04-18-2008 11:18 PM - edited 03-11-2019 05:33 AM
Looks like my PIX501 is not doing what I told it to do. I want my internal LAN traffic to be NATed and encrypted to all remote private LANs, except the destinations specified in the ACL:
access-list toJoseph permit ip 10.1.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list toJoseph permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list toJoseph permit ip 10.1.1.0 255.255.255.0 host 192.168.101.1
access-list toJoseph permit ip 10.1.1.0 255.255.255.0 host 192.168.42.11
access-list toJoseph permit ip 10.1.1.0 255.255.255.0 host 192.168.75.5
------------
nat (inside) 0 access-list toJoseph
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
---------------
crypto map cmTest 10 match address toJoseph
-----------
When I ping the remote side private LAN address 192.168.1.x I don't see the match counter increase on the ACL rule from 10.1.1.0 to 192.168.0.0.
When I ping 192.168.200.10 (another IP excluded from the nat 1 rule) the ACL match counter from 10.1.1.0 to 192.168.200.10 goes up.
The whole PIX config is attached.
04-19-2008 11:03 AM
You said:
When I ping the remote side private LAN address 192.168.1.x I don't see the match counter increase on the ACL rule from 10.1.1.0 to 192.168.0.0
In the config:
access-list toJoseph permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0
That's correct: the subnet ID is
192.168.0.0 with mask /24!
Maybe you need:
access-list toJoseph permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
04-25-2008 05:37 PM
I think you shouldn't see it, as your rule in the ACL is: access-list toJoseph permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0
As you are pinging 192.168.1.x, there won't be any hits, since your rule above is for 192.168.0.0 with a mask of 255.255.255.0.
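As an added illustration (not code from the thread or from Cisco), the small Python checker below applies PIX-style first-match ACL logic to the access-list lines from the first post, copied in as constructed input, and shows why a ping from 10.1.1.x to 192.168.1.x hits none of the entries while 192.168.200.10 hits the first one. It assumes PIX ACL syntax with ordinary subnet masks (not IOS wildcard masks) and the `host` keyword for single addresses.

```python
import ipaddress

# ACL lines as posted in the thread (constructed input for this example)
ACL = """
access-list toJoseph permit ip 10.1.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list toJoseph permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list toJoseph permit ip 10.1.1.0 255.255.255.0 host 192.168.101.1
access-list toJoseph permit ip 10.1.1.0 255.255.255.0 host 192.168.42.11
access-list toJoseph permit ip 10.1.1.0 255.255.255.0 host 192.168.75.5
"""

def _parse_addr(tokens, i):
    """Consume one PIX address spec ('host A.B.C.D' or 'NET MASK'); return (network, next index)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX/ASA ACLs take a real subnet mask, so 192.168.0.0 255.255.255.0 is only 192.168.0.0-255
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_acl(text):
    """Return (acl_name, action, src_net, dst_net) tuples for each 'access-list ... ip' line."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[3] != "ip":
            continue  # skip blank lines and non-ip ACEs
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        entries.append((t[1], t[2], src, dst))
    return entries

def first_match(entries, src_ip, dst_ip):
    """Index of the first ACE matching the flow (first match wins, as on the PIX), or None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, (_, _, src_net, dst_net) in enumerate(entries):
        if s in src_net and d in dst_net:
            return n
    return None

ENTRIES = parse_acl(ACL)

if __name__ == "__main__":
    for dst in ("192.168.1.10", "192.168.200.10", "192.168.0.10"):
        print(f"10.1.1.5 -> {dst}: matches ACE {first_match(ENTRIES, '10.1.1.5', dst)}")
```

A `None` result for 192.168.1.10 is exactly the "no hit count increase" seen on the PIX; the entry would need a 192.168.1.0 255.255.255.0 destination (or a wider mask) to cover that subnet.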