From: Paul Dardinski (pauld@marshallcomm.com)
Date: Thu Dec 20 2007 - 07:59:53 ART
Yes, exemption would be the choice. I had meant using identity just to
confirm he could get the intra-interface working.
PD (#16842)
-----Original Message-----
From: SAMARTH [mailto:samarth_04@hotmail.com]
Sent: Wednesday, December 19, 2007 8:54 AM
To: Paul Dardinski; 'Tim Curci'; ccielab@groupstudy.com
Subject: RE: same-security-traffic permit intra-interface
Wouldn't NAT exemption work better instead of identity NAT?
Best Wishes,
C SAMARTH
CCIE #18535
CCSP CCNP CCNA
MCSE MCSD SCSA1
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Paul Dardinski
Sent: Wednesday, December 19, 2007 1:18 PM
To: Tim Curci; ccielab@groupstudy.com
Subject: RE: same-security-traffic permit intra-interface
Tim,
The NAT config you have defined will only affect traffic going
inter-interface (inside-outside). The issue is that you have enabled nat
for all inside to translate to outside. You don't list the contents of
your acl, but no matter what since you have defined nat for all interior
paths (0 0), you most likely are dropping your intra-interface traffic.
One possibility is to use identity nat for the intra-interface traffic
and that should fix your issue.
PD (#16842)
-----Original Message-----
From: nobody@groupstudy.com on behalf of Tim Curci
Sent: Wed 12/19/2007 1:17 AM
To: ccielab@groupstudy.com
Cc:
Subject: same-security-traffic permit intra-interface
I am having trouble hairpinning to several private networks behind
ethernet 1 (security 100) on a PIX515E-UR running 8.0 code.
I have enabled same-security-traffic permit intra-interface,
nat-control is off and I have tried several versions of NAT including:
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
nat (inside) 2 access-list xxx
global (inside) 2 interface
Any ideas?
This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:31 ARST
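
An added example, not part of the original thread: a PIX 8.0-style configuration fragment showing the NAT exemption approach the replies settle on, placed beside the catch-all dynamic NAT from the original question. The ACL name HAIRPIN-NONAT and the networks 10.1.0.0/16 and 10.2.0.0/16 are assumed placeholders, since the thread gives neither the real networks nor the ACL contents.

```cisco
! Constructed example: ACL name and networks are placeholders.
!
! Allow traffic to enter and leave the same interface (from the thread).
same-security-traffic permit intra-interface
!
! Catch-all dynamic PAT for inside hosts going outside (from the thread).
! On its own, this rule also matches inside-to-inside traffic, which has
! no matching "global (inside) 1" pool to translate into.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! NAT exemption: nat 0 with an access-list is evaluated before the
! dynamic nat 1 rule, so traffic between the private networks behind
! the inside interface is forwarded untranslated.
! Keep the ACL limited to the networks that actually need to hairpin.
access-list HAIRPIN-NONAT extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list HAIRPIN-NONAT extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list HAIRPIN-NONAT
```

After changing NAT rules, `clear xlate` removes existing translations so the new rules apply to current hosts.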