Re: VPN Overlapping issue

From: manoj prajapati <manoj4784_at_gmail.com>
Date: Fri, 9 Oct 2009 19:36:47 +0530

Nope, there is no inside ACL.

It's strange, when I remove

access-list nonat permit ip host 10.2.2.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat

then I am able to ping the cust2 private IP but unable to browse (meaning
nothing is happening, every port is blocked, like 80, 21, 23, etc.)

When I apply this configuration, then I am able to browse the internet (now
every port is opened) but unable to ping or get to the remote side.

Hope you get me.

Regards,
Manoj

On Fri, Oct 9, 2009 at 7:13 PM, Ryan West <rwest_at_zyedge.com> wrote:

> You could do a show xlate, but at this point from what you've posted, it
> should be able to get out to Internet fine. Might want to verify what your
> DNS settings are and possibly any inside ACLs.
>
>
>
> -ryan
>
>
>
> *From:* manoj prajapati [mailto:manoj4784_at_gmail.com]
> *Sent:* Friday, October 09, 2009 1:10 AM
>
> *To:* Ryan West
> *Cc:* cisco_at_groupstudy.com; Cisco certification
> *Subject:* Re: VPN Overlapping issue
>
>
>
> Hi Ryan,
>
> Yes, each customer has an individual internet connection.
>
> As mentioned in your earlier mail, is it necessary to change the cust2
> private IP address? Because cust2 has a different IP range.
>
> Here is the config I have done on the PIX:
>
> static (inside,outside) 10.2.3.0 access-list TICTAC
> access-list TICTAC permit ip 10.2.2.0 255.255.255.0 10.10.10.0 255.255.255.0
>
> crypto ACL:
> access-list crypto permit ip 10.2.3.0 255.255.255.0 10.10.10.0 255.255.255.0
>
> access-list nonat permit ip host 10.2.2.0 255.255.255.0 10.10.10.0 255.255.255.0
> nat (inside) 0 access-list nonat
>
>
> show run | i global|nat|access-list
>
> global (outside) 1 interface
> nat (inside) 0 access-list nonat
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
>
> On the cust2 (Checkpoint) side they have allowed 3 IPs: 10.2.3.1, 10.2.3.2 and
> 10.2.3.3
>
>
> Regards,
> Manoj
>
>
> On Thu, Oct 8, 2009 at 7:20 PM, Ryan West <rwest_at_zyedge.com> wrote:
>
> Manoj,
>
>
>
> Do each of the customers have their connection to the internet or is cust1
> getting Internet via cust2? If cust1 has a connection to the internet, then
> you're probably just missing a NAT statement for traffic that doesn't fall
> within the NAT access-list profile. You'll also have to define a global for
> it as well. If you do have an Internet connection at cust1, please post the
> following sanitized output:
>
>
>
> show ip
>
> show run | i global|nat|access-list
>
>
>
> If it does not have a direct Internet connection, please explain the
> topology in greater detail.
>
>
>
> -ryan
>
>
>
> *From:* manoj prajapati [mailto:manoj4784_at_gmail.com]
> *Sent:* Thursday, October 08, 2009 3:03 AM
> *To:* Ryan West
>
>
> *Cc:* cisco_at_groupstudy.com; Cisco certification
> *Subject:* Re: VPN Overlapping issue
>
>
>
> Hi Ryan,
>
>
>
> Very good explanation. Done the same as you have said.
>
>
>
> Now I am able to ping the customer end (CUST2) server. But, *Unable to
> browse internet* from Cust1. Is there anything to do with? Applied and
> removed the nonat statement. Nothing is happening.
>
>
>
> > > the private ip address is ,
>
>
> > > Cust1 ---- 10.2.2.0 (PIX)
> > > Cust2 ---- 10.10.10.0 (Checkpoint Nokia)
> > > Cust3 ---- 10.2.2.0 (ASA)
> > >
> > > connectivity is Cust1 ---- Cust2 ---- Cust3
> > > | | |
> > > 10.2.2.0 10.10.10.0 10.2.2.0

Received on Fri Oct 09 2009 - 19:36:47 ART
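
Added example, not part of the original thread: a small Python model of how the posted rules interact for VPN-bound traffic, using the PIX NAT precedence (nat 0 access-list first, then static, then nat/global). Assumptions: the "nonat" entry is read as the 10.2.2.0/24 subnet, 192.0.2.1 is a placeholder for the outside interface address, and the model covers only the translation and crypto ACL match, not the browsing symptom.

```python
import ipaddress

# Networks transcribed from the configuration posted in the thread.
INSIDE = ipaddress.ip_network("10.2.2.0/24")   # cust1 real subnet
MAPPED = ipaddress.ip_network("10.2.3.0/24")   # policy-static mapped subnet
REMOTE = ipaddress.ip_network("10.10.10.0/24") # cust2 subnet

NONAT = [(INSIDE, REMOTE)]   # access-list nonat (assumed to mean the /24)
TICTAC = [(INSIDE, REMOTE)]  # access-list TICTAC, used by the policy static
CRYPTO = [(MAPPED, REMOTE)]  # access-list crypto
OUTSIDE_IP = ipaddress.ip_address("192.0.2.1")  # placeholder, "global (outside) 1 interface"


def matches(acl, src, dst):
    """True if any (source net, destination net) entry covers the flow."""
    return any(src in s and dst in d for s, d in acl)


def translate(src, dst, nonat_applied):
    """Return (translated source, rule) in PIX order: exemption, static, dynamic."""
    if nonat_applied and matches(NONAT, src, dst):
        return src, "nat 0 (exempt)"            # source leaves untranslated
    if matches(TICTAC, src, dst):
        offset = int(src) - int(INSIDE.network_address)
        return MAPPED.network_address + offset, "policy static"
    return OUTSIDE_IP, "nat 1 / global PAT"


def outcome(src, dst, nonat_applied):
    """Translated source, rule used, and whether the crypto ACL selects the flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    xsrc, rule = translate(src, dst, nonat_applied)
    tunnel = "encrypted" if matches(CRYPTO, xsrc, dst) else "clear"
    return str(xsrc), rule, tunnel


if __name__ == "__main__":
    for nonat in (True, False):
        print("nonat applied:", nonat, outcome("10.2.2.1", "10.10.10.5", nonat))
```

With the exemption in place the source stays 10.2.2.1, which the crypto ACL (10.2.3.0/24 to 10.10.10.0/24) does not match, so the flow is not selected for the tunnel; without it the policy static maps the source to 10.2.3.1 and the crypto ACL matches.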
