I posted this question once before; however, none of the advice mentioned worked, so I am going to post it again hoping that I might be able to get a correct answer this time. By the way, please don't tell me to change the default route because everything works. The PIX can ping the Internet just fine. Furthermore, I have a workstation on the 66.61.46.0/24 network (66.61.46.150) and that machine can reach the Internet just fine. There is no connectivity problem except for the fact that the machines from the "inside" interface can NOT browse the Internet. Why it doesn't work is a mystery to me. Another thing, this is a TEST network so everything is wide open at the moment. Please help.
I am having a problem setting up a network in this scenario with my PIX515-UR firewall running version 6.1(1) with pdm version 1.1(2). I have a network with REGISTERED IP addresses. The "inside" interface of the PIX is on the 129.174.1.0/24 network with IP address of 129.174.1.254. The "outside" interface of the PIX is on the 66.61.46.0/24 network with IP address of 66.61.46.120. The "inside" interface has a security level of 100 and the "outside" interface has a security level of 0. On the "inside" internal network, I have 10 workstations ranging from 129.174.1.1-10. These workstations have the default gateway pointing to the "inside" interface of the PIX. I understand that for machines from the "inside" network to access the Internet, the commands "nat" and "global" must be used. However, since all of my machines have valid (aka registered) IP addresses, I want to disable NAT completely. For example, I want machine 129.174.1.1 to be able to browse and ping any machine on the Internet. At the same time, I don't want users from the Internet to be able to access any of the workstations on the "inside" interface. I have been searching for documentation on the Cisco website but it seems like most of the examples have to do with NAT enabled. There are a few examples that disable NAT but they are related to VPN, which is something I don't want. Furthermore, most of the examples are filled with errors and are pretty worthless (for PIX anyway). If anyone has done this before, let me know. I also include a copy of the config. Thanks.
David

PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password sdfkjfdjjdfjksdf encrypted
passwd sdfjksdfkjsdfjksjf encrypted
hostname ciscopix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list no-nat-list permit ip any any
access-list no-nat-list permit icmp any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 66.61.46.120 255.255.255.0
ip address inside 129.174.1.254 255.255.255.0
ip address dmz 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm history enable
arp timeout 14400
nat (inside) 0 129.174.1.0 255.255.255.0
static (inside, outside) 129.174.1.0 129.174.1.0
conduit permit ip any any
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 66.61.46.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29641&t=29641