I have a two-interface PIX in a lab. I am trying to simulate this for a
customer. The PIX will be used between two private networks in the same
campus for some political reason. On the PIX outside interface the network is
172.16.10.0/24, and the inside network is 192.168.10.0/24. The outside interface
is connected to a Catalyst switch for the 172.16.10.0/24 network, and the inside
interface is connected to a second Catalyst switch on the inside network
192.168.10.0/24.

Here is the issue. To allow users to access resources from outside to inside,
I can simply do:

  static (inside, outside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
  access-list outside permit ip 172.16.10.0 0.0.0.255 any
  access-group outside in interface outside

For testing reasons, I also want to enable ping from the 172.16.10.0 network to
the 192.168.10.0 network:

  access-list outside permit icmp any any

The only confusion I have is how I ping from a host sitting on the outside
network (172.16.10.25) to a host sitting on the inside network (192.168.10.25),
because there is no third network segment for natting, and the PIX doesn't allow
pinging the private addresses from outside. For example, in the real world there
is a public address which is natted to a private address, and you ping the public
address which is mapped to a private address for testing purposes, but in my case
there are only two private networks and there is no public address for natting
purposes. One thought I had was to use a fake network segment such as 10.0.0.0/24
for natting purposes, but I think that won't work either, because then I would
have to put my PIX's outside interface on the 10.0.0.0/24 segment, whereas the
hosts on the outside segment are sitting on 172.16.10.0/24.

Here is the config. Please pay attention to the following commands:

  global (outside) 1 192.168.10.0
  (Since there are no public addresses for translation, I am using the inside
  address itself.)
  nat (inside) 1 192.168.10.0

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd VlkRecOhbGq/.k3t encrypted
hostname Clark-County
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside permit ip 172.16.10.0 255.255.255.0 any
access-list outside permit icmp any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 172.16.10.1 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 192.168.10.0
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
static (inside,outside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 0 0
access-group outside in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:c9981720a27c052407817428a787baf6
: end

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63908&t=63908
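As an added illustration, not part of the original post, here is a small Python model of the NAT and access-list lines in the config above. It parses the `ip address`, `static`, `access-list` and `access-group` commands, untranslates an outside-facing destination through the static, evaluates the inbound ACL, and reports the one prerequisite the PIX config itself cannot express: hosts on 172.16.10.0/24 need a route to 192.168.10.0/24 via the PIX outside address 172.16.10.1. With an identity static (mapped address equal to real address) the outside host pings 192.168.10.25 directly, so no third subnet is required. The parser, its dictionary layout and the function names are assumptions of this example; the addresses and commands are the ones in the post, and the `global`/`nat` pair is deliberately ignored because inbound connections from outside are governed by the static.

```python
import ipaddress
import re

# Constructed sample: the lines of the posted PIX 6.x config that this model
# reads, one command per line.
PIX_CONFIG = """\
ip address outside 172.16.10.1 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0
global (outside) 1 192.168.10.0
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
static (inside,outside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 0 0
access-list outside permit ip 172.16.10.0 255.255.255.0 any
access-list outside permit icmp any any
access-group outside in interface outside
"""

# PIX order is: static (real_if,mapped_if) MAPPED REAL [netmask MASK]
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+)(?: netmask (\S+))?")


def _take_addr(tokens):
    """Consume one PIX ACL address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Extract interfaces, statics, ACLs and access-groups; other commands are ignored."""
    cfg = {"interfaces": {}, "statics": [], "acls": {}, "access_groups": {}}
    for line in text.splitlines():
        line = line.strip()
        parts = line.split()
        if not parts:
            continue
        if parts[:2] == ["ip", "address"]:
            cfg["interfaces"][parts[2]] = ipaddress.ip_interface(f"{parts[3]}/{parts[4]}")
        elif parts[0] == "static":
            real_if, mapped_if, mapped, real, mask = STATIC_RE.match(line).groups()
            mask = mask or "255.255.255.255"  # host static when no netmask given
            cfg["statics"].append({
                "real_if": real_if, "mapped_if": mapped_if,
                "mapped": ipaddress.ip_network(f"{mapped}/{mask}", strict=False),
                "real": ipaddress.ip_network(f"{real}/{mask}", strict=False),
            })
        elif parts[0] == "access-list":
            name, action, proto = parts[1], parts[2], parts[3]
            src, rest = _take_addr(parts[4:])
            dst, _ = _take_addr(rest)
            cfg["acls"].setdefault(name, []).append((action, proto, src, dst))
        elif parts[0] == "access-group":
            cfg["access_groups"][parts[4]] = parts[1]  # interface -> ACL name
    return cfg


def untranslate(cfg, mapped_if, dst):
    """Real address behind mapped address `dst` on `mapped_if`, or None if no static covers it."""
    dst = ipaddress.ip_address(dst)
    for s in cfg["statics"]:
        if s["mapped_if"] == mapped_if and dst in s["mapped"]:
            offset = int(dst) - int(s["mapped"].network_address)
            return ipaddress.ip_address(int(s["real"].network_address) + offset)
    return None


def acl_permits(cfg, name, proto, src, dst):
    """First-match evaluation with the PIX implicit deny at the end of the list."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s, d in cfg["acls"].get(name, []):
        if p in ("ip", proto) and src in s and dst in d:
            return action == "permit"
    return False


def outside_to_inside_ping(cfg, src, dst):
    """Walk an ICMP echo from an outside host towards mapped address `dst`."""
    real = untranslate(cfg, "outside", dst)
    if real is None:
        return {"permitted": False, "reason": "no static xlate for mapped address"}
    # PIX 6.x checks the inbound ACL against the mapped address; with an
    # identity static that is the same value as the real address.
    acl = cfg["access_groups"].get("outside")
    if acl and not acl_permits(cfg, acl, "icmp", src, dst):
        return {"permitted": False, "reason": f"denied by access-list {acl}"}
    outside = cfg["interfaces"]["outside"]
    return {
        "permitted": True,
        "real_dst": str(real),
        # The mapped subnet is not on the outside segment, so outside hosts
        # (or their switch) need a route for it pointing at the PIX.
        "outside_hosts_need_route": ipaddress.ip_address(dst) not in outside.network,
        "next_hop": str(outside.ip),
    }


if __name__ == "__main__":
    cfg = parse_config(PIX_CONFIG)
    print(outside_to_inside_ping(cfg, "172.16.10.25", "192.168.10.25"))
    print(outside_to_inside_ping(cfg, "172.16.10.25", "10.0.0.5"))
```

Running the block shows the echo to 192.168.10.25 is permitted and untranslates to itself, with `outside_hosts_need_route` set, while a destination such as 10.0.0.5 fails for lack of a static; that is the behaviour the post's identity static produces without any third address range.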