Cisco PIX... address transform...

Discussion in 'Cisco' started by The_Stradz, Feb 16, 2006.

  1. The_Stradz

    The_Stradz Guest

    All,

    Wonder if someone can point me in the right direction...? I have a PIX 515E
    that I'm using as an internal firewall in a classic internet | firewall |
    dmz | firewall | internal LAN config.

    The inside (internal LAN) interface address is 10.156.1.1/24 and the outside
    (dmz) address is 10.1.1.254/24. There are several hosts within the DMZ
    (10.1.1.20, 10.1.1.21, 10.1.1.22 etc).

    Now what I want to do is reference a DMZ host (say 10.1.1.20) using an
    inside network IP address (10.156.1.40 say) - so that an internally
    connected PC can ping the DMZ host using the 10.156.1.40 address.

    I've issued the command "static (inside, outside) 10.156.1.40 10.1.1.20"

    Then ACLed to allow "icmp any" to the DMZ host (10.156.1.40). However, it's
    not working? Can anyone give me any pointers to what is wrong here?

    Any help greatly appreciated!

    Thanks
    -D
    The_Stradz, Feb 16, 2006
    #1

  2. The_Stradz

    mcaissie Guest

    You have to do "static (outside,inside)" and not "static
    (inside,outside)"

    since you want to mask an outside IP to the inside, and not mask an
    inside IP to the outside.

    static (outside,inside) 10.156.1.40 10.1.1.20 netmask 255.255.255.255 0 0





    In your environment
    mcaissie, Feb 16, 2006
    #2
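
    An added example, not part of either post: a simplified Python model of the interface pairing in the PIX `static (real_ifc,mapped_ifc) mapped_ip real_ip` command, run against the two commands quoted above. The function names are hypothetical and the inputs are constructed from the thread's addresses.

```python
import re
from ipaddress import ip_address

# PIX 6.x syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]
STATIC_RE = re.compile(
    r"static\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)\s+(\S+)\s+(\S+)")


def parse_static(line):
    """Return (real_ifc, mapped_ifc, mapped_ip, real_ip) from a static command."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static command: {line!r}")
    real_ifc, mapped_ifc, mapped_ip, real_ip = m.groups()
    return real_ifc, mapped_ifc, ip_address(mapped_ip), ip_address(real_ip)


def untranslate(statics, ingress_ifc, dst):
    """Model destination un-translation for a packet entering ingress_ifc.

    The mapped address only exists on mapped_ifc, so a static applies to the
    destination only when the packet arrives on that interface. Returns
    (egress_ifc, real_dst), or None when no static owns the address.
    """
    dst = ip_address(dst)
    for line in statics:
        real_ifc, mapped_ifc, mapped_ip, real_ip = parse_static(line)
        if ingress_ifc == mapped_ifc and dst == mapped_ip:
            return real_ifc, str(real_ip)
    return None


# Constructed test case: the addresses and both commands quoted in the thread.
ORIGINAL = ['static (inside, outside) 10.156.1.40 10.1.1.20']
SUGGESTED = ['static (outside,inside) 10.156.1.40 10.1.1.20 '
             'netmask 255.255.255.255 0 0']

if __name__ == "__main__":
    # An inside PC pings 10.156.1.40; which command owns that address on inside?
    for name, cfg in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(name, "->", untranslate(cfg, "inside", "10.156.1.40"))
```

    The model covers only which interface the mapped address is presented on; it does not model ACLs, nat/global rules or ARP.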

  3. The_Stradz

    The_Stradz Guest

    OK - done that..... still no joy.... pinging 10.156.1.40 doesn't work.....
    anything else that I'm missing?

    The_Stradz, Feb 17, 2006
    #3
  4. The_Stradz

    mcaissie Guest

    Can you post your config?

    -nat - global - static - acl - and access-group


    mcaissie, Feb 17, 2006
    #4