But doesn't NAT 0 stop NAT for whatever is defined afterwards?

If I remember right, and I just might not, I used it when I wanted to
avoid NAT on VPN traffic. I would define VPN traffic with an access-list
and then use NAT 0 to tell the PIX not to NAT/PAT VPN traffic.

Dude, I still can't figure out why Guruprasad's config won't work. Got me
totally bummed out.

Theo
"Jay Dunn" 
Sent by: [EMAIL PROTECTED]
10/15/2002 05:59 PM
Please respond to "Jay Dunn"

 
        To:     [EMAIL PROTECTED]
        cc: 
        Subject:        RE: With PIX unable to reach DMZ from LAN [7:55608]


Lookup NAT 0 in the PIX command summary (sorry, I don't have a link).
The PIX will perform NATing on a packet as soon as it enters an
interface. This can create problems when 2 interfaces receive their NAT
addresses from the same pool. Create an access list permitting ip
between the inside and dmz subnets and then apply it with NAT 0. This
will eliminate NATing. This should allow the inside to establish full
communication with the dmz. You will still need the appropriate conduits
for dmz to inside communication.

Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Guruprasad Sanjeevi
Sent: Tuesday, October 15, 2002 12:33 AM
To: [EMAIL PROTECTED]
Subject: RE: With PIX unable to reach DMZ from LAN [7:55608]

Hi theo, and all,

I am giving the configuration.

 

global (outside) 1 66.x.x.x - 66.x.x.x netmask 255.255.255.224
global (perimeter) 1 192.168.23.10-192.168.23.20
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
nat (perimeter) 1 192.168.23.0 255.255.255.0 0 0
static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
static (inside, perimeter) 192.168.23.0 192.168.11.0 netmask 255.255.255.0 0 0
  (If I am not wrong, this command enables the communication between LAN
  and DMZ, but here it fails..)
conduit permit tcp host 66.x.x.x eq x any
conduit permit icmp host 192.168.11.x any
conduit permit tcp host 66.x.x.x eq x any
conduit permit tcp host 66.x.x.x eq sqlnet any
route outside 0.0.0.0 0.0.0.0 66.x.x.x 1

I

What is that companion command? Please help.

Regards

Guruprasad

-----Original Message-----
From: Theodore Stout [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, October 15, 2002 10:21 AM
To: Guruprasad Sanjeevi
Subject: Re: With PIX unable to reach DMZ from LAN [7:55608]

You will need to explicitly grant permission for the DMZ to communicate
with the Internal, since lower-security interfaces are automatically
blocked from higher ones.

Can you access from the Outside? Try it and see.

Can you print out the config without the real IPs? You need to have a
companion command to the Static command and I would like to see if you
have it.

Cheers,

Theo


"Guruprasad Sanjeevi" 
Sent by: [EMAIL PROTECTED]
10/15/2002 03:29 AM GMT
Please respond to "Guruprasad Sanjeevi"

To: [EMAIL PROTECTED]
cc: 
bcc: 
Subject: With PIX unable to reach DMZ from LAN [7:55608]



Hi group,

I am trying to configure a PIX. It has three Ethernet interfaces and three
networks are used.

LAN (inside): 192.168.11.0
DMZ (perimeter): 192.168.23.0
Outside: 66.x.x.x

Problem: users from the Inside and Perimeter networks are able to browse,
but the Inside and Perimeter networks cannot talk to each other. I have
given the static command like this:

Static(inside, perimeter) 192.168.23.0 192.168.11.0 0 0

What other command is required on the PIX to enable communication from the
INSIDE network to the DMZ (perimeter) and vice versa?

Please help....

Thanks
Guruprasad

[GroupStudy.com removed an attachment of type application/ms-tnef which
had a name of winmail.dat]
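Putting Jay's suggestion into PIX 6.x syntax, as an added example that is not part of any message in this thread: the access-list and nat 0 pair exempts inside-to-DMZ traffic from translation, and the conduits give the DMZ the explicit permission to reach inside that Theo says is required, since lower-security interfaces are blocked from higher ones by default. The access-list name, the inside host 192.168.11.25 and port 1521 are assumed for illustration. The posted static (inside,perimeter) line is withdrawn here because it presents the inside network on the perimeter side as 192.168.23.0/24, the same range the DMZ hosts themselves use; nat 0 takes over its role.

```cisco
! Added example in PIX 6.x syntax; not from the thread. The inside host
! 192.168.11.25, port 1521 and the access-list name are assumptions.
!
! 1. Withdraw the posted static: it shows every inside host to the DMZ as a
!    192.168.23.x address, i.e. inside the DMZ's own subnet, so DMZ hosts
!    treat those addresses as local instead of sending them to the PIX.
no static (inside,perimeter) 192.168.23.0 192.168.11.0 netmask 255.255.255.0
!
! 2. Exempt inside <-> DMZ traffic from translation. A nat 0 rule with an
!    access-list is matched before "nat (inside) 1", so inside hosts keep
!    their real 192.168.11.x address toward the DMZ, while Internet-bound
!    traffic still uses global pool 1 on the outside interface.
access-list nonat_inside_dmz permit ip 192.168.11.0 255.255.255.0 192.168.23.0 255.255.255.0
nat (inside) 0 access-list nonat_inside_dmz
!
! 3. Inside -> DMZ now passes on the security-level rule (higher to lower).
!    DMZ -> inside still needs explicit permission; the conduit names the
!    inside host by its real address, because no translation applies.
conduit permit tcp host 192.168.11.25 eq 1521 192.168.23.0 255.255.255.0
conduit permit icmp 192.168.11.0 255.255.255.0 192.168.23.0 255.255.255.0 echo-reply
!
! 4. Drop translations built under the old rules so the new ones take effect.
clear xlate
```

After applying this, `show xlate` should show no translation entry for an inside host talking to the DMZ (the entries that remain belong to Internet-bound flows through global pool 1), and the DMZ host should only be able to open the port the conduit names.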
--------------------------------------------------
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=55621&t=55608
