Cisco PIX 506

I have a PIX 506. All my public IPs start with 66.153.... and then they are mapped to a private IP in the PIX (access list and static ..). We got some more new IPs from my ISP that start with 64.80.... Now I mapped (access list/static in PIX) the new IP (64.80..). I can ping the firewall from inside but then I cannot get it to work. My PC will not go on to the Internet. Is there any other command I have to put in for the 64.80.. IP address?

Let me know. Thanks, Sam

smbusa2002

PIX questions are better addressed to comp.dcom.sys.cisco -- more PIX people hang around there.

You haven't shown enough of your configuration to be sure, but it sounds to me as if the problem is that your WAN router is not routing 64.80.whatever to the PIX outside interface IP. The PIX -will- proxy arp for any IP declared static to its outside network, but there are a number of circumstances under which proxy arp is disabled on the PIX, and your WAN router might simply not be expecting it, so it is always safer to have the WAN router route the additional ranges to the PIX interface.

Walter Roberson

Walter: This is my router configuration as it stands now. I haven't added anything. Like you said, I just have to add the route command, right? For e.g.: ip route 64.80. I am not a Cisco guru, so please help.

ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip tacacs source-interface Serial0
no ip http server
!
!
access-list 21 permit 66.155.
access-list 21 permit 64.80.
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 255.0.0.0 0.255.255.255 any log
access-list 101 deny ip 224.0.0.0 7.255.255.255 any log
access-list 101 deny ip host 0.0.0.0 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 66.153.114.48 0.0.0.15 any log
access-list 101 permit ip any any
tacacs-server host
tacacs-server host 64.
tacacs-server key I
banner motd ^C

smbusa2002

snipped-for-privacy@yahoo.com wrote on 14 Apr 2006 09:30:21 -0700:

Did you reset the PIX power? Or run clear xlate? You need to clear the existing translations in memory, and the arp cache. Had this happen last time I changed IPs on a 515.

Dan

Spack

In the config that you had shown, I couldn't see any statics configured. If it is just normal browsing that your users want, then you can achieve this with the help of a simple NAT and global command.

The syntax is as follows:

nat (inside) 1 10.1.1.0 255.255.255.0
nat (dmz) 1 172.16.16.0 255.255.255.0

global
global (outside) 1 - (in case you want to hide the traffic behind the outside interface)
global (outside) 1 192.168.1.20-192.168.1.200 netmask 255.255.255.0 (in case you have to use more than 1 IP address to hide)

I would recommend using the above formats using NATs and globals. Statics are more useful in case you want to configure one-to-one NAT for servers inside your DMZ. For example, let us say you have a web server and someone wants to reach your site: statics is what you have to use.

Hope this helps.

James

puppy

The configuration that smbusa2002 showed (in another part of the thread) was the configuration for an IOS router, not for a PIX. You can tell by the "ip classless" statement, which is not valid for any PIX release to date.

Walter Roberson
