PIX 515 - NAT Issue - Require urgent assistance

asfar.zaidi
Level 1

Hi

Please check the attached configuration of the PIX and the Frame Relay router connected on DMZ-4 of the PIX. Actually, the servers inside are statically NATed to IPs on the DMZ-4 subnet, but I want my remote sites to reach the 172.16.32.x/24 and 172.16.33.x/24 networks without them being statically NATed to DMZ-4 IP addresses. I removed all the static commands from DMZ-4 and put in these two commands:

static (inside,DMZ5) 172.16.32.0 172.16.32.0 netmask 255.255.255.0 0 0

static (inside,DMZ5) 172.16.33.0 172.16.33.0 netmask 255.255.255.0 0 0

But it's not working. I am unable to ping my remote sites and vice versa.

Regards

1 Accepted Solution

froggy3132000
Level 3

Nothing is being routed towards the DMZ5 interface. Your WAN networks sit off of your DMZ4 network.

So your no-NATs should be

static (inside,DMZ4) 172.16.32.0 172.16.32.0 netmask 255.255.255.0 0 0

static (inside,DMZ4) 172.16.33.0 172.16.33.0 netmask 255.255.255.0 0 0

All of your remote/WAN networks are routed through DMZ4, not DMZ5. Also, since you have no default route on your router, you need to add a route for the 172.16.33.0/24 network.

HTH
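A worked version of the accepted fix, written in PIX 6.x syntax as an added example; it is not configuration from the thread or from the poster's attached file. The DMZ4 subnet (172.16.1.0/24, PIX at .254, WAN router at .1) and the inside networks 172.16.32.0/24 and 172.16.33.0/24 come from the thread; the remote-site range 10.10.0.0/16 and the ACL name DMZ4_IN are assumptions, since the thread never names the remote networks. Note that the static needs an explicit netmask: without one the PIX treats it as a single-host (/32) translation, which is one reason a pasted "static (inside,DMZ4) 172.16.32.0 172.16.32.0" on its own may appear not to work.

```cisco
! --- PIX 515 (6.x syntax), added example, not the poster's configuration ---
! Identity ("no NAT") statics: inside hosts keep their real addresses when
! seen from DMZ4. The netmask is required; a static without it covers one /32.
static (inside,DMZ4) 172.16.32.0 172.16.32.0 netmask 255.255.255.0 0 0
static (inside,DMZ4) 172.16.33.0 172.16.33.0 netmask 255.255.255.0 0 0
!
! Routes to the Frame Relay sites point at the WAN router on DMZ4.
! 10.10.0.0/16 is an ASSUMED remote-site range; the thread does not name one.
route DMZ4 10.10.0.0 255.255.0.0 172.16.1.1 1
!
! DMZ4 is lower security than inside, so remote-initiated traffic needs an
! inbound ACL on DMZ4 as well as a translation. The ACL name is ASSUMED.
! PIX ACLs take a subnet mask, not an IOS wildcard mask.
access-list DMZ4_IN permit ip 10.10.0.0 255.255.0.0 172.16.32.0 255.255.255.0
access-list DMZ4_IN permit ip 10.10.0.0 255.255.0.0 172.16.33.0 255.255.255.0
access-group DMZ4_IN in interface DMZ4
!
! Track ICMP echo/reply statefully so pings return (PIX 6.3 and later).
fixup protocol icmp
!
! --- Frame Relay / WAN router (IOS) ---
! The router has no default route, so each inside network needs an explicit
! route toward the PIX DMZ4 address. The remote-site routers need the same
! two routes pointing back toward this router, or replies never return.
ip route 172.16.32.0 255.255.255.0 172.16.1.254
ip route 172.16.33.0 255.255.255.0 172.16.1.254
```

After changing static entries, run `clear xlate` on the PIX so translations built under the old per-host statics are dropped; otherwise existing connections keep using the 192.168.1.x / 172.16.1.x mapped addresses.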


21 Replies

rkalia1
Level 1

Please send a diagram if you can. Also, please elaborate further on what you want to achieve.

I want all my remote site networks, which are connected to the head office router through Frame Relay, to be able to access all my servers behind the inside interface of the firewall.

Currently they can access my servers because I have statically NATed them to my DMZ-4 interface. If I want to ping 172.16.33.11, which is my DC, I have to ping the NATed IP, that is 192.168.1.11, from the remote sites.

Now I want my remote sites to ping the original IP address, that is 172.16.33.11, not the NATed address 172.16.1.11.

Thanks

rkalia1
Level 1

You have configured remote VPN, but I don't see any address pool for the remote VPN clients.


Are you running site-to-site VPN or remote VPN? As per your config it is remote VPN, but there is no IP pool configured to give IP addresses to the clients. If you intend to run L2L VPN then remove the dynamic map config. Configure crypto properly and then configure the command crypto isakmp enable DMZ4. Also, check that you have configured the crypto access-list at the remote end permitting those remote networks to the inside networks at HQ. You should have all those networks in the VPN-NAT access-list, the traffic from which needs to be encrypted and bypass the ACLs.

That's right, my WAN network sits at DMZ-4.

I configured the same commands

static (inside,DMZ4) 172.16.32.0 172.16.32.0

static (inside,DMZ4) 172.16.33.0 172.16.33.0

But it's not working.

You mean to say I should configure a route on my WAN router:

ip route 172.16.33.0 255.255.255.0 172.16.1.254

I will try that.

If you look in the configuration there is

global (DMZ4) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Should I remove this PAT command?

What impact will it make?

Tell me one thing:

My WAN router interface 172.16.1.1 is directly connected to my PIX DMZ-4 (172.16.1.254). If I try to ping my router interface from the inside network, why am I unable to do that?

Configure globally:

fixup protocol icmp

Then you should be able to ping it.

OK, I will try that.

I have configured

static (inside,DMZ4) 172.16.32.0 172.16.32.0 netmask 255.255.255.0 0 0

static (inside,DMZ4) 172.16.33.0 172.16.33.0 netmask 255.255.255.0 0 0

But my question is this: I agree that there is no route configured on my router for the 172.16.32.x and 172.16.33.x networks, and I will configure that now, but I have routes on my firewall to all my remote sites and their next hop is the WAN router interface 172.16.1.1.

After putting no-NAT for these two networks I should be able to ping my remote sites, am I right?

First, please tell me whether you are doing remote VPN or site-to-site VPN. From your configuration it is apparent that you have configured for remote VPN, but I don't see any IP address pool for the remote VPN clients. If you intend to do site-to-site VPNs then your configuration is wrong.

When you use site-to-site VPN, you use the nat 0 command to exclude the VPN traffic between the sites from any NATing. Then you use that access-list in the crypto map match address command. This is just in brief. The static command does not come into play in VPNs, as the VPN traffic bypasses all the NAT automatically when you do the above as I described. Hope it is clear. Let me know if you need more clarification.

If you are running VPN tunnels between the inside network and the DMZ4 networks then you are also missing the command:

isakmp enable DMZ4

You need to remove:

isakmp enable outside

Bro, it's not a matter of VPN. I also know that the configuration of VPN is not complete, and I also know that no-NAT or nat 0 can be used to pass the VPN traffic.

Right now my problem is to remove static NATing from DMZ-4 and make my inside networks available to my remote sites. That means if any of my remote sites wants to ping any IP on my inside network it can, and it should not ping any NATed IP for my inside network. Remember one thing: my sites are not connected through VPN, they are connected through Frame Relay. I hope you get it now.

Sorry, I was talking on a different wavelength and got it all wrong. As far as pinging is concerned, once you have done the no-NAT using the static command and you have put the routes on the FR router for the inside networks pointing to the PIX's outside interface, ping should work.

Also remove the following PAT commands. They NAT everything from inside going to the DMZ4 side with the DMZ4 interface's IP address, so you won't be able to ping the real IPs on the inside from the DMZ4 networks.

global (DMZ4) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
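A verification sequence for the no-NAT change and the nat/global question, added here as an example in PIX 6.x syntax; it is not from the thread. It assumes the identity statics from the accepted solution are already configured, and uses 10.10.1.5 as an assumed remote-site host. One caveat worth stating: on PIX 6.x software a static translation takes precedence over a nat/global pair for the addresses it covers, so the identity statics for 172.16.32.0/24 and 172.16.33.0/24 exempt those hosts from the interface PAT whether or not the nat (inside) 1 / global (DMZ4) 1 pair stays. Removing the pair only changes what happens to inside hosts outside those two ranges, which would then have no translation toward DMZ4 at all.

```cisco
! --- Verification on the PIX (added example, PIX 6.x syntax) ---
! 1. Flush translations built under the old per-host statics; without this,
!    existing xlates to 192.168.1.x / 172.16.1.x addresses keep being used.
clear xlate
!
! 2. Confirm both identity statics are installed with a /24 netmask.
show static
!
! 3. Watch an echo from a remote host (10.10.1.5 is an ASSUMED address) to
!    the DC 172.16.33.11. With the identity static in place, the inbound
!    echo-request should be logged with 172.16.33.11 as its destination,
!    not a mapped 192.168.1.x address.
debug icmp trace
! ... ping 172.16.33.11 from the remote site now ...
no debug icmp trace
!
! 4. Identity xlates show the same address on both sides, i.e. a line of
!    the form "Global 172.16.33.11 Local 172.16.33.11". A line pairing a
!    172.16.1.x or 192.168.1.x global with the real host means an old
!    static (or the interface PAT) is still being matched.
show xlate
!
! 5. The next hop for the remote networks must be the WAN router on DMZ4.
show route
!
! 6. A host hit counter on the DMZ4 inbound ACL rules out an ACL drop.
show access-list
```

If step 3 shows the echo-request arriving but no reply, check the router side next: `show ip route 172.16.33.0` on the WAN router and on the remote-site router should each return a route, since the reply path through Frame Relay is the half the PIX cannot fix.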
