The idea of Glenn is fine, but the interface "real" has a lower security level than "inside". Therefore you must replace

nat (real) 0 access-list real

by

nat (inside) 0 access-list real

Your "global" entry for interface "real" is another way, depending on you, whatever you want.

dirk

Johnny Gonzalez wrote:
> Thanks, I resolved the problem with the next line.
>
> global (real) 1 q.w.r.4
>
> And the users in inside see the user in the real.
>
> I use PAT
>
> The lines of nat in real are in use.
>
> On Wed, 2002-01-09 at 18:32, Glenn Shiffer wrote:
> > Get rid of:
> >
> > nat (real) 0 q.w.r.5 255.255.255.255 0 0
> > nat (real) 0 q.w.r.6 255.255.255.255 0 0
> > nat (real) 0 q.w.r.7 255.255.255.255 0 0
> >
> > Instead use:
> >
> > nat (real) 0 access-list real
> >
> > access-list real permit ip 10.10.10.0 255.255.255.0 q.w.r.5 255.255.255.255
> > access-list real permit ip 10.10.10.0 255.255.255.0 q.w.r.6 255.255.255.255
> > access-list real permit ip 10.10.10.0 255.255.255.0 q.w.r.7 255.255.255.255
> >
> > You can tighten these as you need after you get things working.
> >
> > And, while you're at it, why these two lines?
> >
> > conduit permit tcp any range 1024 65535 any
> > conduit permit udp any range 1024 65535 any
> >
> > You may want to have a look at:
> >
> > http://www.cisco.com/warp/public/707/index.shtml#IOS
> >
> >
> > Glenn
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of Johnny Gonzalez
> > Sent: Wednesday, January 09, 2002 6:01 PM
> > To: bob bobing
> > Cc: Lista de firewall
> > Subject: Re: forwarding in interfaces ethernet
> >
> > I do not use syslog.
> > I have this configuration in my pix:
> >
> >
> > nameif ethernet0 outside security0
> > nameif ethernet1 inside security100
> > nameif ethernet2 real security10
> > interface ethernet0 auto
> > interface ethernet1 auto
> > interface ethernet2 auto
> > ip address outside x.y.z.130 255.255.255.192
> > ip address inside 10.10.10.1 255.255.255.0
> > ip address real q.w.r.1 255.255.255.0
> > global (outside) 1 a.b.c.1-a.b.c.253 netmask 255.255.255.0
> > global (outside) 1 a.b.c.254 netmask 255.255.255.0
> > nat (inside) 1 10.10.10.0 255.255.255.0 0 0
> > nat (real) 0 q.w.r.5 255.255.255.255 0 0
> > nat (real) 0 q.w.r.6 255.255.255.255 0 0
> > nat (real) 0 q.w.r.7 255.255.255.255 0 0
> > conduit permit icmp any any
> > conduit permit tcp any range 1024 65535 any
> > conduit permit udp any range 1024 65535 any
> >
> >
> > Thanks for your help.
> --
> Johnny Gonzalez Dominguez
> Ingenieria de Software
> Telecable Morelos
> Cuernavaca, Morelos
> Tel. (52)(777)3292475
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> ICQ #75046976
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
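An added example, not part of any post in this thread: a small Python audit of the two points raised above, that a `nat 0 access-list` exemption is bound to the interface the ACL's source network sits behind (Dirk's correction) and that the any-to-any tcp/udp conduits Glenn questions are flagged. The `audit` helper is hypothetical, and the sample config is constructed, with documentation addresses in place of the thread's masked ones.

```python
import ipaddress

# Constructed config: the thread's layout, with the masked octets replaced by
# documentation addresses (q.w.r.0/24 -> 192.0.2.0/24, x.y.z.130 -> 198.51.100.130).
SAMPLE = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 real security10
ip address outside 198.51.100.130 255.255.255.192
ip address inside 10.10.10.1 255.255.255.0
ip address real 192.0.2.1 255.255.255.0
nat (inside) 1 10.10.10.0 255.255.255.0 0 0
nat (real) 0 access-list real
access-list real permit ip 10.10.10.0 255.255.255.0 192.0.2.5 255.255.255.255
access-list real permit ip 10.10.10.0 255.255.255.0 192.0.2.6 255.255.255.255
conduit permit icmp any any
conduit permit tcp any range 1024 65535 any
conduit permit udp any range 1024 65535 any
"""

def audit(config):
    """Return (kind, detail) findings for a PIX-style config (hypothetical helper)."""
    level, subnet, acl_src, exempt, findings = {}, {}, {}, [], []
    for line in config.splitlines():
        w = line.split()
        if len(w) < 4:
            continue
        if w[0] == "nameif":
            level[w[2]] = int(w[3].replace("security", ""))
        elif w[:2] == ["ip", "address"]:
            subnet[w[2]] = ipaddress.ip_interface(f"{w[3]}/{w[4]}").network
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            # Only the "source mask dest mask" form used in the thread is handled.
            acl_src.setdefault(w[1], set()).add(ipaddress.ip_network(f"{w[4]}/{w[5]}"))
        elif w[0] == "nat" and w[2:4] == ["0", "access-list"]:
            exempt.append((w[1].strip("()"), w[4]))
        elif w[:2] == ["conduit", "permit"] and w[2] in ("tcp", "udp") and w[3] == w[-1] == "any":
            findings.append(("broad-conduit", line.strip()))
    # Assumption: a NAT exemption matches traffic entering the named interface,
    # so the ACL source must be a network behind that interface.
    for ifc, acl in exempt:
        for src in sorted(acl_src.get(acl, ())):
            if not src.subnet_of(subnet[ifc]):
                owner = next((i for i, n in subnet.items() if src.subnet_of(n)), "?")
                findings.append(("nat0-wrong-interface",
                                 f"nat ({ifc}) 0 access-list {acl}: source {src} is behind "
                                 f"{owner} (security{level.get(owner)}); use nat ({owner}) 0"))
    return findings

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE):
        print(f"{kind}: {detail}")
```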
