On a PIX 515, when anybody from outside (not the internet, another WAN site) tries to access the inside network, they can't. But if I ping from the inside network to an outside network host, it pings, and after this the outside network can access the inside network resources easily for up to 10 hours. After 10 or 12 hours the same problem happens again; we have to ping from the inside network to the outside host if we want the outside host to access the inside network. Access-lists are being used and NAT is disabled. What could be the possible problem?
We are also having the same issue as Haseeb. We are also using Access-lists, with NAT disabled. The communication is also between the inside and our DMZ. VPN is not involved here. PIX version is 6.2(2).
If you're using NAT 0 (or any other nat/global method) to provide connectivity to a lower security interface, then the hosts won't always be available for connectivity by the remote hosts. When you ping out, a translation is built and the hosts can connect. After a period of inactivity, the translation will time out and will no longer be available to that lower security interface. The ACL may be there, but there must be a NAT translation when accessing hosts from a lower security interface to a higher one.
This is what the static command is for: to make the NAT process always available. You can do static statements for a whole subnet that is really just NATted back to itself. For example, this command would NAT the whole inside network of 192.168.0.0/24 back to itself on the dmz interface. The translations will be "permanent" and not time out.
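The before/after configuration described in the reply above, as an added example that is not from the thread or from any of the posters. It assumes PIX 6.x command syntax, interface names "inside" and "dmz", the 192.168.0.0/24 inside network named in the reply, and a hypothetical ACL name and host address for the access-list lines; the xlate timeout value shown is the PIX 6.x default, not the 10-12 hours observed in the original post.

```cisco
! Added example, not configuration from the thread. Assumes PIX 6.x syntax,
! interfaces named "inside" and "dmz", and the inside network 192.168.0.0/24.

! --- Before: dynamic identity NAT. An xlate entry is only built when an
! inside host starts a connection (for example a ping) and it is removed
! after the xlate idle timeout, so dmz-initiated access works for a while
! and then fails again until another inside host rebuilds the entry.
nat (inside) 0 192.168.0.0 255.255.255.0
timeout xlate 3:00:00

! --- After: a static identity translation for the whole /24. The entry is
! permanent, so hosts on the lower-security dmz interface can reach inside
! hosts at any time, still subject to the ACL applied to the dmz interface.
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

! An ACL is still required on the lower-security interface; keep it as
! narrow as possible (hypothetical ACL name and web server address).
access-list dmz_in permit tcp any host 192.168.0.10 eq 80
access-group dmz_in in interface dmz

! Verification: the static entry is listed without an idle timer, and it
! stays present without any traffic having been sent from inside first.
show static
show xlate
```

After applying the static, a connection attempt from a dmz host to an inside host should succeed with no prior inside-to-dmz ping; if it still fails, check `show xlate` for the static entry and the dmz ACL hit counts before looking further.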
Well, the VPN concentrator is behind the firewall (inside network), but I couldn't see any VPN config on the firewall; I didn't check the VPN concentrator. One more thing I want to tell: the border router to which the PIX is connecting has 3 serial interfaces. One is going to the internet and the other 2 go to other WAN sites (not internet). From the internet I want to access only the VPN concentrator, but from the other 2 WAN sites the whole network. Shannon also has a point. For the VPN I had used this command :-
I had checked the VPN concentrator; it is configured for VPN tunnels. The clients are able to access it from the internet, but only when you ping it from inside, and after 10 hours you have to ping again from inside to outside in order to maintain the connection. I had checked the access-lists also, but they seem fine to me. Should I use the SYSOPT CONNECTION PERMIT-IPSEC command? I will also try to use the static command.