You will need to add a line or lines to your p1 access-list to permit the connections you wish to allow. For example:
access-list p1 permit tcp y.y.y.y 255.255.255.0 any

or, being more restrictive:

access-list p1 permit tcp y.y.y.y 255.255.255.0 any eq www

HTH
Glenn

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bruno F. Egger
Sent: Tuesday, February 19, 2002 10:23 AM
To: [EMAIL PROTECTED]
Subject: Problem with 3 interfaces on a PIX --Resent

Hello,

Am I thinking things in the wrong direction? I hope someone of you can give me a hint/advice.

We are using a PIX with, let's say, three interfaces. One interface connects the PIX to the outside (x.x.x.x), the other connects to a perimeter network p1 (y.y.y.y) and the third connects to the internal network (z.z.z.z).

The users on the internal network should be able to connect to external hosts as well as to hosts on the p1 network. The users on the p1 network should be able to connect to external hosts and to network printers, which are installed on the internal network.

To achieve this I defined a nat and global pool for our internal users to access the outside and a nat 0 statement to access the hosts on the p1 network. The users on the internal and the p1 network use the same global pool to access external hosts.

access-list inside2p1 permit ip z.z.z.0 255.255.255.0 y.y.y.0 255.255.255.0
nat (inside) 0 access-list inside2p1
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (p1) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 x.x.x.100 netmask 255.255.255.255

So far the users are able to reach any "external" hosts as intended.

Now I defined a static map for the network printer, so the users on the p1 network can connect to that printer.

static (inside,p1) y.y.y.10 z.z.z.10 netmask 255.255.255.255

And there is my problem. When I establish an access-list on the p1 interface that lets only the traffic for the network printer pass into the internal network, users on the p1 network are unable to access any outside host.

access-list p1 permit tcp y.y.y.y 255.255.255.0 host z.z.z.10 eq `printerport`
access-list p1 deny any any

Any suggestions how to overcome this?

TIA

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
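An added illustration, not from either poster, of why the original p1 list cuts off outbound traffic and what Glenn's second line changes: a small first-match evaluator for PIX-style access-list entries. It uses constructed RFC 5737/1918 addresses in place of the thread's x/y/z placeholders and assumes TCP 9100 for the unnamed `printerport`; it also shows that the `any` in `any eq www` is literal, so as far as the access-list alone is concerned it matches an inside destination on port 80 too.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed stand-ins for the thread's placeholders: y.y.y.0/24 = p1, z.z.z.10 = printer.
P1_NET = "192.0.2.0 255.255.255.0"
PRINTER = "10.0.0.10"
PRINTER_PORT = 9100  # assumption: the thread only writes `printerport`

class Ace(NamedTuple):
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # None = any destination port

def _addr(tokens):
    """Consume one PIX address spec: 'any', 'host A', or 'A MASK' (subnet mask, not wildcard)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' into an Ace."""
    t = line.split()
    src, rest = _addr(t[4:])
    dst, rest = _addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = 80 if rest[1] == "www" else int(rest[1])
    return Ace(t[2], t[3], src, dst, dport)

def evaluate(acl, proto, src_ip, dst_ip, dst_port):
    """First match wins, as on the PIX; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if (ace.proto in ("ip", proto) and s in ace.src and d in ace.dst
                and ace.dport in (None, dst_port)):
            return ace.action
    return "deny"

# Bruno's p1 access-list (the thread's 'deny any any' written with its protocol field)
BRUNO_ACL = [parse_ace(l) for l in (
    f"access-list p1 permit tcp {P1_NET} host {PRINTER} eq {PRINTER_PORT}",
    "access-list p1 deny ip any any",
)]
# Glenn's more restrictive line inserted ahead of the explicit deny
GLENN_ACL = [BRUNO_ACL[0], parse_ace(f"access-list p1 permit tcp {P1_NET} any eq www"), BRUNO_ACL[1]]
```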
