12-30-2003 09:02 AM - edited 02-20-2020 11:10 PM
I have a server with real IP 90.0.0.50 that has been NATted to 172.20.1.1 as follows:
static (inside,outside) 172.20.1.1 90.0.0.50 netmask 255.255.255.255 0 0
If I want to allow the 172.20.7.0 network to access the server network, what is the correct IP to be defined as the destination (real or global)?
That is,
(1) access-list outside_access_in permit ip 172.20.7.0 255.255.255.0 90.0.0.0 255.0.0.0 OR
(2) access-list outside_access_in permit ip 172.20.7.0 255.255.255.0 172.20.1.0 255.255.255.0 ?
12-31-2003 01:01 AM
Hi,
I'm a little confused about your config. Where is your server exactly?
The static command you wrote means: host 90.0.0.50 is on the inside and NAT this address to 172.20.1.1 when it's going out. It doesn't make sense to me. If your server is inside and it has the address 172.20.1.1, you have to write the static command like this:
static (inside,outside) 90.0.0.50 172.20.1.1 0 0
This command makes your server reachable from the outside (also you have to permit them with an access-list). For permitting the outside users to reach that server you have to use the real address in your ACL, because they know your server as 90.0.0.50.
I assume that your 172.20.7.0 network is also on the inside. Actually the traffic between this network and your server doesn't need to go through the PIX; you can keep them talking inside. If you send the config of your PIX and the topology of your network, I can help more..
Also, the links below are very useful for understanding traffic through the PIX:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009402f.shtml
I hope I didn't totally misunderstand.. ;)
regards..
01-01-2004 03:12 AM
Hi,
Many thanks for the detailed reply. But my network is a little different than you explained.
The server's real address is 90.0.0.50 (a legacy application installed long ago). Since we cannot do any application changes, we are NATting it to 172.20.1.1.
The server is inside the firewall and the client network 172.20.7.0 is outside the firewall (i.e. the firewall is sitting between the client and the server).
I was confused as to what address should be specified in the ACL for the server (real or NATted).
I defined the ACL as
access-list outside_access_in permit ip 172.20.7.0 255.255.255.0 90.0.0.0 255.0.0.0,
but after applying it, the clients in 172.20.7.0 could not access the server. Therefore the other option is to define:
access-list outside_access_in permit ip 172.20.7.0 255.255.255.0 172.20.1.0 255.255.255.0
Any ideas ?
01-02-2004 01:10 AM
Can you elaborate on it in more detail??
In my opinion, I choose the first one, and
you must configure a route which points to the network 172.20.1.0/24.
Do you get my idea??
01-02-2004 02:09 AM
access-list outside_access_in permit ip 172.20.7.0 255.255.255.0 172.20.1.0 255.255.255.0 will permit traffic from 172.20.7.0/24 to 172.20.1.0/24, so for your scenario this is the correct way to do it. You need to target the translated address rather than the real one.
01-04-2004 10:55 PM
Yes, the correct one is to use the NATted one, because the outside world knows your server as 172.20.1.1. Did you try this access-list? If it doesn't work, it may be because of another access-list on the inside interface.. Do you have an ACL on the inside interface?
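As an added illustration that is not from any poster in this thread, the Python model below reproduces the PIX packet path the thread is arguing about: a static translation between global 172.20.1.1 and real 90.0.0.50, with the outside interface ACL evaluated against the packet's on-the-wire (global) destination before the destination is un-translated, which is why option (1) with the real 90.0.0.0/8 network never matches. The `STATICS` table, `parse_ace` and `outside_in` are this model's own assumptions, not PIX code.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the PIX 6.x packet path on the outside interface:
# 1) a static xlate maps global 172.20.1.1 <-> real 90.0.0.50 (from the thread)
# 2) outside_access_in is evaluated on the packet as it arrives, i.e. while
#    the destination is still the global (translated) address
# 3) only a permitted packet is then un-translated to the real address
STATICS = {"172.20.1.1": "90.0.0.50"}   # global -> real (assumption: one static)

@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def parse_ace(line):
    """Parse 'access-list NAME permit|deny ip SRC MASK DST MASK' (IP-only form)."""
    t = line.split()
    return Ace(t[2],
               ipaddress.ip_network(f"{t[4]}/{t[5]}"),
               ipaddress.ip_network(f"{t[6]}/{t[7]}"))

def outside_in(acl, src, dst_on_wire):
    """Return (verdict, real_dst) for a packet arriving on the outside interface.

    The ACL sees dst_on_wire (the global address); un-translation happens after.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst_on_wire)
    for ace in acl:                        # first matching entry wins
        if s in ace.src and d in ace.dst:
            verdict = ace.action
            break
    else:
        verdict = "deny"                   # implicit deny at the end of every ACL
    if verdict != "permit":
        return verdict, None
    return verdict, STATICS.get(dst_on_wire, dst_on_wire)

# The two candidate ACLs from the original question
ACL_REAL = [parse_ace("access-list outside_access_in permit ip 172.20.7.0 255.255.255.0 90.0.0.0 255.0.0.0")]
ACL_GLOBAL = [parse_ace("access-list outside_access_in permit ip 172.20.7.0 255.255.255.0 172.20.1.0 255.255.255.0")]

if __name__ == "__main__":
    # A client on 172.20.7.0/24 only knows the server as 172.20.1.1
    for name, acl in (("real-address ACL", ACL_REAL), ("global-address ACL", ACL_GLOBAL)):
        print(name, outside_in(acl, "172.20.7.10", "172.20.1.1"))
```

This order of operations applies to PIX 6.x and ASA releases before 8.3; from ASA 8.3 onward access lists reference the real (untranslated) address, so the same question has the opposite answer there.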