only be used when there isn’t
a static NAT or nat (inside) command already configured for an address that
you are trying to communicate with?

 

Thanks in advance

 

David
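
Added example (not part of either message in this thread): a small Python correlator that reads the PIX syslog lines quoted above and reports, per address pair, whether the firewall logged a 305005 translation failure or went on to build a connection (302020), plus any dynamic translations (305011) it created. The regexes cover only the message formats shown in the thread, and the names `analyze`, `FAILING` and `WORKING` are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed samples: the syslog lines quoted in the thread, wrapped lines rejoined.
FAILING = (
    "%PIX-3-305005: No translation group found for icmp "
    "src outside:200.13.6.6 dst inside:172.16.111.12\n"
)
WORKING = (
    "%PIX-7-609001: Built local-host outside:200.13.6.6\n"
    "%PIX-6-305011: Built dynamic ICMP translation from "
    "outside:200.13.6.6/24 to inside:172.16.111.6/6\n"
    "%PIX-6-302020: Built ICMP connection for faddr 200.13.6.6/24 "
    "gaddr 200.13.112.100/0 laddr 172.16.111.12/0\n"
    "%PIX-6-302021: Teardown ICMP connection for faddr 200.13.6.6/24 "
    "gaddr 200.13.112.100/0 laddr 172.16.111.12/0\n"
)

IP = r"(\d+\.\d+\.\d+\.\d+)"
HEADER = re.compile(r"^%PIX-\d-(\d{6}): (.*)$")
NO_XLATE = re.compile(rf"src (\w+):{IP}\S* dst (\w+):{IP}")
BUILT_XLATE = re.compile(rf"from (\w+):{IP}\S* to (\w+):{IP}")
BUILT_CONN = re.compile(rf"faddr {IP}\S* gaddr {IP}\S* laddr {IP}")


def analyze(log_text):
    """Summarise per address pair whether the PIX translated and passed it."""
    seen = defaultdict(set)   # (ip, ip) -> {"no_xlate", "conn"}
    xlates = {}               # (iface, real ip) -> (iface, mapped ip)
    for line in log_text.splitlines():
        head = HEADER.match(line.strip())
        if not head:
            continue
        msg_id, body = head.groups()
        if msg_id == "305005" and (m := NO_XLATE.search(body)):
            seen[tuple(sorted((m[2], m[4])))].add("no_xlate")
        elif msg_id == "305011" and (m := BUILT_XLATE.search(body)):
            xlates[(m[1], m[2])] = (m[3], m[4])
        elif msg_id == "302020" and (m := BUILT_CONN.search(body)):
            seen[tuple(sorted((m[1], m[3])))].add("conn")
    flows = {pair: "passed" if "conn" in ev else "dropped: no translation"
             for pair, ev in seen.items()}
    return {"flows": flows, "xlates": xlates}


if __name__ == "__main__":
    for name, log in (("before", FAILING), ("after", WORKING)):
        print(name, analyze(log))
```
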

 

 

 

 

 
