Re: Problem with 3 interfaces on a PIX

Dirk Pfau Wed, 20 Feb 2002 02:08:57 -0800

what did you do at your configuration? what's about the static entry? looking at
your "static", you want to connect the printer at ip address y.y.y.10!

the priority of nat is:

nat (interface) 0 access-list .....
static(interface1,interface2) x.x.x.x y.y.y.y netmask z.z.z.z
nat (interface) 1...

your static entry will not work, because your access-list "inside2p1" includes
this translation.
you can fix it by using the acl below instead

access-list inside2p1 deny ip host z.z.z.10 any
access-list inside2p1 permit ip z.z.z.0 255.255.255.0 y.y.y.0 255.255.255.0

be careful! at an earlier version, "deny" at acl on "nat (interface) 0
access-list ..." was used as "permit". actual versions are ok.

for extending your acl p1 you got right hints from other people. (and the acl
looks like, you are using x.x.x.10 instead)

dirk

"Bruno F. Egger" wrote:

> access-list inside2p1 permit ip z.z.z.0 255.255.255.0 y.y.y.0 255.255.255.0
>
> nat (inside) 0 access-list inside2p1
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> nat (p1) 1 0.0.0.0 0.0.0.0 0 0
>
> global (outside) 1 x.x.x.100 netmask 255.255.255.255
>
> static (inside,p1) y.y.y.10 z.z.z.10 netmask 255.255.255.255
>
> access-list p1 permit tcp y.y.y.y 255.255.255.0 host z.z.z.10 eq `printerport`
> access-list p1 deny any any

--
energis-ISION
Dirk Pfau
IP Network / iSecurity
Harburger Schlossstr. 1
D-21079 Hamburg

Fon: +49 40 77175-538

eMail: [EMAIL PROTECTED]
Web: http://www.energis-ision.com

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls

Re: Problem with 3 interfaces on a PIX

Reply via email to