
PIX static - to a different VTP domain?

linnea.wren
Level 1

Hi,

I do new statics & ACLs in our PIX (v6.3) mostly by following working examples. Usually that works.

The other day I tried to put in a new static, but then was unable to ping the outside address.

Two things about the inside address I was trying to static :

... It's in a different VTP domain than the PIX. (All other new statics I've set up have been in the same VTP domain.)

... To get to it from the PIX you traverse a 6509 msfc, then a 3745 router, then another 6509 msfc. (All other new statics I've set up are gotten to by traversing only the 1st 6509 msfc.)

Would either the VTP domain situation, or the route situation, prevent the static in the PIX from working?

Or, do I need to just go back and look for typos...

TIA


Fernando_Meza
Level 7

Hi .. nothing to do with VTP. VTP runs at layer 2 only and hence the firewall is not affected.

Routing needs to be checked. You need to make sure that the inside static that you have set up is actually reachable from the PIX and also you need to make sure that traffic from the inside host to 0.0.0.0 is actually traversing the firewall.

Then you need to make sure the Outside hosts can reach the Public Address that the inside host has been NATed to.

static (inside,outside) mask 255.255.255.255

access-group outside-in in interface outside

access-list outside-in permit ip any 255.255.255.255

You might need to add a static route on the PIX for that host / subnet

route inside X.X.X.0 255.255.255.0 <6509 address>

I hope it helps .. please rate it if it does !!!
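The checks listed in the reply above can be run against a saved configuration. This is an added example, not part of the original thread and not Cisco tooling: a small Python check that every static has a route on its real interface and a permit in an ACL applied to its mapped interface. All addresses are constructed placeholders, `10.1.1.2` stands in for the first 6509 MSFC, and the parser assumes simple one-line `ip address`, `route`, `static ... netmask`, `access-list` and `access-group` entries.

```python
import ipaddress
import re

# Constructed PIX 6.3-style config; every address is a placeholder.
SAMPLE = """\
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.254 1
static (inside,outside) 192.0.2.10 10.20.30.40 netmask 255.255.255.255 0 0
access-list outside-in permit icmp any host 192.0.2.10
access-group outside-in in interface outside
"""
# Assumed fix: 10.1.1.2 stands in for the first 6509 MSFC on the inside.
FIX = "route inside 10.20.30.0 255.255.255.0 10.1.1.2 1\n"


def routes(cfg):
    """Connected and static routes as (network, interface) pairs."""
    found = []
    for m in re.finditer(r"^ip address (\S+) (\S+) (\S+)$", cfg, re.M):
        found.append((ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False), m[1]))
    for m in re.finditer(r"^route (\S+) (\S+) (\S+) \S+", cfg, re.M):
        found.append((ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False), m[1]))
    return found


def has_route(cfg, ifname, ip):
    """True if a route on ifname covers ip (the firewall can reach the host)."""
    addr = ipaddress.ip_address(ip)
    return any(i == ifname and addr in net for net, i in routes(cfg))


def check_statics(cfg):
    """List what is missing for each static (real_if,mapped_if) translation."""
    problems = []
    bound = {m[2]: m[1] for m in re.finditer(
        r"^access-group (\S+) in interface (\S+)$", cfg, re.M)}
    for m in re.finditer(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask", cfg, re.M):
        real_if, mapped_if, mapped, real = m.groups()
        if not has_route(cfg, real_if, real):
            problems.append(f"no route on {real_if} covering real address {real}")
        acl = re.escape(bound.get(mapped_if, ""))
        permit = rf"^access-list {acl} permit \S+ any host {re.escape(mapped)}\b"
        if mapped_if not in bound or not re.search(permit, cfg, re.M):
            problems.append(f"no permit for {mapped} in an ACL applied to {mapped_if}")
    return problems


if __name__ == "__main__":
    print(check_statics(SAMPLE))        # inside route missing
    print(check_statics(SAMPLE + FIX))  # nothing missing
```

The sample mirrors the question's case: the inside host sits several hops behind the first 6509, so only the default route on the outside covers it until the inside route is added.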
