Re: PIX Nat0 exclusions

From: john matijevic (john.matijevic@gmail.com)
Date: Fri Sep 16 2005 - 13:01:59 GMT-3


Hello Frank,
The issue has nothing to do with excluding that address from nonat; the
problem is with your configuration. You have:

static (inside,outside) 206.170.226.193 10.170.139.44 netmask 255.255.255.255 0 0

should be:

static (inside,outside) 10.170.139.44 206.170.226.193 netmask 255.255.255.255 0 0

Sincerely,
John

On 9/16/05, Frank Wells <fwells11@hotmail.com> wrote:
>
> I have just inherited a PIX that uses Nat0 because the company uses public
> ip addressing on their LAN. I am in the middle of converting them over to
> private (RFC 1918) addressing and have a subnet I now need to allow a
> static translation to. I have 4 internal subnets that I am using right now and
> the statements to give them Internet access are:
>
> nat (inside) 2 10.170.139.0 255.255.255.0 0 0
> nat (inside) 2 10.170.140.0 255.255.255.0 0 0
> nat (inside) 2 10.170.141.0 255.255.255.0 0 0
> nat (inside) 2 10.170.142.0 255.255.255.0 0 0
>
> I need to static the device on 10.170.139.44 to a public ip address. All
> the public address space is currently Nat0 but I need to use one of the
> addresses for the static nat.
>
> I tried using these statements but don't know why they work.
>
> For reference, here are the existing statements which Nat0 the existing
> address space:
>
> nat (inside) 0 access-list nonat
> access-list nonat permit ip 206.171.109.128 255.255.255.128 any
> access-list nonat permit ip 206.170.226.128 255.255.255.128 any
> access-list nonat permit ip 206.171.90.128 255.255.255.192 any
>
> static (inside,outside) 206.170.226.193 10.170.139.44 netmask 255.255.255.255 0 0
> conduit permit tcp host 206.170.226.193 eq www any
>
> Once I get the web access working over the static nat I will nail it down
> to specific source addresses but I can't even get wide open access to work.
>
> I can ping the 10.170.139.44 device from the PIX so internal routing is
> working fine.
>
> My thoughts are that because the IP address I want to use falls within the
> Nat0 range it is causing a problem. Can I exclude it from the Nat0 range
> and if so how?
>
> Could use some help please fellas...

--
John Matijevic, CCIE #13254
U.S. Installation Group
Senior Network Engineer
954-969-7160 ext. 1147 (office)
305-321-6232 (cell)
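Frank's underlying question is which rule the PIX will apply to a given inside host, and whether the chosen public address collides with the nat 0 exemption ranges. The script below is an added example for this thread, not code from either poster: it parses the `nat`, `access-list` and `static` lines quoted above, reports which rule an inside source address would hit, and flags any static whose mapped address lies inside a nat 0 range. The lookup order it assumes (nat 0 access-list exemption first, then static, then dynamic nat/global) is the one Cisco's documentation gives for PIX/ASA; verify it against the software version you run. It does not check command syntax and takes no position on the static argument order discussed in the thread.

```python
"""Audit PIX 6.x NAT rules: which rule an inside host hits, and whether a
static's mapped (public) address overlaps a nat 0 exemption range.

Added example for this thread, not code from either poster. Rule order
assumed: nat 0 access-list exemption, then static, then dynamic nat.
"""
import ipaddress
import re

# Constructed from the configuration lines quoted in the thread.
PIX_CONFIG = """
nat (inside) 0 access-list nonat
access-list nonat permit ip 206.171.109.128 255.255.255.128 any
access-list nonat permit ip 206.170.226.128 255.255.255.128 any
access-list nonat permit ip 206.171.90.128 255.255.255.192 any
nat (inside) 2 10.170.139.0 255.255.255.0 0 0
nat (inside) 2 10.170.140.0 255.255.255.0 0 0
nat (inside) 2 10.170.141.0 255.255.255.0 0 0
nat (inside) 2 10.170.142.0 255.255.255.0 0 0
static (inside,outside) 206.170.226.193 10.170.139.44 netmask 255.255.255.255 0 0
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) ")
NAT0_ACL_RE = re.compile(r"^nat \((\w+)\) 0 access-list (\S+)")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")


def _net(addr, mask):
    """Build a network from a PIX 'address mask' pair (mask in dotted form)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pix(config):
    """Return (exempt_networks, dynamic_rules, statics) from PIX 6.x lines.

    exempt_networks: source networks named by nat (x) 0 access-list ACLs
    dynamic_rules:   list of (nat_id, real_network)
    statics:         list of (mapped_ip, real_network)
    """
    acls = {}       # acl name -> list of permitted source networks
    nat0_acls = []  # acl names referenced by 'nat (ifc) 0 access-list'
    dynamic = []
    statics = []
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append(_net(m[2], m[3]))
        elif m := NAT0_ACL_RE.match(line):   # must precede NAT_RE
            nat0_acls.append(m[2])
        elif m := STATIC_RE.match(line):
            statics.append((ipaddress.ip_address(m[3]), _net(m[4], m[5])))
        elif m := NAT_RE.match(line):
            dynamic.append((int(m[2]), _net(m[3], m[4])))
    exempt = [net for name in nat0_acls for net in acls.get(name, [])]
    return exempt, dynamic, statics


def lookup(real_ip, exempt, dynamic, statics):
    """Name the rule that would translate traffic sourced from real_ip."""
    ip = ipaddress.ip_address(real_ip)
    if any(ip in net for net in exempt):
        return "nat 0 (exempt, no translation)"
    for mapped, real_net in statics:
        if ip in real_net:
            return f"static -> {mapped}"
    for nat_id, net in dynamic:
        if ip in net:
            return f"nat {nat_id} (dynamic)"
    return "no nat rule (dropped)"


def static_overlaps(exempt, statics):
    """Statics whose mapped address also lies inside a nat 0 exempt range.

    Such an address can be claimed both by the static and by a still
    public-addressed inside host that is passed through untranslated.
    """
    return [(str(mapped), str(net))
            for mapped, _ in statics for net in exempt if mapped in net]


if __name__ == "__main__":
    exempt, dynamic, statics = parse_pix(PIX_CONFIG)
    for host in ("10.170.139.44", "10.170.140.7", "206.170.226.150"):
        print(f"{host:18} {lookup(host, exempt, dynamic, statics)}")
    for mapped, net in static_overlaps(exempt, statics):
        print(f"warning: static mapped address {mapped} is inside nat 0 range {net}")
```

Run against the quoted config, the overlap check reports that 206.170.226.193 sits inside the nonat range 206.170.226.128/25, which is the collision Frank suspected; the lookup for 10.170.139.44 itself lands on the static, since that host is not a source in the nonat ACL.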


This archive was generated by hypermail 2.1.4 : Sun Oct 02 2005 - 14:40:15 GMT-3