Re: PIX Nat0 exclusions

From: john matijevic (john.matijevic@gmail.com)
Date: Fri Sep 16 2005 - 13:34:55 GMT-3


Hello Frank,
You do not need the conduit commands. Make sure that you clear the xlate
table; you could have the old entry from before in there. If you require
additional assistance please contact offline.
Sincerely,
John

 On 9/16/05, Frank Wells <fwells11@hotmail.com> wrote:
>
> Thanks for that John but it didn't help unfortunately. Do I need a
> matching conduit statement?
>
> I tried adding these conduits but still not working...
>
> conduit permit tcp host 206.170.226.193 eq www any
> conduit permit tcp host 10.170.139.44 eq www any
>
> -Frank
>
> >From: john matijevic <john.matijevic@gmail.com>
> >Reply-To: john matijevic <john.matijevic@gmail.com>
> >To: Frank Wells <fwells11@hotmail.com>
> >CC: ccielab@groupstudy.com
> >Subject: Re: PIX Nat0 exclusions
> >Date: Fri, 16 Sep 2005 12:01:59 -0400
> >
> >Hello Frank,
> >The issue has nothing to do with excluding that address from nonat; the
> >problem is with your configuration. You have:
> >static (inside,outside) 206.170.226.193 10.170.139.44 netmask 255.255.255.255 0 0
> > should be:
> >static (inside,outside) 10.170.139.44 206.170.226.193 netmask 255.255.255.255 0 0
> > Sincerely,
> >John
> >
> > On 9/16/05, Frank Wells <fwells11@hotmail.com> wrote:
> > >
> > > I have just inherited a PIX that uses Nat0 because the company uses public
> > > ip addressing on their LAN. I am in the middle of converting them over to
> > > private (RFC 1918) addressing and have a subnet I now need to allow a static
> > > translation to. I have 4 internal subnets that I am using right now and
> > > the statements to give them Internet access are:
> > >
> > > nat (inside) 2 10.170.139.0 255.255.255.0 0 0
> > > nat (inside) 2 10.170.140.0 255.255.255.0 0 0
> > > nat (inside) 2 10.170.141.0 255.255.255.0 0 0
> > > nat (inside) 2 10.170.142.0 255.255.255.0 0 0
> > >
> > > I need to static the device on 10.170.139.44 to a public ip address. All
> > > the public address space is currently Nat0 but I need to use one of the
> > > addresses for the static nat.
> > >
> > > I tried using these statements but don't know why they work.
> > >
> > > For reference, here are the existing statements which Nat0 the existing
> > > address space:
> > >
> > > nat (inside) 0 access-list nonat
> > > access-list nonat permit ip 206.171.109.128 255.255.255.128 any
> > > access-list nonat permit ip 206.170.226.128 255.255.255.128 any
> > > access-list nonat permit ip 206.171.90.128 255.255.255.192 any
> > >
> > > static (inside,outside) 206.170.226.193 10.170.139.44 netmask 255.255.255.255 0 0
> > > conduit permit tcp host 206.170.226.193 eq www any
> > >
> > > Once I get the web access working over the static nat I will nail it down
> > > to specific source addresses but I can't even get wide open access to work.
> > >
> > > I can ping the 10.170.139.44 device from the PIX so internal routing is
> > > working fine.
> > >
> > > My thoughts are that because the IP address I want to use falls within the
> > > Nat0 range it is causing a problem. Can I exclude it from the Nat0 range
> > > and if so how?
> > >
> > > Could use some help please fellas...
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> > >
> >

--
John Matijevic, CCIE #13254
U.S. Installation Group
Senior Network Engineer
954-969-7160 ext. 1147 (office)
305-321-6232 (cell)
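Frank's closing question is whether a static whose mapped address sits inside the nonat range can be excluded from it. On PIX 6.x the translation lookup checks NAT exemption (nat 0 access-list) before static translations, and exemption applies in both directions, so an inbound packet for 206.170.226.193 is matched against the nonat ACL and exempted before the static is ever consulted. The Python below is an added example, not code from the thread: it models that lookup order on the statements quoted above and contrasts them with a copy that carries a deny entry for the mapped address ahead of the permits. The lookup-order model, the deny line and the sample addresses are the example's own assumptions.

```python
"""Toy model of PIX 6.x translation lookup for the thread's configuration.

Added example, not from the thread. Assumed ordering: NAT exemption
(nat 0 access-list) first and in both directions, then static translations,
then the dynamic nat/global pools. The xlate table is not modelled.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    source: ipaddress.IPv4Network    # source field of the nonat ACL entry


@dataclass
class PixNat:
    nonat: list = field(default_factory=list)    # entries of access-list nonat
    statics: dict = field(default_factory=dict)  # mapped (outside) -> real (inside)


def parse_source(tokens):
    """Parse an ACL address spec: 'host A.B.C.D', 'any', or 'A.B.C.D M.M.M.M'."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1])
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")


def load_config(text):
    """Pick the nat 0 ACL entries and static lines out of a PIX config fragment."""
    cfg = PixNat()
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["access-list", "nonat"]:
            # access-list nonat <permit|deny> ip <source> <destination>
            cfg.nonat.append(AclEntry(t[2], parse_source(t[4:])))
        elif t[0] == "static":
            # static (inside,outside) <mapped> <real> netmask <mask> ...
            cfg.statics[t[2]] = t[3]
    return cfg


def exempt_match(cfg, inside_ip):
    """First-match walk of access-list nonat against the inside-side address.

    Exemption is bidirectional: for an inbound packet the destination is
    compared with the ACL's source field, so a mapped address lying inside a
    permitted range is exempted before any static is consulted.
    """
    addr = ipaddress.ip_address(inside_ip)
    for entry in cfg.nonat:
        if addr in entry.source:
            return entry.action == "permit"
    return False


def translate_inbound(cfg, dst_ip):
    """Outside -> inside: which inside address receives a packet sent to dst_ip?"""
    if exempt_match(cfg, dst_ip):
        return ("exempt", dst_ip)            # forwarded untranslated
    if dst_ip in cfg.statics:
        return ("static", cfg.statics[dst_ip])
    return ("drop", None)                     # no xlate exists for the flow


def translate_outbound(cfg, src_ip):
    """Inside -> outside: which source address does the outside see?"""
    if exempt_match(cfg, src_ip):
        return ("exempt", src_ip)
    real_to_mapped = {real: mapped for mapped, real in cfg.statics.items()}
    if src_ip in real_to_mapped:
        return ("static", real_to_mapped[src_ip])
    return ("dynamic", "global pool 2")      # nat (inside) 2 / global (outside) 2


# Constructed from the statements quoted in the thread (autolink debris removed).
THREAD_CONFIG = """
nat (inside) 0 access-list nonat
access-list nonat permit ip 206.171.109.128 255.255.255.128 any
access-list nonat permit ip 206.170.226.128 255.255.255.128 any
access-list nonat permit ip 206.171.90.128 255.255.255.192 any
static (inside,outside) 206.170.226.193 10.170.139.44 netmask 255.255.255.255 0 0
"""

# Same statements with a deny for the static's mapped address placed ahead of
# the permits (the exclusion Frank asks about; an assumption of this example).
EXCLUDED_CONFIG = """
nat (inside) 0 access-list nonat
access-list nonat deny ip host 206.170.226.193 any
access-list nonat permit ip 206.171.109.128 255.255.255.128 any
access-list nonat permit ip 206.170.226.128 255.255.255.128 any
access-list nonat permit ip 206.171.90.128 255.255.255.192 any
static (inside,outside) 206.170.226.193 10.170.139.44 netmask 255.255.255.255 0 0
"""

if __name__ == "__main__":
    for name, text in (("as quoted", THREAD_CONFIG), ("with deny", EXCLUDED_CONFIG)):
        cfg = load_config(text)
        print(name, "inbound to 206.170.226.193 ->", translate_inbound(cfg, "206.170.226.193"))
        print(name, "outbound from 10.170.139.44 ->", translate_outbound(cfg, "10.170.139.44"))
```

With the statements as quoted, an inbound packet for 206.170.226.193 is reported as exempt: it is forwarded untranslated toward an address that does not exist on the inside, which matches Frank's own diagnosis. With the deny entry in front of the permits the same packet falls through to the static and reaches 10.170.139.44, while the rest of the public ranges stay exempt and the RFC 1918 subnets keep using the dynamic pool. The model has no xlate table; on a real PIX an existing entry survives a nat or static change, which is why John's advice to clear xlate after editing these statements applies regardless of which fix is used.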


This archive was generated by hypermail 2.1.4 : Sun Oct 02 2005 - 14:40:15 GMT-3