«

[markw78]

what I want to do is logically easy... getting it done is proving to be a bit harder.

Bascially I jsut want to route a network across my PIX from outside interface to eth2 (nameif test, security-level 75) with no restrictions what so ever.

Currently I have it working with an tcp but thats it...

access-list outside extended permit tcp any interface lab
access-list lab_access_in extended permit ip any any

access-group out in interface outside
access-group lab_access_in in interface lab

route lab 216.24.24.160 255.255.255.224 216.24.24.138 1

nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0

access-list 101 extended permit ip 10.10.0.0 255.255.0.0 192.168.100.0 255.255.255.0
access-list 101 extended permit ip 10.0.0.0 255.0.0.0 interface lab

Access-list 101 and nat0 associated with it are left over from an attempt at VPN access which was abandoned a long time ago, I just stuck the additional ACL in place since the nat0 was already there.

My goal is basically to hand-off this block of IP's to the lab's PIX so they can self manage them.

Questions are... Access-list 101 and access-list outside permit any interface lab, which is actually doing the job? or are they both needed?

Is there any way to remove the acl all together?

How can I say "all protocols" as it won't take 'any' as a valid protocol.

Lastly I'm having a hard time getting the inside network to route there. Do I need to add that to acl 101?

I feel so close yet so far, can't quite wrap my head around this one (first time doing this with a PIX) any help is appreciated.

[markw78]

So I pulled out the nat 0, I pulled out acl 101, I removed lab_access_in acl, removed access-group from lab interface.

It seems to be working fine off just the route which I don't quite understand since I swear it wasn't before.

I still can't get through from inside(100) even though lab is 75.

[markw78]

static (inside,lab) 10.10.150.0 netmask 255.255.255.0

seemed to do the trick I can get from inside to lab now.

Still no ICMP even though I have

icmp permit any lab
icmp permit any inside

It also wouldn't work adding a global using the public IP... normally a telnet test to the port shuts down right away indicating there is a firewall, with the global in place it times out instead, I suspect for some reason the device on the lab network is having problems replying to the NAT'd global IP. Maybe a proxy arp problem on the interface, I don't know it's almost 2am lol... I think the static is what we want but I would like to know why the global doesn't work anyways, along with icmp...

I assume I need static mappings and acl's to get from lab to inside as normal.

1 last quick edit, with the global in place and no static, my pings and telnet tests get no log on the pix. With the static, telnet tests work, but icmp generates a log stating unable to portmap from the lab to the inside (the reply packet)... shouldn't think be open by way of SPI / xlate table?