[fw-wiz] Pix 525 NAT!

From: Seyed Hossein hamidi (shhamidi_at_qomedu.ir)
Date: 02/15/05

    To: firewall-wizards@honor.icsalabs.com
    Date: Tue, 15 Feb 2005 14:23:40 +0330
    
    

    Hi to all,
    Excuse me, I will try to explain my network.
    We have 5 wireless access points between 5 zones (the main zone is zone0),
    and my firewall is in zone0.
    We want to deny bad access from each zone to the other zones.
    I created VLANs and zone0, zone1, zone2, zone3, zone4, zonef on ethernet1,
    and the PIX now works fine. To add my government network to this
    configuration, we can add another zone (zoned) or use ethernet0
    for this network.
    This network has a Cisco 800 router with one 10 Mb/s Ethernet port (a 4-port
    hub) and one ATM (my ATM connects to the upper network).
    I added the VLAN zoned to ethernet1 of the PIX, enabled RIP routing on
    it, and can see the routing table of the router on the PIX.
    I use a zone0 computer for testing, for example 192.168.0.140, and can
    ping 10.68.146.1 (ethernet0 of the gov router) and also can ping
    172.16.2.42 (ATM0 of the gov router), but we must use the 10.68.16.2 web
    server for the gov application, and in this situation can't see the outer
    network of the 800 router.
    I can access all networks from the PIX console and can ping 10.68.16.2!
    But from the zone0 users can I access?
    Why? The PIX is doing NAT, but ...?
    I have added the router config and the PIX 525 config,
    and the output of the routing table of each device is attached.

    Thank you.
    Seyed Hossein Hamidi

    *************PIX CONFIG :*****************

    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet1 vlan20 physical
    interface ethernet1 vlan10 logical
    interface ethernet1 vlan11 logical
    interface ethernet1 vlan12 logical
    interface ethernet1 vlan13 logical
    interface ethernet1 vlan14 logical
    interface ethernet1 vlan15 logical
    interface ethernet1 vlan50 logical
    nameif ethernet0 zone00 security99
    nameif ethernet1 inside security100
    nameif gb-ethernet0 intf2 security4
    nameif gb-ethernet1 intf3 security6
    nameif vlan10 zone0 security90
    nameif vlan11 zone1 security80
    nameif vlan12 zone2 security70
    nameif vlan13 zone3 security60
    nameif vlan14 zone4 security50
    nameif vlan15 zonef security40
    nameif vlan50 zoned security20

