Hi William, You're close I think...
--- On Tue, 13/1/09, William <wil...@gmail.com> wrote:

> From: William <wil...@gmail.com>
> Subject: [c-nsp] PIX 6x translation issue
> To: "cisco-nsp@puck.nether.net" <cisco-nsp@puck.nether.net>
> Date: Tuesday, 13 January, 2009, 2:12 AM
>
> Hi there chaps,
>
> I have a PIX running 6x software with 3 interfaces:
>
> outside - sec0 (public IP address)
> inside - sec100 (10.1.1.253/24)
> office - sec90 (10.75.4.253/24)
>
> What I'm trying to figure out is how I can get hosts on the office
> network to access hosts on the inside network without their addresses
> being translated. I've built an access-list and applied it to the
> office interface which is straightforward and I've added the
> following static:
>
> static (office,inside) 10.75.4.0 10.75.4.0 netmask 255.255.255.0 0 0

I believe you need "static (inside, office)".

> However I'm not getting any connectivity, so I added:
>
> access-list office_outbound_nat0_acl permit ip host 10.75.4.1 10.1.1.0 255.255.255.0
> nat (office) 0 access-list office_outbound_nat0_acl

If you create the static properly, you won't need the "nat 0" statement.

You need to remember the rules:

* If you want to allow OUTSIDE hosts in, then use "static" + "acl" commands. This also allows INSIDE hosts out using the same static if it's applicable and ACLs allow it.
* If you want to allow INSIDE hosts out, then use "global" + "nat" commands.

I'm using OUTSIDE & INSIDE to refer to generic lower or higher security interfaces.

I've probably confused you now, this document explains it a lot better:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml

regards,
Tony.