From: mani poopal (mani_ccie@yahoo.com)
Date: Sat Dec 17 2005 - 13:52:07 GMT-3
Thanks for getting back to me. So if I use the following commands, will I be able to initiate a session from the inside pc or a session from the outside pc? Pls look at the earlier diagram in the original post. I am going to do it in a test. The point is, without configuring static, will these commands allow for a session between both PCs?
=========================================
nat (inside) 0 acl 101
acl 101 permit 10.20.1.0/24 10.10.1.0/24(inside to outside)
access-list inbound permit ip 10.10.1.0/24 10.20.1.0/24
access-group inbound in interface outside
access-list outbound permit ip 10.20.1.0/24 10.10.1.0/24
access-group outbound in interface inside
================================
in my earlier test I had
nat (inside) 0 10.20.1.0 255.255.255.0 not with access-list
thanks
Mani
"Griffith, Darlene Ms DOIM/IMSE-STW-IM" <darlene.griffith1@us.army.mil> wrote:
Make your nat 0 associate to an access-list. Then build that access-list to
provide nat exemption in both directions. The list may seem a little odd in
that it won't be a true source/destination. The source will always be the
inside address. There must also be a corresponding ACE in your inside (for
outbound exemption) and outside (for inbound) which will permit specific
ports/protocols.
--------------------------
Sent from my BlackBerry Wireless Handheld
Service provided by Ft.Stewart, GA
Home of the 3rd Infantry Division
-----Original Message-----
From: mani poopal
To: ccielab@groupstudy.com
Sent: Sat Dec 17 09:19:12 2005
Subject: OT: PIX INBOUND ACCESS
pc_A 10.10.1.10/24 ---------------- eo(10.10.1.1) PIX e1(10.20.1.1) ----------------- pc_B 10.20.1.10
Hi Guys,
I have a special requirement where pc_A must talk to pc_B without any
address translation. I made pc_B talk to pc_A by giving the nat (inside) 0
10.20.1.0 255.255.255.0 command. I was able to ping from 10.20.1.10 to
10.10.1.10 and not the other way around. I configured proper access-lists on
the pix and applied them for communication, and proper default gateways for a pc.
The addresses we are talking about here are private and nothing about internet
IPs.
So my question: how can we make an inbound connection (from 10.10.1.10 to
10.20.1.10) without any address translation and without giving any
static/conduit commands? When 10.10.1.10 communicates with 10.20.1.10,
10.20.1.10 should see the packets coming from 10.10.1.10 (NO ADDRESS
TRANSLATION is allowed). I couldn't find the desired config on
cisco.com.
I DONT WANT TO USE static (inside, outside) 10.20.1.0 10.20.1.0 command
ps:guys eo is outside, e1 is inside and we are talking about access from
low security interface to high security interface.
thanks
Mani
B.ENG,MCSE,CCNP,CCSP,CCIE#14645
(416)431 9929
MANI_CCIE@YAHOO.COM
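
The NAT exemption described in the reply above, written out as an added example in PIX 6.x syntax; it is not part of the original thread. Interfaces and subnets come from the diagram, while the ACL name `nonat` and the TCP/22 service are assumptions for illustration.

```cisco
! Added example, not from the thread. outside = 10.10.1.0/24, inside = 10.20.1.0/24.
! PIX ACLs take a subnet mask (255.255.255.0), not /24 notation.

! Identity NAT from the earlier test: only the inside host could start a session.
! Remove it and flush existing translation slots before switching.
no nat (inside) 0 10.20.1.0 255.255.255.0
clear xlate

! NAT exemption: the ACL source is always the inside network, even though
! the exemption applies to sessions started from either side.
! "nonat" is an assumed ACL name.
access-list nonat permit ip 10.20.1.0 255.255.255.0 10.10.1.0 255.255.255.0
nat (inside) 0 access-list nonat

! Outside ACL: exemption alone does not permit traffic from the lower
! security interface. Permit only the protocols pc_A actually needs.
! echo       = pings started by pc_A
! echo-reply = replies to pings started by pc_B
access-list inbound permit icmp 10.10.1.0 255.255.255.0 10.20.1.0 255.255.255.0 echo
access-list inbound permit icmp 10.10.1.0 255.255.255.0 10.20.1.0 255.255.255.0 echo-reply
! TCP/22 is an assumed example service, not a requirement from the thread.
access-list inbound permit tcp host 10.10.1.10 host 10.20.1.10 eq 22
access-group inbound in interface outside

! If an ACL is also bound to the inside interface (as with "outbound" above),
! it needs matching permits for the same flows in the other direction.
```

After a test from each PC, `show access-list inbound` shows which entries are taking hits, and `show xlate` shows the translation slots in use.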
This archive was generated by hypermail 2.1.4 : Mon Jan 09 2006 - 07:07:51 GMT-3