    hostname Pix525
    domain-name ciscopix.com
    clock timezone IRST 3 30
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol icmp error
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list zone00 permit tcp any any
    access-list zone00 permit udp any any
    access-list zone00 permit icmp any any
    access-list zone00 permit icmp any any echo
    access-list zone00 permit icmp any any echo-reply
    access-list inside permit tcp any any
    access-list inside permit udp any any
    access-list inside permit icmp any any
    access-list inside permit icmp any any echo
    access-list inside permit icmp any any echo-reply
    access-list zone0 permit tcp any any
    access-list zone0 permit udp any any
    access-list zone0 permit icmp any any
    access-list zone0 permit icmp any any echo
    access-list zone0 permit icmp any any echo-reply
    access-list zone0 deny tcp any any gt 1024
    access-list zone0 deny udp any any gt 1024
    access-list zone1 permit tcp any any eq 1503
    access-list zone1 permit tcp any any eq h323
    access-list zone1 permit icmp any host 192.168.1.15
    access-list zone1 permit udp any any eq 1433
    access-list zone1 permit udp any any eq 1434
    access-list zone1 permit tcp any any eq 1434
    access-list zone1 permit tcp any any eq 1433
    access-list zone1 permit tcp any any eq 3389
    access-list zone1 permit udp any any eq 3389
    access-list zone1 deny tcp any any gt 1024
    access-list zone1 deny udp any any gt 1024
    access-list zone1 permit tcp any any
    access-list zone1 permit udp any any
    access-list zone1 permit icmp any any
    access-list zone2 permit tcp any any eq 1503
    access-list zone2 permit tcp any any eq h323
    access-list zone2 permit icmp any host 192.168.2.15
    access-list zone2 permit udp any any eq 1433
    access-list zone2 permit udp any any eq 1434
    access-list zone2 permit tcp any any eq 1434
    access-list zone2 permit tcp any any eq 1433
    access-list zone2 permit tcp any any eq 3389
    access-list zone2 permit udp any any eq 3389
    access-list zone2 deny tcp any any gt 1024
    access-list zone2 deny udp any any gt 1024
    access-list zone2 permit tcp any any
    access-list zone2 permit udp any any
    access-list zone2 permit icmp any any
    access-list zone3 permit tcp any any eq 1503
    access-list zone3 permit tcp any any eq h323
    access-list zone3 permit icmp any host 192.168.3.15
    access-list zone3 permit udp any any eq 1433
    access-list zone3 permit udp any any eq 1434
    access-list zone3 permit tcp any any eq 1434
    access-list zone3 permit tcp any any eq 1433
    access-list zone3 permit tcp any any eq 3389
    access-list zone3 permit udp any any eq 3389
    access-list zone3 deny tcp any any gt 1024
    access-list zone3 deny udp any any gt 1024
    access-list zone3 permit tcp any any
    access-list zone3 permit udp any any
    access-list zone3 permit icmp any any
    access-list zone4 permit tcp any any eq 1503
    access-list zone4 permit tcp any any eq h323
    access-list zone4 permit icmp any host 192.168.4.15
    access-list zone4 permit udp any any eq 1433
    access-list zone4 permit udp any any eq 1434
    access-list zone4 permit tcp any any eq 1434
    access-list zone4 permit tcp any any eq 1433
    access-list zone4 permit tcp any any eq 3389
    access-list zone4 permit udp any any eq 3389
    access-list zone4 deny tcp any any gt 1024
    access-list zone4 deny udp any any gt 1024
    access-list zone4 permit tcp any any
    access-list zone4 permit udp any any
    access-list zone4 permit icmp any any
    access-list zonef permit tcp any any eq 1503
    access-list zonef permit tcp any any eq h323
    access-list zonef permit icmp any host 192.168.10.15
    access-list zonef permit udp any any eq 1433
    access-list zonef permit udp any any eq 1434
    access-list zonef permit tcp any any eq 1434
    access-list zonef permit tcp any any eq 1433
    access-list zonef permit tcp any any eq 3389
    access-list zonef permit udp any any eq 3389
    access-list zonef deny tcp any any gt 1024
    access-list zonef deny udp any any gt 1024
    access-list zonef permit tcp any any
    access-list zonef permit udp any any
    access-list zonef permit icmp any any
    access-list zoned permit tcp any any
    access-list zoned permit udp any any
    access-list zoned permit icmp any any
    access-list zoned permit icmp any any echo
    access-list zoned permit icmp any any echo-reply
    pager lines 24
    logging on
    logging timestamp
    logging trap debugging
    logging history debugging
    logging host zone0 192.168.0.10 6/1468
    mtu zone00 1500
    mtu inside 1500
    mtu intf2 1500
    mtu intf3 1500
    no ip address zone00
    ip address inside 192.168.250.105 255.255.255.0
    no ip address intf2
    no ip address intf3
    ip address zone0 192.168.0.15 255.255.255.0
    ip address zone1 192.168.1.15 255.255.255.0
    ip address zone2 192.168.2.15 255.255.255.0
    ip address zone3 192.168.3.15 255.255.255.0
    ip address zone4 192.168.4.15 255.255.255.0
    ip address zonef 192.168.10.15 255.255.255.0
    ip address zoned 10.68.146.15 255.255.255.0
    ip verify reverse-path interface zone00
    ip verify reverse-path interface inside
    ip verify reverse-path interface zone0
    ip verify reverse-path interface zone1
    ip verify reverse-path interface zone2
    ip verify reverse-path interface zone3
    ip verify reverse-path interface zone4
    ip verify reverse-path interface zonef
    multicast interface zone00
    multicast interface zone0
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address zone00
    no failover ip address inside
