Look up NAT 0 in the PIX command summary (sorry, I don't have a link). The PIX will perform NATing on a packet as soon as it enters an interface. This can create problems when 2 interfaces receive their NAT addresses from the same pool.

Create an access list permitting IP between the inside and DMZ subnets and then apply it with NAT 0. This will eliminate NATing. This should allow the inside to establish full communication with the DMZ. You will still need the appropriate conduits for DMZ to inside communication.
Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Guruprasad Sanjeevi
Sent: Tuesday, October 15, 2002 12:33 AM
To: [EMAIL PROTECTED]
Subject: RE: With PIX unable to reach DMZ from LAN [7:55608]

Hi Theo, and all,

I am giving the configuration.

global (outside) 1 66.x.x.x-66.x.x.x netmask 255.255.255.224
global (perimeter) 1 192.168.23.10-192.168.23.20
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
nat (perimeter) 1 192.168.23.0 255.255.255.0 0 0
static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
static (inside, perimeter) 192.168.23.0 192.168.11.0 netmask 255.255.255.0 0 0
  - If I am not wrong, this command enables the communication between LAN and DMZ, but here it fails..
conduit permit tcp host 66.x.x.x eq x any
conduit permit icmp host 192.168.11.x any
conduit permit tcp host 66.x.x.x eq x any
conduit permit tcp host 66.x.x.x eq sqlnet any
route outside 0.0.0.0 0.0.0.0 66.x.x.x 1

What is that companion command? Please help.

Regards
Guruprasad

-----Original Message-----
From: Theodore Stout [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 10:21 AM
To: Guruprasad Sanjeevi
Subject: Re: With PIX unable to reach DMZ from LAN [7:55608]

You will need to explicitly grant permission for the DMZ to communicate to the internal, since lower security interfaces are automatically blocked from higher ones. Can you access from the outside? Try it and see. Can you print out the config without the real IPs? You need to have a companion command to the static command and I would like to see if you have it.
Cheers,
Theo

"Guruprasad Sanjeevi"
Sent by: [EMAIL PROTECTED]
10/15/2002 03:29 AM GMT
Please respond to "Guruprasad Sanjeevi"

To: [EMAIL PROTECTED]
cc:
bcc:
Subject: With PIX unable to reach DMZ from LAN [7:55608]

Hi group,

I am trying to configure PIX. It has 3 Ethernet interfaces and three networks are used.

LAN (inside): 192.168.11.0
DMZ (perimeter): 192.168.23.0
Outside: 66.x.x.x

Problem: users from the Inside and Perimeter networks are able to browse, but the Inside and Perimeter networks cannot talk to each other.

I have given the static command like this:

static (inside, perimeter) 192.168.23.0 192.168.11.0 0 0

What other command is required on the PIX to enable communication from the INSIDE network to the DMZ (perimeter) and vice-versa? Please help....

Thanks
Guruprasad

[GroupStudy.com removed an attachment of type application/ms-tnef which had a name of winmail.dat]

--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55620&t=55608
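As an added illustration of the NAT 0 approach Jay describes (this is not configuration from any poster in the thread), the PIX 6.x commands below exempt inside-to-DMZ traffic from translation using the two subnets given in the thread. The access-list name inside_dmz_nonat is an assumed name, and the final conduit uses the thread's own "x" placeholder for a host address; the static being removed is the one Guruprasad posted, which maps the inside subnet onto the DMZ's own address range and so competes with the exemption.

```cisco
! Added example, not from the thread. Assumes PIX 6.x with the interfaces
! named inside and perimeter as in the original post.

! 1. Match inside -> DMZ traffic (subnets from the thread; list name is assumed).
access-list inside_dmz_nonat permit ip 192.168.11.0 255.255.255.0 192.168.23.0 255.255.255.0

! 2. Exempt that traffic from NAT on the inside interface (Jay's "NAT 0").
!    Inside hosts now reach the DMZ with their real 192.168.11.x addresses.
nat (inside) 0 access-list inside_dmz_nonat

! 3. Drop the posted static, which translated 192.168.11.0 into 192.168.23.0
!    on the perimeter side and collided with the DMZ's own subnet.
no static (inside, perimeter) 192.168.23.0 192.168.11.0 netmask 255.255.255.0 0 0

! 4. DMZ -> inside is still blocked by default (lower to higher security),
!    so permit only what the DMZ actually needs; host address is a placeholder.
conduit permit tcp host 192.168.11.x eq sqlnet 192.168.23.0 255.255.255.0
```

After applying this, a connection from an inside host to a DMZ host should appear in show xlate with no translation entry for that pair, and show conduit should list the single DMZ-to-inside permit; anything wider than that permit is a deliberate choice, not a requirement of the exemption.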