From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Wed Dec 19 2007 - 03:52:17 ART
Tim, I would suggest first clearing your dynamic NAT configuration and testing.
'clear configure nat' and 'clear configure global' should do it for ya; of
course, back up your old config before you do this :).
The PIX/ASA has strange criteria for evaluating translations once dynamic NAT
is configured, even if nat-control is disabled (which is the default
anyway).
Also try the 'packet-tracer' command with the input interface as inside, and
any two private subnets (that you want to hair-pin) as the source and
destination, and see what you get. If it gets stuck in the translation
rule check phase, you can do one of the following:
i) global (inside) 1 interface
ii) NAT exemption nat (inside) 0 access-list abc (note the 'zero' for NAT
exemption)
access-list abc permit ip <inside-subnet-1> <inside-subnet-2>
Regards
Farrukh
On Dec 19, 2007 9:17 AM, Tim Curci <timcurci@roadrunner.com> wrote:
> I am having trouble hairpinning to several private networks behind
> ethernet 1 (security 100) on a PIX515E-UR running 8.0 code.
>
> I have enabled same-security-traffic permit intra-interface, nat-control
> is off, and I have tried several versions of NAT including:
>
> nat (inside) 1 0.0.0.0 0.0.0.0
> global (outside) 1 interface
>
> nat (inside) 2 access-list xxx
> global (inside) 2 interface
>
> Any ideas?
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
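A complete version of the NAT-exemption option Farrukh outlines, added here as an example and not taken from either message. The subnet addresses, the ACL name HAIRPIN_NONAT and the inside next-hop router are assumptions; the commands are PIX/ASA 8.0 syntax.

```cisco
! Added example: hairpinning two inside subnets on a PIX/ASA 8.0 using NAT exemption.
! Interface names, subnets and the next hop below are assumed, not from the thread.

! 1. Allow a flow to enter and leave the same interface (required for hairpinning).
same-security-traffic permit intra-interface

! 2. Start clean if an old dynamic NAT rule is suspected of claiming the flow
!    (save the running config first).
clear configure nat
clear configure global

! 3. The two private subnets behind ethernet1 (assumed addresses). Each needs a
!    route back out the inside interface to the internal router (assumed 10.0.0.2),
!    otherwise the hairpinned packet has no egress path.
route inside 192.168.10.0 255.255.255.0 10.0.0.2 1
route inside 192.168.20.0 255.255.255.0 10.0.0.2 1

! 4. NAT exemption: traffic between the two inside subnets is not translated.
!    The ID is 0, which is what marks this as exemption rather than a dynamic pool;
!    the exemption applies to both directions of the flow.
access-list HAIRPIN_NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list HAIRPIN_NONAT

! 5. Re-add ordinary dynamic NAT for Internet-bound traffic. nat 0 is evaluated
!    before the dynamic rules, so inside-to-inside flows never reach this one.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! 6. Verify with an inside-to-inside TCP flow (assumed hosts). Every phase should
!    report ALLOW and the output interface should be inside; a DROP in the NAT
!    phase means a dynamic rule still intercepts the traffic.
packet-tracer input inside tcp 192.168.10.5 12345 192.168.20.5 80 detailed
```

If packet-tracer passes but real traffic still fails, 'show xlate' will show whether the inside hosts are being translated by a rule that the exemption did not cover.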
This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:31 ARST