11-17-2005 02:03 AM - edited 02-21-2020 12:31 AM
I have this scenario:
users/dc/dns---pix----isa-----router
DC = domain controller
ISA is a member of the domain, which is INSIDE of the PIX.
Any traffic going out (i.e. HTTP, POP3) is OK.
The customer wants to filter outgoing traffic by computer names at the ISA.
But the problem is the ISA cannot browse the network INSIDE.
I've tried permitting all IP traffic coming from the ISA to the inside of the firewall, but I still can't browse the network.
Any quick help will be appreciated.
Thanks a lot
11-17-2005 04:56 AM
Please excuse me for misunderstanding.
You mentioned "ISA is a member of the domain, which is INSIDE of the PIX" and at the same time "the problem is the ISA cannot browse the network INSIDE".
Assuming the requirement is to permit the ISA (on the PIX outside) inbound access, then a static NAT and an inbound ACL are required.
e.g.
static (outside,inside)
access-list inbound permit ip
access-group inbound in interface outside
clear xlate
11-17-2005 03:21 PM
1. Why do I need to do a static on the ISA IP?
2. Why does the access-list source the inside IP? I am trying to browse the inside network from the outside, so correct me if I am wrong, but the way I figure it is that the source is the ISA.
What I've done instead is the following:
static (inside,outside) insideDNS_ip insideDNS_ip
access-list acl_out permit ip host ISA_ip INSIDE_net
access-group acl_out in interface outside
11-17-2005 04:36 PM
Reading your original post, I was under the impression that the ISA on the PIX outside needs to access the entire PIX inside net. If this is the case, then NATing the entire subnet to public addresses would not be feasible (assuming you don't have a whole class C public IP range); alternatively, if you NAT the entire PIX inside net to a private subnet, then you won't be able to browse the Internet, as all source addresses are private.
11-18-2005 01:03 AM
I am using private IPs on all internal networks, including both ISA interfaces. The only public IP is the ADSL WAN interface.
Internet access is no longer an issue, because that was already working fine.
The only problem left is for the ISA to browse the network INSIDE.
11-18-2005 02:00 AM
OK, NAT has nothing to do with public/private addressing.
The PIX works by translating addresses between interfaces, not by routing. You can use a nat 0 function to tell the PIX to translate an address to itself, but it is still translated.
Try the following:
nat (outside) 0 a.b.c.d 255.255.255.255
where a.b.c.d is the IP address of the ISA server. This will translate the address of the ISA server to itself and allow a session back into the network (provided you have the correct ACL on the outside interface).
11-18-2005 12:54 AM
It's probably a NAT issue if you have the correct access-list on the outside interface
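The thread never shows a complete working configuration, so here is one as an added example (not taken from any post above) for PIX 6.x, following the identity-translation approach the replies describe. All addresses are assumptions made up for the example: inside subnet 10.1.1.0/24 with the DC/DNS at 10.1.1.10, the PIX outside interface at 10.1.2.1, and the ISA inside NIC at 10.1.2.10 on the PIX outside segment. The key point is that on a PIX an outside-initiated session needs both a translation slot for the inside destination and an inbound ACL on the outside interface; an ACL alone, as the original poster tried, is not enough. A static for only the DNS host (as in the 11-17-2005 03:21 PM post) gives the ISA a path to that one host only, so the identity static here covers the whole inside subnet.

```cisco
! Added example config for PIX 6.x -- assumed addressing, not from the thread:
!   inside subnet      10.1.1.0/24   (DC/DNS at 10.1.1.10)
!   PIX outside        10.1.2.1
!   ISA inside NIC     10.1.2.10     (on the PIX outside segment)
!
! Identity static: present the entire inside subnet to the outside at its
! real addresses. This creates the translation slots the PIX needs before it
! will accept a session initiated from the outside toward an inside host.
! Because it is an identity translation, inside clients also reach the ISA
! untranslated, so the ISA sees each client's real address (needed if it is
! to map traffic to computer names).
static (inside,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! Inbound ACL on the outside interface: only the ISA may initiate sessions
! into the inside subnet. Network browsing (NetBIOS/SMB) uses UDP 137-138 and
! TCP 139/445; "permit ip" covers these along with DNS and domain traffic.
access-list acl_out permit ip host 10.1.2.10 10.1.1.0 255.255.255.0
access-group acl_out in interface outside

! Clear existing translation slots so the new static takes effect at once.
clear xlate

! Verification from the PIX console after the ISA tries to browse:
!   show xlate                 - expect identity entries for 10.1.1.x hosts
!   show access-list acl_out   - hit count on the permit line should increase
!   show conn                  - inbound conns from 10.1.2.10 to 10.1.1.x
```

If the outside ACL is later tightened from "permit ip" to specific ports, keep in mind that name resolution and domain membership for the ISA also need DNS (UDP/TCP 53), Kerberos (88), LDAP (389) and RPC to the DC, not just the browsing ports.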