Cisco Support Community
New Member

Pix 515 Static translation problem

I'm having some problems connecting to an address specified in the static translation command (194.70.60.3). I can ping the outside interface 194.70.60.2 no probs. But not this .3 address.

The Pix outside interface is connected to a Router 194.70.60.1 and all routing is correct.

Below is my Pix config.. I for one can't see what I have done wrong.. A fresh pair of eyes may spot the issue straight away.

nameif ethernet0 outside security0

nameif ethernet1 inside security100

interface ethernet0 100full

interface ethernet1 100full

ip address outside 194.70.60.2 255.255.255.224

ip address inside 10.250.1.10 225 255.255.255.252

hostname MIL-PIX-001

arp timeout 14400

no failover

logging buffered debugging

nat (outside) 0 0.0.0.0 0.0.0.0

nat (inside) 0 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 194.70.60.1 1

route inside 10.0.0.0 255.0.0.0 10.250.1.9

access-list ping_acl permit icmp any any

access-group ping_acl in interface inside

access-group ping_acl in interface outside

Static (inside,outside) 194.70.60.3 10.250.1.9 netmask 255.255.255.255

4 REPLIES
Bronze

Re: Pix 515 Static translation problem

The issue may be due to the default implicit deny statement in the access list configuration. To overcome this issue, configure the permit ip any any command at the end of the configuration.

New Member

Re: Pix 515 Static translation problem

Open a TCP port with the AccessList. Try a telnet to port 445 (if 10.250.1.9 is a Windows Station). Does that function?

Which PIX OS version is running?

best regards,

marco

New Member

Re: Pix 515 Static translation problem

Change the ACL to

access-list ping_acl permit icmp any any eq echo

Cisco Employee

Re: Pix 515 Static translation problem

Which device is 10.250.1.9? I see that you have a static route for your 10.0.0.0 subnet pointing towards it. Can you ping this IP from the internal subnet?

You can also try changing the ACL to the following:

access-list ping_acl permit icmp any any eq echo

access-list ping_acl permit icmp any any eq echo-reply

HTH,

-amit singh
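
The ACL behaviour the replies discuss (first match wins, then the implicit deny) can be checked offline against the posted lines. This is an added example, not part of any reply in the thread: the function names and the outside source address 198.51.100.7 are constructed, and only `any`, `host A`, `A MASK` and a numeric `eq` port are interpreted.

```python
import ipaddress

# Constructed sample: the ACL, access-group and static lines of the posted config.
CONFIG = """\
access-list ping_acl permit icmp any any
access-group ping_acl in interface inside
access-group ping_acl in interface outside
static (inside,outside) 194.70.60.3 10.250.1.9 netmask 255.255.255.255
"""

def parse(config):
    """Collect ACL entries, interface bindings and static global addresses."""
    acls, bound, globals_ = {}, {}, []
    for line in config.splitlines():
        t = line.lower().split()
        if t[:1] == ["access-list"]:
            acls.setdefault(t[1], []).append(t[2:])
        elif t[:1] == ["access-group"]:
            bound[t[-1]] = t[1]            # interface name -> ACL name
        elif t[:1] == ["static"]:
            globals_.append(t[2])          # translated (outside) address
    return acls, bound, globals_

def take_addr(tokens):
    """Consume 'any', 'host A' or 'A MASK'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def verdict(config, iface, proto, src, dst, dport=None):
    """First matching entry wins; no match means the implicit deny applies."""
    acls, bound, _ = parse(config)
    for action, ace_proto, *rest in acls.get(bound.get(iface), []):
        s_net, rest = take_addr(rest)
        d_net, rest = take_addr(rest)
        if ace_proto not in ("ip", proto):
            continue
        if rest[:1] == ["eq"] and rest[1] != str(dport):
            continue                       # port qualifier does not match
        if ipaddress.ip_address(src) in s_net and ipaddress.ip_address(dst) in d_net:
            return action
    return "implicit deny"

def static_exposure(config, proto, dport=None, src="198.51.100.7"):
    """Verdict for outside traffic to each static's translated address."""
    _, _, globals_ = parse(config)
    return {g: verdict(config, "outside", proto, src, g, dport) for g in globals_}
```

Appending `access-list ping_acl permit ip any any` to the sample makes every protocol and port to 194.70.60.3 return `permit`, while an entry scoped to `host 194.70.60.3 eq <port>` opens only that port.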
