From: Frank Wells (fwells11@hotmail.com)
Date: Fri Sep 16 2005 - 13:25:50 GMT-3
Thanks for that, John, but it didn't help unfortunately. Do I need a
matching conduit statement?
I tried adding these conduits but it is still not working...
conduit permit tcp host 206.170.226.193 eq www any
conduit permit tcp host 10.170.139.44 eq www any
-Frank
>From: john matijevic <john.matijevic@gmail.com>
>Reply-To: john matijevic <john.matijevic@gmail.com>
>To: Frank Wells <fwells11@hotmail.com>
>CC: ccielab@groupstudy.com
>Subject: Re: PIX Nat0 exclusions
>Date: Fri, 16 Sep 2005 12:01:59 -0400
>
>Hello Frank,
>The issue has nothing to do with excluding that address from nonat; the
>problem is with your configuration. You have:
>static (inside,outside) 206.170.226.193 10.170.139.44 netmask 255.255.255.255 0 0
> should be:
>static (inside,outside) 10.170.139.44 206.170.226.193 netmask 255.255.255.255 0 0
> Sincerely,
>John
>
> On 9/16/05, Frank Wells <fwells11@hotmail.com> wrote:
> >
> > I have just inherited a PIX that uses Nat0 because the company uses public
> > IP addressing on their LAN. I am in the middle of converting them over to
> > private (RFC 1918) addressing and have a subnet I now need to allow a static
> > translation to. I have 4 internal subnets that I am using right now and
> > the statements to give them Internet access are:
> >
> > nat (inside) 2 10.170.139.0 255.255.255.0 0 0
> > nat (inside) 2 10.170.140.0 255.255.255.0 0 0
> > nat (inside) 2 10.170.141.0 255.255.255.0 0 0
> > nat (inside) 2 10.170.142.0 255.255.255.0 0 0
> >
> > I need to static the device on 10.170.139.44 to a public IP address. All
> > the public address space is currently Nat0 but I need to use one of the
> > addresses for the static nat.
> >
> > I tried using these statements but don't know why they work.
> >
> > For reference, here are the existing statements which Nat0 the existing
> > address space:
> >
> > nat (inside) 0 access-list nonat
> > access-list nonat permit ip 206.171.109.128 255.255.255.128 any
> > access-list nonat permit ip 206.170.226.128 255.255.255.128 any
> > access-list nonat permit ip 206.171.90.128 255.255.255.192 any
> >
> > static (inside,outside) 206.170.226.193 10.170.139.44 netmask 255.255.255.255 0 0
> > conduit permit tcp host 206.170.226.193 eq www any
> >
> > Once I get the web access working over the static nat I will nail it down
> > to specific source addresses but I can't even get wide open access to work.
> >
> > I can ping the 10.170.139.44 device from the PIX so internal routing is
> > working fine.
> >
> > My thoughts are that because the IP address I want to use falls within the
> > Nat0 range it is causing a problem. Can I exclude it from the Nat0 range
> > and if so how?
> >
> > Could use some help please fellas...
> >
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
>
>
>
>--
>John Matijevic, CCIE #13254
>U.S. Installation Group
>Senior Network Engineer
>954-969-7160 ext. 1147 (office)
>305-321-6232 (cell)
>
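[Archive note, not part of the thread above.] Frank's question comes down to
whether the mapped (global) address of a static falls inside one of the
prefixes that the "nat (inside) 0 access-list nonat" exemption covers. The
script below is an added example written for this archive page; it is not
a tool from either poster or from Cisco. It parses only the two statement
shapes that appear in the thread (an "access-list ... permit ip <net> <mask>
any" ACE referenced by "nat (...) 0 access-list <name>", and a
"static (in,out) <mapped> <real> netmask <mask>" line, mapped address first
as posted) and reports every static whose mapped range overlaps an exempted
prefix. The embedded config is reconstructed from the statements Frank
posted; regex names and function names are this example's own.

```python
"""Find PIX statics whose mapped (global) address sits inside a nat 0 range.

Added example for the archived thread; not code from the posters or Cisco.
Handles only the statement shapes quoted in the thread.
"""
import ipaddress
import re

# Reconstructed from the config lines posted in the thread (constructed input).
SAMPLE_CONFIG = """
nat (inside) 0 access-list nonat
access-list nonat permit ip 206.171.109.128 255.255.255.128 any
access-list nonat permit ip 206.170.226.128 255.255.255.128 any
access-list nonat permit ip 206.171.90.128 255.255.255.192 any
nat (inside) 2 10.170.139.0 255.255.255.0 0 0
static (inside,outside) 206.170.226.193 10.170.139.44 netmask 255.255.255.255 0 0
"""

# nat (<ifc>) 0 access-list <name>
NAT0_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)")
# access-list <name> permit ip <network> <mask> any   (PIX uses real masks, not wildcards)
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+any")
# static (<real_ifc>,<mapped_ifc>) <mapped> <real> netmask <mask> ...
STATIC_RE = re.compile(r"^static\s+\((\S+),(\S+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")


def parse_config(text):
    """Return (exempt_networks, statics).

    exempt_networks: IPv4Network objects from ACEs referenced by a nat 0 line.
    statics: (mapped_ip, real_ip, mapped_network) tuples, one per static.
    """
    nat0_acls = set()
    aces = []
    statics = []
    for raw in text.splitlines():
        line = raw.strip()
        m = NAT0_RE.match(line)
        if m:
            nat0_acls.add(m.group(1))
            continue
        m = ACE_RE.match(line)
        if m:
            name, net, mask = m.groups()
            # ipaddress accepts dotted netmasks, e.g. "a.b.c.d/255.255.255.128"
            aces.append((name, ipaddress.ip_network(f"{net}/{mask}", strict=False)))
            continue
        m = STATIC_RE.match(line)
        if m:
            _real_ifc, _mapped_ifc, mapped, real, mask = m.groups()
            statics.append((
                ipaddress.ip_address(mapped),
                ipaddress.ip_address(real),
                ipaddress.ip_network(f"{mapped}/{mask}", strict=False),
            ))
    exempt = [net for name, net in aces if name in nat0_acls]
    return exempt, statics


def find_overlaps(text):
    """Return (mapped, real, exempt_prefix) strings for each static whose
    mapped range overlaps a nat 0 exemption prefix; [] when none do."""
    exempt, statics = parse_config(text)
    hits = []
    for mapped, real, mapped_net in statics:
        for net in exempt:
            if mapped_net.overlaps(net):
                hits.append((str(mapped), str(real), str(net)))
    return hits


if __name__ == "__main__":
    for mapped, real, net in find_overlaps(SAMPLE_CONFIG):
        print(f"static {mapped} -> {real} is inside nat 0 range {net}")
```

Run against the posted config it flags the one static (mapped 206.170.226.193
lies in 206.170.226.128/25); a static whose mapped address is outside all
three nonat prefixes produces no output. Whether the PIX then prefers the
exemption or the static is a question for the software version in use, which
the thread does not settle; the script only tells you that the overlap exists.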
This archive was generated by hypermail 2.1.4 : Sun Oct 02 2005 - 14:40:15 GMT-3