Nice...

FYI - Another painful thing like this can happen if you have an interface
disabled on one but not the other, or even worse - different #'s of ports
(i.e. - one with 6 ports and one with 4 ... doh!)


Thanks!
TJ
-----Original Message-----
From: Sam Sneed [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, January 15, 2003 10:20 AM
To: [EMAIL PROTECTED]
Subject: Re: PIX access-list problem [7:61043]

Found problem. I had the 2 PIX's configured for failover. The problem was
that the failover cable was loose on one end so they both flip flopped each
taking control as master. Thanks for the help.

"Waters, Kristina" wrote in message
news:[EMAIL PROTECTED]...
> Sam,
>
> Do you have any sort of statement that's translating the addresses in your
> DMZ? For example,
>
> static (DMZ,outside) 141.152.135.23 141.152.135.23 netmask 255.255.255.255
>
> If you aren't nat'ing I believe you still have to translate the address.
>
> HTH,
> Kris.
>
> -----Original Message-----
> From: Sam Sneed [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 14, 2003 2:08 PM
> To: [EMAIL PROTECTED]
> Subject: PIX access-list problem [7:61043]
>
>
> I cannot seem to get the following config to work and am clueless why. My
> incoming access lists for DMZ and outside are wide open. The goal is not to
> NAT DMZ ever since it's public addressing. I can't even ping hosts on the
> outside network from PIX. Why am I having these problems?
>
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security50
>
> access-list internal permit ip 172.19.90.0 255.255.255.0 any
>
> access-list test permit ip any any
> access-list test permit icmp any any
>
> access-list int-dmz permit ip 172.19.90.0 255.255.255.0 83.23.43.0 255.255.255.0
>
> ip address outside 83.23.44.60 255.255.255.192
> ip address inside 172.19.90.1 255.255.255.0
> ip address dmz 83.23.43.250 255.255.255.0
>
> global (outside) 1 83.23.44.58
> nat (inside) 0 access-list int-dmz
> nat (inside) 1 172.19.90.0 255.255.255.0 0 0
> nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
> access-group test in interface outside
> access-group test in interface dmz
> route outside 0.0.0.0 0.0.0.0 83.23.44.1 1
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61110&t=61043
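
The failover mismatch TJ describes at the top of this thread (an interface disabled on one unit but not the other, or different numbers of ports) can be checked by comparing the two units' saved configurations. The following is an added example, not part of the original thread; it assumes each unit's config has been saved as text and uses PIX 6.x style `interface` and `nameif` lines, and the function names and sample configs are hypothetical.

```python
import re
# Constructed sample configs in PIX 6.x style; not taken from the thread.
PRIMARY = """\
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
"""
SECONDARY = """\
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
"""

# Assumed line shapes: "interface <hw> <speed> [shutdown]", "nameif <hw> <name> security<N>".
IFACE = re.compile(r"^interface\s+(\S+)\s+\S+(\s+shutdown)?\s*$")
NAMEIF = re.compile(r"^nameif\s+(\S+)\s+(\S+)\s+security(\d+)\s*$")

def parse(config):
    """Return {hw_id: {"shutdown": bool, "name": str, "level": int}} for one unit."""
    ports = {}
    for line in map(str.strip, config.splitlines()):
        m = IFACE.match(line)
        if m:
            ports.setdefault(m.group(1), {})["shutdown"] = bool(m.group(2))
        m = NAMEIF.match(line)
        if m:
            ports.setdefault(m.group(1), {}).update(name=m.group(2), level=int(m.group(3)))
    return ports

def failover_mismatches(primary, secondary):
    """List the per-interface differences between the two failover units."""
    a, b, issues = parse(primary), parse(secondary), []
    for hw in sorted(set(a) | set(b)):
        if hw not in a or hw not in b:
            # Port exists on only one unit: the "6 ports vs 4 ports" case.
            issues.append(f"{hw}: present only on {'primary' if hw in a else 'secondary'}")
            continue
        for key in ("shutdown", "name", "level"):
            if a[hw].get(key) != b[hw].get(key):
                issues.append(f"{hw}: {key} differs ({a[hw].get(key)!r} vs {b[hw].get(key)!r})")
    return issues

print("\n".join(failover_mismatches(PRIMARY, SECONDARY)))
```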