SNMP & ICMP to MANY hosts from PIX outside I/F to inside I/F

sheidelbach · ‎10-25-2002

I have a situation where I have a couple of hosts on the outside interface of a PIX that need to send SNMP and ICMP messages to every interconnect device on the inside of the PIX. I know, sounds strange, but the network management stations are on the outside of the PIX dispite my best efforts to convince the customer otherwise.

**Important Note - the PIX is NOT doing NAT for any addresses.

The access-list & conduit configs are pretty straight forward, but the only way I have been able to get this to work with access-lists, or conduits, is to configure a static translation in the PIX for every single inside IP address!! This equites to about 400-500 entries!!

The static commands just map the inside and outside addresses as the same address (since there is no NAT going on) too.

Example: static (inside,outside) 10.17.184.193 10.17.184.193

There has got to be a better way to do this without all those static entries.

Any help would be GREATLY appreciated.

steve.barlow · ‎10-25-2002

Sure is an easier way:

static (inside,outside) 10.17.184.0 10.17.184.0 netmask 255.255.255.0

access-list acl_in permit icmp host x.x.x.x 10.17.184.0 255.255.255.0

An example of what I have used in the past:

static (inside,web) 10.216.13.0 10.216.13.0 netmask 255.255.255.0 0 0

static (inside,web) 10.216.7.0 10.216.7.0 netmask 255.255.255.0 0 0

access-list 110 permit tcp host 192.168.187.1 host 10.216.7.20 range 12001 12003

access-list 110 permit tcp host 192.168.187.1 host 10.216.7.20 eq 135

access-list 110 permit tcp host 192.168.187.1 host 10.216.13.1 eq 7001

access-list 110 permit tcp host 192.168.187.1 host 10.216.13.2 eq 7001

Hope it helps.

Steve