From: mani poopal (mani_ccie@yahoo.com)
Date: Sat Dec 17 2005 - 15:06:34 GMT-3
Thanks a lot it works,
so there is a difference between
nat (inside) 0 10.20.0.0
&
nat (inside) 0 access-list nonat
access-list nonat permit ip 10.20.0.0/24 10.10.0.0/24
tks
Mani
"Griffith, Darlene Ms DOIM/IMSE-STW-IM" <darlene.griffith1@us.army.mil> wrote:
Make your nat 0 associate to an access-list. Then build that access-list to
provide nat exemption in both directions. The list may seem a little odd in
that it won't be a true source/destination. The source will always be the
inside address. There must also be a corresponding ACE in your inside (for
outbound exemption) and outside (for inbound) which will permit specific
ports/protocols.
--------------------------
Sent from my BlackBerry Wireless Handheld
Service provided by Ft.Stewart, GA
Home of the 3rd Infantry Division
-----Original Message-----
From: mani poopal
To: ccielab@groupstudy.com
Sent: Sat Dec 17 09:19:12 2005
Subject: OT: PIX INBOUND ACCESS
pc_A10.10.1.10/24----------------eo(10.10.1.1)PIX-----------------pc_B10.20.1.10
e1(10.20.1.1)
Hi Guys,
I have a special requirement where pc_A must talk to pc_B without any
address translation. I made pc_B talk to pc_A by giving nat (inside) 0
10.20.1.0 255.255.255.0 command. I was able to ping from 10.20.1.10 to
10.10.1.10 and not the other way around. I configured proper access-lists on
the pix and applied for communication and proper default gateways for a pc.
The addresses we are talking here are private and nothing about internet
ip.s.
So my question, how can we make inbound connection(from 10.10.1.10 to
10.20.1.10) without any address translation and without giving any
static/conduit commands. When 10.10.1.10 communicates with 10.20.1.10,
10.20.1.10 should see the packets coming from 10.10.1.10(NO ADDRESS
TRANSLATION is allowed). I couldn't find the desired config in the
cisco.com.
I DON'T WANT TO USE static (inside, outside) 10.20.1.0 10.20.1.0 command
ps:guys eo is outside, e1 is inside and we are talking about access from
low security interface to high security interface.
thanks
Mani
B.ENG,MCSE,CCNP,CCSP,CCIE#14645
(416)431 9929
MANI_CCIE@YAHOO.COM
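
Added example, not part of the original thread or written by its participants: the two nat 0 forms discussed above, written out for the topology in the original message (outside 10.10.1.0/24, inside 10.20.1.0/24). The ACL name outside_in and the ICMP echo permit are assumptions chosen for illustration; nonat is the name used in the reply.

```cisco
! Added example (not from the thread), PIX 6.x-style syntax.
! Topology from the original message:
!   outside (e0) = 10.10.1.0/24, inside (e1) = 10.20.1.0/24

! --- Form 1: identity NAT (the command in the original post) ---
! Inside addresses leave untranslated, but the translation is only
! created when an inside host sends traffic first. A connection opened
! from the outside is not passed because of this command, which matches
! the one-way ping described in the post.
nat (inside) 0 10.20.1.0 255.255.255.0

! --- Form 2: NAT exemption (the form the reply recommends) ---
! Remove the identity NAT statement before adding the exemption.
no nat (inside) 0 10.20.1.0 255.255.255.0

! The exemption ACL is always written with the inside network as the
! source, even though it also covers connections started from outside.
! It matches on IP addresses only, so it carries no port numbers.
access-list nonat permit ip 10.20.1.0 255.255.255.0 10.10.1.0 255.255.255.0
nat (inside) 0 access-list nonat

! NAT exemption only removes translation; it does not permit traffic.
! Low-to-high security traffic still needs an explicit permit on the
! outside interface. Keep it to the specific hosts and protocol needed.
! (outside_in and the ICMP echo entry are assumptions for this example.)
access-list outside_in permit icmp host 10.10.1.10 host 10.20.1.10 echo
access-group outside_in in interface outside

! Flush existing translations so the new NAT policy takes effect,
! then check that the exemption ACL is being hit.
clear xlate
show access-list nonat
```

If an ACL is also applied to the inside interface, it needs a matching permit for the outbound direction, as the reply points out.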
This archive was generated by hypermail 2.1.4 : Mon Jan 09 2006 - 07:07:51 GMT-3