RE: PIX without NAT. [7:48593]
Hi,

I tried it before. Without NAT it didn't work, but you can do it using NAT; translating IP address to the same IP address. I suppose it's related to stateful inspection.

Bulent

-----Original Message-----
From: Ivan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 11, 2002 6:27 PM
To: [EMAIL PROTECTED]
Subject: PIX without NAT. [7:48593]

Hello all,

I have a simple PIX problem, can anyone help me? (Thank you very much)

If I have a PIX with two interfaces as follows:

inside: 10.10.10.1 / 24
outside: 192.168.1.1 / 24

and without NAT (nat 0 0 0), I think that must allow inside hosts to access outside, but can I allow the outside PC to access the inside hosts? e.g.

access-list 10 permit tcp any host 10.10.10.2 eq smtp (or any services)

Thank you very much for your help

Regards,
Ivan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=48660t=48593
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: PIX without NAT. [7:48593]
Hi,

If I understand correctly, this case has nothing to do with NAT. All you need to do is to create a static command. If you don't need to change the address, use the same address for both inside and outside host. Here is the example:

static (inside,outside) 10.10.10.2 10.10.10.2 netmask 255.255.255.255 0 0

This is required to allow traffic from a low security interface to a high security interface. In addition to the static command, an access list is also required.

This is working in a couple of my production environments.

Best Regards,
Ufuk Yasibeyli
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bülent Şahin
Sent: Friday, July 12, 2002 10:25
To: [EMAIL PROTECTED]
Subject: RE: PIX without NAT. [7:48593]

Hi,

I tried it before. Without NAT it didn't work, but you can do it using NAT; translating IP address to the same IP address. I suppose it's related to stateful inspection.

Bulent

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=48661t=48593
RE: PIX without NAT. [7:48593]
Hi,

I think there is a misunderstanding about NAT. I used NAT as Network Address Translation, not the command. According to my knowledge, the static command is used for Network Address Translation, and with the command

static (inside,outside) 10.10.10.2 10.10.10.2 netmask 255.255.255.255 0 0

an address translation definition from 10.10.10.2 to 10.10.10.2 can be created.

Bulent

-----Original Message-----
From: Ufuk Yasibeyli [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 12, 2002 11:23 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX without NAT. [7:48593]

Hi,

If I understand correctly, this case has nothing to do with NAT. All you need to do is to create a static command. If you don't need to change the address, use the same address for both inside and outside host. Here is the example:

static (inside,outside) 10.10.10.2 10.10.10.2 netmask 255.255.255.255 0 0

This is required to allow traffic from a low security interface to a high security interface. In addition to the static command, an access list is also required.

This is working in a couple of my production environments.

Best Regards,
Ufuk Yasibeyli
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=48664t=48593
RE: PIX without NAT. [7:48593]
Hi again,

I am sorry for mixing up. Yes, I assumed nat command and static is indeed a NAT.

Regards,
Ufuk.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bülent Şahin
Sent: Friday, July 12, 2002 13:49
To: [EMAIL PROTECTED]
Subject: RE: PIX without NAT. [7:48593]

Hi,

I think there is a misunderstanding about NAT. I used NAT as Network Address Translation, not the command. According to my knowledge, the static command is used for Network Address Translation, and with the command

static (inside,outside) 10.10.10.2 10.10.10.2 netmask 255.255.255.255 0 0

an address translation definition from 10.10.10.2 to 10.10.10.2 can be created.

Bulent

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=48672t=48593
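
The pieces discussed in this thread, collected into one configuration as an added example (not posted by any participant): an identity static plus an access list for inbound SMTP to 10.10.10.2. The `nat (inside) 0 0 0` form, the `access-group` binding and the `clear`/`show` commands are additions that assume PIX 6.x syntax; lines beginning with `!` are annotations, not commands to enter.

```cisco
! Outbound: identity NAT, inside hosts reach the outside with their
! own addresses (assumed full form of the "nat 0 0 0" in the question).
nat (inside) 0 0 0

! Inbound, step 1: identity static for the one host that must be
! reachable from the lower-security outside interface.
! The trailing "0 0" are max connections and embryonic-connection limit;
! 0 means unlimited. A non-zero embryonic limit bounds half-open
! connections to an exposed server.
static (inside,outside) 10.10.10.2 10.10.10.2 netmask 255.255.255.255 0 0

! Inbound, step 2: permit only the required service, only to that host.
! Avoid "permit ip any host ...", which would expose every port.
access-list 10 permit tcp any host 10.10.10.2 eq smtp

! Inbound, step 3: the access list has no effect until it is bound
! to the interface where the traffic arrives.
access-group 10 in interface outside

! Flush existing translation slots after changing nat/static entries.
clear xlate

! Verify: the identity translation should be listed, and the ACL hit
! counter should increase when an outside host connects to port 25.
show xlate
show access-list 10
```

If either the static or the bound access list is missing, connections initiated from the outside toward 10.10.10.2 are dropped, which matches the behaviour reported at the start of the thread.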