> Hello,
>
> Am I thinking things in the wrong direction? I hope someone of you can give me a hint/advice.
>
> We are using a PIX with, let's say, three interfaces. One interface connects the PIX to the outside (x.x.x.x), the other connects to a perimeter network p1 (y.y.y.y) and the third connects to the internal network (z.z.z.z). The users on the internal network should be able to connect to external hosts as well as to hosts on the p1 network. The users on the p1 network should be able to connect to external hosts and to network printers, which are installed on the internal network.
>
> To achieve this I defined a nat and global pool for our internal users to access the outside and a nat 0 statement to access the hosts on the p1 network. The users on the internal and the p1 network use the same global pool to access external hosts.
>
> access-list inside2p1 permit ip z.z.z.0 255.255.255.0 y.y.y.0 255.255.255.0
> nat (inside) 0 access-list inside2p1
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> nat (p1) 1 0.0.0.0 0.0.0.0 0 0
> global (outside) 1 x.x.x.100 netmask 255.255.255.255
>
> So far the users are able to reach any "external" hosts as intended. Now I defined a static map for the network printer, so the users on the p1 network can connect to that printer.
>
> static (inside,p1) y.y.y.10 z.z.z.10 netmask 255.255.255.255
>
> And there is my problem. When I establish an access-list on the p1 interface that lets only the traffic for the network printer pass into the internal network, users on the p1 network are unable to access any outside host.

That's because your last ACL is a deny any any. My suggestion is something like this:

static (inside,p1) y.y.y.10 z.z.z.10 netmask 255.255.255.255
access-list p1 permit tcp y.y.y.y 255.255.255.0 host z.z.z.10 eq `printerport`
access-list p1 deny ip any host z.z.z.10
access-list p1 permit ip any any

Regards
BF

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
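The following Python script is an added illustration, not part of the thread above. It models the rule evaluation BF's reply relies on: the access-list applied inbound on the p1 interface is walked top to bottom, the first matching entry wins, and anything that matches no entry hits the PIX's implicit deny at the end. That is why an access-list containing only the printer permit also blocks p1 users from reaching outside hosts. The script substitutes RFC 5737 documentation ranges for the x/y/z placeholders (p1 = 192.0.2.0/24, inside = 198.51.100.0/24, an outside host at 203.0.113.5) and assumes TCP 9100 for `printerport`; all test flows are constructed. It does not model NAT, so whether the entry on p1 has to name the real address z.z.z.10 or the mapped address y.y.y.10 depends on the PIX version and is not checked here. It goes one step beyond the reply by also evaluating a third list (my addition, not BF's) that denies the whole inside network rather than only the printer host, because the reply's closing `permit ip any any` still lets p1 users reach every other inside host.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port assumed for the thread's `printerport` placeholder (JetDirect raw printing).
PRINTER_PORT = 9100


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # from "eq PORT"; None means any port


def _parse_addr(tokens, i):
    """Consume one PIX address spec starting at tokens[i].

    Accepted forms: 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' (dotted mask).
    Returns (network, index of the next unconsumed token).
    """
    t = tokens[i]
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # strict=False tolerates host bits in the address, as the PIX does
    return ipaddress.IPv4Network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Parse 'access-list NAME ACTION PROTO SRC DST [eq PORT]' lines into Rules."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue                     # skip static/nat/blank lines
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def evaluate(rules, proto, src, dst, dport=None):
    """First matching rule wins; no match falls through to the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"                        # PIX implicit "deny ip any any"


# Constructed flows from a p1 host; the inside printer is 198.51.100.10.
FLOWS = {
    "p1_to_printer":            ("tcp", "192.0.2.7", "198.51.100.10", PRINTER_PORT),
    "p1_to_printer_other_port": ("tcp", "192.0.2.7", "198.51.100.10", 22),
    "p1_to_other_inside":       ("tcp", "192.0.2.7", "198.51.100.20", 445),
    "p1_to_outside":            ("tcp", "192.0.2.7", "203.0.113.5", 443),
}

# What the original poster described: only the printer is permitted.
ORIGINAL_ACL = f"""
access-list p1 permit tcp 192.0.2.0 255.255.255.0 host 198.51.100.10 eq {PRINTER_PORT}
"""

# BF's suggestion with the placeholders substituted.
REPLY_ACL = f"""
access-list p1 permit tcp 192.0.2.0 255.255.255.0 host 198.51.100.10 eq {PRINTER_PORT}
access-list p1 deny ip any host 198.51.100.10
access-list p1 permit ip any any
"""

# Added variant: deny the whole inside network, not just the printer host.
TIGHTER_ACL = f"""
access-list p1 permit tcp 192.0.2.0 255.255.255.0 host 198.51.100.10 eq {PRINTER_PORT}
access-list p1 deny ip any 198.51.100.0 255.255.255.0
access-list p1 permit ip any any
"""


def decisions(acl_text):
    """Return {flow_name: 'permit'|'deny'} for every constructed flow."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("reply", REPLY_ACL), ("tighter", TIGHTER_ACL)):
        print(label)
        for name, verdict in decisions(acl).items():
            print(f"  {name:<26} {verdict}")
```

Running it shows the three outcomes side by side: with the original list every p1 flow except the printer is denied, which is the reported symptom; with BF's list p1 users reach the outside again but can also reach 198.51.100.20, the other inside host; with the tighter list only the printer port on the inside and the outside remain reachable.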
