04-07-2003 01:24 AM - edited 02-20-2020 10:40 PM
For the diagram please see www.ciscofan.com/smbc.jpg
Now, the EBS router has an NM-1CE1U and an NM-30DM, so remote clients can dial in to the network. The PBOC router has a WIC-2T module and connects to the remote side via DDN. The PIX's ebs interface IP address is x.x.45.2, the EBS router's Ethernet IP address is x.x.45.1, and the IP address pool the remote clients get their addresses from is x.x.45.110-x.x.45.140. The IP address of the PIX 515E's inside interface is x.x.44.1. I use "nat 0 0 0" to avoid any NAT (imagine the PIX as a router).

Then the strange thing happens. After configuration, from the EBS router I can't ping any address like x.x.44.x. After server1 pings x.x.45.1, both the dialer clients and the EBS router can ping server1, but can't ping server2; after server2 pings x.x.45.1 (the EBS router), both the dialer clients and the EBS router can ping server2, and so on. That means the inside computers must ping the outside computers first, and only then can the outside computers access (including ping) the inside server.

And the even stranger thing is that if there is no traffic between EBS and the remote client (or the EBS router) for some time (maybe some hours, but I am not sure), the remote dialer clients or the EBS router can't ping (access) the inside servers. For instance, after one night, in the morning the remote dialer clients or the EBS router can't ping x.x.44.x. It seems there is a time-out configuration, but how can I set it up?
The following is the PIX (515E)'s configuration:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 ebs security20
nameif ethernet5 pboc security25
enable password n5vL encrypted
passwd 2KFQnencrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto shutdown
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto
interface ethernet5 auto
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu ebs 1500
mtu pboc 1500
ip address outside 127.0.0.1 255.0.0.0
ip address inside x.x.44.1 255.255.255.0
ip address intf2 129.0.0.1 255.255.255.0
ip address intf3 127.0.0.1 255.255.255.255
ip address ebs x.x.45.2 255.255.255.0
ip address pboc x.x.46.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address ebs 0.0.0.0
failover ip address pboc 0.0.0.0
pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
conduit permit ip any any
route pboc 10.24.15.0 255.255.255.0 x.x.46.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
04-07-2003 05:18 AM
You don't have any static commands to create static translation slots. Thus, you need outbound traffic to create temporary translation slots, but as these are not permanent, you will have problems.
static (inside, outside) x.x.44.0 x.x.44.0 netmask 255.255.255.0
should bring you happiness
04-14-2003 05:10 PM
Yes, it works, but could you tell me what the function of "static (inside, outside) x.x.44.0 x.x.44.0 netmask 255.255.255.0" is? Thanks.
04-15-2003 05:21 AM
Static commands make a permanent translation slot for traffic. In an environment with no NAT (nat 0...), you use a netstatic (a static command for an entire block of IP addresses). This makes all of those hosts *potentially* accessible through the PIX - you still need to open up the ports via an ACL or conduit.
Similar thing applies for natted environments, but there you typically have one static command per one server you want accessible. In PAT, you use statics to forward unique ports.
But why static? If you only use nat 0, only *temporary* translation slots are created, so that if host A is sending outbound traffic to the internet, then host B (provided there is an access list/conduit that permits this behaviour) can make a connection to A. But if A stops sending any outbound traffic, eventually the temporary translation slot times out, and no external hosts can initiate connections to A. Hence the need for a mechanism through which permanent translation slots can be made.
Matt
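Putting the two answers side by side against the posted configuration, as an added example (this is not configuration from the thread or from Cisco; it is written here to illustrate the point). The first block is what the original config does: identity NAT only, so the inside hosts get a translation slot only after they send traffic, and the posted "timeout xlate 3:00:00" is exactly the idle period after which that slot disappears, which matches the overnight loss of reachability. The second block adds the netstatic from the accepted answer so the slot is permanent. The third block is an assumption on top of the thread: Matt's point that a static only makes hosts *potentially* reachable, and that ports still have to be opened, is worth taking literally, because the posted "conduit permit ip any any" opens every inside host to every lower-security interface once the static exists. The access-list name "ebs_in", the choice of services (ICMP echo, HTTP and SQL*Net, the last two taken from the fixup lines in the posted config) and the x.x.45.0/24 source range covering the dial-in pool and the EBS router are all assumed, not stated in the thread; replace them with what the site actually needs.

```cisco
! --- As posted: identity NAT, nothing permanent, everything open ---
! An inside host gets a translation slot only when it sends traffic out,
! and that slot is aged out after 3 hours idle (the "overnight" symptom).
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
timeout xlate 3:00:00
conduit permit icmp any any
conduit permit ip any any

! --- Accepted answer: netstatic gives x.x.44.0/24 a permanent slot ---
! Identity static (local and global address are the same block), so the
! PIX never has to wait for outbound traffic before allowing inbound.
static (inside,outside) x.x.44.0 x.x.44.0 netmask 255.255.255.0
! Assumption: if "show xlate" shows no entry for the ebs pair after this,
! the same netstatic can be written against the ebs interface instead:
! static (inside,ebs) x.x.44.0 x.x.44.0 netmask 255.255.255.0

! --- Assumed tightening, not from the thread: replace any/any conduits ---
! Only the dial-in pool and the EBS router (x.x.45.0/24, assumed) reach the
! inside servers, and only for echo, HTTP and SQL*Net (ports assumed).
access-list ebs_in permit icmp x.x.45.0 255.255.255.0 x.x.44.0 255.255.255.0 echo
access-list ebs_in permit tcp x.x.45.0 255.255.255.0 x.x.44.0 255.255.255.0 eq 80
access-list ebs_in permit tcp x.x.45.0 255.255.255.0 x.x.44.0 255.255.255.0 eq 1521
access-list ebs_in deny ip any any
access-group ebs_in in interface ebs
no conduit permit ip any any
no conduit permit icmp any any

! --- Check ---
! With the static in place the slot is listed before any inside host has
! sent a packet; with nat 0 alone it only appears after outbound traffic.
show xlate
show conn
```

The check is the part worth keeping in the runbook: "show xlate" taken first thing in the morning, before anyone on the inside has generated traffic, tells you whether the translation slot is permanent (static) or was merely created by yesterday's outbound traffic (nat 0 only) and has since aged out.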