routerman, swj38 I just found out that my approach is fundamentally flawed:
access-list 100 deny tcp host LAN.LAN.LAN.12 host ISP.ISP.ISP.45
nat (inside) 0 access-list 100
deny is not a supported command in nat 0 (identity NAT) commands.
Time to read up on split tunnels.
More later
Cheers C.T.
I think I've just found the answer: NO!
From: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727ab.html#1032129
NAT
Associate a network with a pool of global IP addresses.
access-list
Lets you identify local traffic for network address...
Has anyone ever used DENY in their NO-NAT acl? [ponder]
For example:
!--- ACL to avoid Network Address Translation (NAT) on the IPSec packets
access-list 100 deny ip host 10.2.2.12 10.1.1.0 255.255.255.0
access-list 100 permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100...
ixleplix, thanks for posting how you got it figured out.
I just had a similar problem.
I had a picture of the NO-NAT decision being made as traffic left the outside interface.
So I put my permit statements for DMZ1 hosts in my NO-NAT acl. I couldn't figure out why the htcnt wasn't...
Here's the config.
The internal email server is LAN.LAN.LAN.12
Note that the email server is defined with this static:
static (inside,outside) tcp interface smtp LAN.LAN.LAN.12 smtp netmask 255.255.255.255 0 0
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 10baset
interface...
I finally got back to site to try to fix this problem.
This is what happens when the ISP sends email to the exchange server:
- I see the outside_access_in ACL trigger PERMIT SMTP in
- SMTP Packet received by Exchange server
- Exchange server responds on high number port to ISP-mail server
-...
We've just replaced our outside PIX515UR with a PIX515eUR.
Now we'd like to re-deploy the PIX515UR as an inner firewall to further protect database servers on the publicly accessible DMZ.
i.e. PIX1-OUTSIDE = Internet
PIX1-INSIDE = Corp LAN
PIX1-DMZ1 = web servers
and PIX2-OUTSIDE =...
I've been told that you have to upgrade a PIX515R to a PIX515UR in order to upgrade from 32Mb to 6Mb RAM.
The part number is: PIX-515-SW-R-UR=
The UK list is £2,748.00
This is a very expensive 32Mb memory stick ;-)
I'm just looking for a bit of performance.
I don't need a VAC or Fail-over.
I...
Loyalist - did you figure out what was going on?
We have a similar problem with unreliable VPN client connections. Our site-to-site connections always stay up. But when the PIX gets a little busy the client VPNs can drop out after any time.
Cheers C.T.
I have a site-to-site VPN working from our HQ to an ISP.
All traffic goes down the VPN tunnel and is not natted.
Now I need to stop SMTP traffic destined for the ISP going down the VPN tunnel.
Here's why:
The ISP needs to send reports back using SMTP from a machine in the VPN network. They...
Thanks Mut,[thumbsup2]
I've already got the dmz.dmz.dmz.dmz version of code ready to go. I have to do this at 06:00 tomorrow before the early shift get in :-(
Thanks for the clear xlate reminder too.
C.T.
I've been able to get a site-to-site VPN set up OK.
Each inside network can see the other inside network.
(H.Q. to ISP)
We have just added a dmz at our HQ site for web site staging and testing.
Now I need to allow one of the servers on the DMZ to connect to the ISP network using the VPN.
Is...
There is no maintenance contract on the firewall.
(A management decision - don't ask me why).
I didn't think upgrades were freely available without a maintenance contract. The maintenance contract ran out earlier this year before I was asked to look after it.
Do you think my names problem was...
Pitfalls of using names
A nice idea – but it didn’t work for me.
I’m using 6.0(1) code on a 515 and thought using names would cut down on typos. So it would make the code easier to write and read.
I have 3 servers on a DMZ that should be accessible from the outside interface. Each has their...
I’m new to working on PIX configs and wanted to check some things out.
(I’ve inherited a working PIX but need to create a DMZ for web pre-staging.)
Comments
Please can you confirm the right syntax to add a comment in a configuration.
I don’t see many comments in the configurations I’ve seen so...
Folks - I'm new to PIX and just getting up to speed.
I just need some clarification on parts of a config I'm working on.
The following interfaces are in use:
ip address outside X.Y.Z.115 255.255.255.240
ip address inside 192.168.168.1 255.255.255.0
ip address dmz1 192.168.169.1 255.255.255.0
ip...
Do you have any tips on how to diagnose what is wrong with a PIX classic that won't power up?
I have acquired a PIX Firewall/Local Director SN6005517.
It does not power up - all you get is a flash of the power light and a little turn on the case fan.
I've reseated the connectors, cards &...