RE: PIX - Why NO global (outside) command [7:45676]
OK, good to know. I will forget this old PIX config and will look into the newer PIX 6.2 configs. Thanks for the advice.

Sarkis

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45709&t=45676
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: PIX - Why NO global (outside) command [7:45676]
The statement

"NAT and GLOBAL is used for inside to outside communication. STATIC is used for outside to inside communication."

no longer holds true, but it is a good rule to keep you straight.

Check out ios PIX 6.2, they have removed the rules as we know it. You can now do a

static (outside,inside)

or a

nat 1 (outside) x.x.x.x

Cool stuff.

Thanks
Rob Mears III, CCNP, MCSE, CNE, NNCDS, NNCSS, NNCPS, MCP+I, A+
Technical Mercenary
Valor Telecom.com

-----Original Message-----
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 03, 2002 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX - Why NO global (outside) command [7:45676]

NAT and GLOBAL is used for inside to outside communication.
STATIC is used for outside to inside communication.

Since the device(s) we're talking about seems to be a server/service of some kind located on your inside network, you use the NAT 0 to let the server communicate outbound with the same (unNATed) IP address, and you use STATIC with the same IP for global and local so outside clients can access the services running on the server.

Hth,

Ole

~
Ole Drews Jensen
Systems Network Manager
CCNP, MCSE, MCP+I
RWR Enterprises, Inc.
[EMAIL PROTECTED]
~
http://www.RouterChief.com
~
Need a Job? http://www.OleDrews.com/job
~

-----Original Message-----
From: Karagozian Sarkis [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 03, 2002 11:02 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX - Why NO global (outside) command [7:45676]

Thanks Ole,
I just noticed the nat 0.
Here is how this old PIX is configured:

nat (inside) 0 216.119.xx.0 255.255.255.0 0 0
static (inside,outside) 216.119.xx.0 216.119.xx.0 netmask 255.255.255.0 0 0 -- why same IP for both??
static (websvers,outside) 216.119.xx.240 216.119.xx.240 netmask 255.255.255.240 0 0 --- also same IP for both ??

Can you explain more...
Thanks
Sarkis

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45700&t=45676

RE: PIX - Why NO global (outside) command [7:45676]
Thanks Ole,
Yes, I see some access-lists like:

!
access-list JPS permit ip host 216.119.x.6 host 166.90.1xx.50
access-list JPS permit ip 216.119.xx.0 255.255.255.0 166.90.1xx.48 ...
! then some crypto map entries as follows:
crypto map jps 1 ipsec-isakmp
crypto map jps 1 match address jps
crypto map jps 1 set peer
crypto map jps 1 set transform-set strong
crypto map jps interface outside

(hence acl named jps applied to outside interface e0)

OK, got it now. Thanks for the good info.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45697&t=45676

RE: PIX - Why NO global (outside) command [7:45676]
NAT and GLOBAL is used for inside to outside communication.
STATIC is used for outside to inside communication.

Since the device(s) we're talking about seems to be a server/service of some kind located on your inside network, you use the NAT 0 to let the server communicate outbound with the same (unNATed) IP address, and you use STATIC with the same IP for global and local so outside clients can access the services running on the server.

Hth,

Ole

~
Ole Drews Jensen
Systems Network Manager
CCNP, MCSE, MCP+I
RWR Enterprises, Inc.
[EMAIL PROTECTED]
~
http://www.RouterChief.com
~
Need a Job? http://www.OleDrews.com/job
~

-----Original Message-----
From: Karagozian Sarkis [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 03, 2002 11:02 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX - Why NO global (outside) command [7:45676]

Thanks Ole,
I just noticed the nat 0.
Here is how this old PIX is configured:

nat (inside) 0 216.119.xx.0 255.255.255.0 0 0
static (inside,outside) 216.119.xx.0 216.119.xx.0 netmask 255.255.255.0 0 0 -- why same IP for both??
static (websvers,outside) 216.119.xx.240 216.119.xx.240 netmask 255.255.255.240 0 0 --- also same IP for both ??

Can you explain more...
Thanks
Sarkis

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45687&t=45676

RE: PIX - Why NO global (outside) command [7:45676]
This is saying that from the inside to the outside do not translate the 216.119 network (they would stay the same).

From the outside, connections to the 216.119.X.240 address can come through the PIX and do not translate the address. There should be an ACL that goes with this as well (outside to inside needs both a static entry and an ACL).

> nat (inside) 0 216.119.xx.0 255.255.255.0 0 0
> static (inside,outside) 216.119.xx.0 216.119.xx.0 netmask 255.255.255.0 0 0 -- why same IP for both??
> static (websvers,outside) 216.119.xx.240 216.119.xx.240 netmask 255.255.255.240 0 0 --- also same IP for both ??
>
> Can you explain more...
> Thanks
> Sarkis
> [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45683&t=45676

RE: PIX - Why NO global (outside) command [7:45676]
Thanks Ole,
I just noticed the nat 0.
Here is how this old PIX is configured:

nat (inside) 0 216.119.xx.0 255.255.255.0 0 0
static (inside,outside) 216.119.xx.0 216.119.xx.0 netmask 255.255.255.0 0 0 -- why same IP for both??
static (websvers,outside) 216.119.xx.240 216.119.xx.240 netmask 255.255.255.240 0 0 --- also same IP for both ??

Can you explain more...
Thanks
Sarkis

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45681&t=45676

RE: PIX - Why NO global (outside) command [7:45676]
To my best knowledge, you WILL NEED a global command when using the nat command, UNLESS you are using the nat-id 0 to disable nat on devices located on the inside network with public addresses.

Example:

PIX(config)# nat (inside) 0 0 0
nat 0 0.0.0.0 will be non-translated
PIX(config)# show nat
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
PIX(config)#

Hth,

Ole

~
Ole Drews Jensen
Systems Network Manager
CCNP, MCSE, MCP+I
RWR Enterprises, Inc.
[EMAIL PROTECTED]
~
http://www.RouterChief.com
~
Need a Job? http://www.OleDrews.com/job
~

-----Original Message-----
From: Karagozian Sarkis [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 03, 2002 9:51 AM
To: [EMAIL PROTECTED]
Subject: PIX - Why NO global (outside) command [7:45676]

I have seen some PIX configs with NO global (outside) 1 . command but only see NAT (inside) 1 0 0 command. Does that mean all traffic is allowed to go out???
Can someone explain.
Thanks
Sarkis

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45679&t=45676
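
Added example (not part of any list member's post, and not Cisco code): a Python audit of the checks discussed in this thread, flagging a nat id above 0 with no matching global, nat 0 and identity static entries that leave addresses untranslated, and static entries with no inbound ACL or conduit. The sample config is constructed with documentation addresses; the finding labels and the matching of nat to global by id alone are assumptions of this example.

```python
import re

# Constructed sample in PIX 6.x syntax; addresses are documentation ranges.
SAMPLE = """\
nat (inside) 0 192.0.2.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 2 10.1.1.0 255.255.255.0 0 0
global (outside) 2 198.51.100.10-198.51.100.20
static (inside,outside) 192.0.2.0 192.0.2.0 netmask 255.255.255.0 0 0
static (dmz,outside) 198.51.100.5 10.1.1.5 netmask 255.255.255.255 0 0
"""

# static is written (real_if,mapped_if) mapped_ip real_ip
NAT = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL = re.compile(r"^global \((\S+)\) (\d+) ")
STATIC = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")
INBOUND = re.compile(r"^(access-group \S+ in interface|conduit permit) ")

def audit(config):
    """Return (label, detail) findings; labels are hypothetical names."""
    nats, global_ids, statics, findings = [], set(), [], []
    inbound_rule = False
    for line in map(str.strip, config.splitlines()):
        if m := NAT.match(line):
            nats.append((m[1], int(m[2])))
        elif m := GLOBAL.match(line):
            global_ids.add(int(m[2]))  # assumption: matched by id only
        elif m := STATIC.match(line):
            statics.append(m.groups())
        elif INBOUND.match(line):
            inbound_rule = True
    for ifc, nat_id in nats:
        if nat_id == 0:  # nat 0: hosts go out with their own address
            findings.append(("nat0-untranslated", ifc))
        elif nat_id not in global_ids:  # no pool to translate into
            findings.append(("nat-without-global", f"{ifc} id {nat_id}"))
    for real_if, mapped_if, mapped_ip, real_ip in statics:
        if mapped_ip == real_ip:  # same IP on both sides of the PIX
            findings.append(("identity-static", f"{real_ip} via {mapped_if}"))
    if statics and not inbound_rule:  # a static alone admits no traffic
        findings.append(("static-without-inbound-acl", f"{len(statics)} static(s)"))
    return findings

if __name__ == "__main__":
    for label, detail in audit(SAMPLE):
        print(f"{label}: {detail}")
```
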