    no failover ip address intf2
    no failover ip address intf3
    no failover ip address zone0
    no failover ip address zone1
    no failover ip address zone2
    no failover ip address zone3
    no failover ip address zone4
    no failover ip address zonef
    no failover ip address zoned
    pdm location 192.168.0.0 255.255.255.0 zone0
    pdm location 192.168.0.10 255.255.255.255 zone0
    pdm location 10.68.146.0 255.255.255.0 zoned
    pdm location 10.68.16.0 255.255.255.0 zoned
    pdm location 172.16.0.0 255.255.0.0 zoned
    pdm history enable
    arp timeout 14400
    static (zone1,zone0) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
    static (zone2,zone0) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 0 0
    static (zone3,zone0) 192.168.3.0 192.168.3.0 netmask 255.255.255.0 0 0
    static (zone4,zone0) 192.168.4.0 192.168.4.0 netmask 255.255.255.0 0 0
    static (zone0,zone1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
    static (zone2,zone1) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 0 0
    static (zone3,zone1) 192.168.3.0 192.168.3.0 netmask 255.255.255.0 0 0
    static (zone4,zone1) 192.168.4.0 192.168.4.0 netmask 255.255.255.0 0 0
    static (zone1,zone2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
    static (zone0,zone2) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
    static (zone3,zone2) 192.168.3.0 192.168.3.0 netmask 255.255.255.0 0 0
    static (zone4,zone2) 192.168.4.0 192.168.4.0 netmask 255.255.255.0 0 0
    static (zone1,zone3) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
    static (zone2,zone3) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 0 0
    static (zone0,zone3) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
    static (zone4,zone3) 192.168.4.0 192.168.4.0 netmask 255.255.255.0 0 0
    static (zone1,zone4) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
    static (zone2,zone4) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 0 0
    static (zone3,zone4) 192.168.3.0 192.168.3.0 netmask 255.255.255.0 0 0
    static (zone0,zone4) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
    static (zone0,zonef) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
    static (zone1,zonef) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
    static (zone2,zonef) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 0 0
    static (zone3,zonef) 192.168.3.0 192.168.3.0 netmask 255.255.255.0 0 0
    static (zone4,zonef) 192.168.4.0 192.168.4.0 netmask 255.255.255.0 0 0
    static (zonef,zone0) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 0 0
    static (zonef,zone1) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 0 0
    static (zonef,zone2) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 0 0
    static (zonef,zone3) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 0 0
    static (zonef,zone4) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 0 0
    static (zone0,zoned) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
    static (zoned,zone0) 10.68.146.0 10.68.146.0 netmask 255.255.255.0 0 0
    access-group zone00 in interface zone00
    access-group inside in interface inside
    access-group zone0 in interface zone0
    access-group zone1 in interface zone1
    access-group zone2 in interface zone2
    access-group zone3 in interface zone3
    access-group zone4 in interface zone4
    access-group zonef in interface zonef
    access-group zoned in interface zoned
    rip zoned passive version 2
    route zoned 10.68.16.0 255.255.255.0 10.68.146.1 1
    route zoned 172.16.0.0 255.255.0.0 10.68.146.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.0.0 255.255.255.0 zone0
    snmp-server enable traps
    tftp-server zone0 192.168.0.140 config.txt
    no floodguard enable
    telnet timeout 1
    ssh 192.168.0.0 255.255.255.0 zone0
    ssh timeout 5
    management-access zone0
    console timeout 0
    terminal width 80
    *************Cisco800 CONFIG :*****************
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname SHAHR-CO
    !
    enable secret 5 XXXX
    !
    username SHAHR-CO password 7 XXX
    no ip subnet-zero
    no ip domain-lookup
    !
    !
    !
    !
    interface Ethernet0
    ip address 10.68.146.1 255.255.255.0
    no keepalive
    hold-queue 100 out
    !
    interface ATM0
    ip address 172.16.2.41 255.255.255.252
    no atm ilmi-keepalive
    pvc 1/1
    protocol ip 172.16.2.42 broadcast
    !
    dsl equipment-type CO
    dsl operating-mode GSHDSL symmetric annex A
    dsl linerate AUTO
    !
    router rip
    version 2
    network 10.0.0.0
    network 172.16.0.0
    no auto-summary
    !
    ip classless
    ip route 10.68.146.0 255.255.255.0 10.68.146.15
    ip route 192.168.0.0 255.255.0.0 10.68.146.15
    ip http server
    !
    !
    route-map t permit 10
    !
    !
    line con 0
    exec-timeout 120 0
    stopbits 1
    line vty 0
    access-class 1 in
    exec-timeout 120 0
    password 7 XXX
    login local
    length 0
    line vty 1 4
    access-class 23 in
    exec-timeout 120 0
    login local
    length 0
    !
    scheduler max-task-time 5000
    end
    *********Cisco800 Route Out And Trace :**************
    SHAHR-CO#sh ip ro
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
    i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
    * - candidate default, U - per-user static route, o - ODR
    P - periodic downloaded static route

    Gateway of last resort is not set

    172.16.0.0/16 is variably subnetted, 102 subnets, 2 masks
    R 172.16.1.176/30 [120/2] via 172.16.2.42, 00:00:04, ATM0
    R 172.16.1.168/30 [120/3] via 172.16.2.42, 00:00:25, ATM0
    R 172.16.1.156/30 [120/2] via 172.16.2.42, 00:00:25, ATM0
    R 172.16.1.148/30 [120/2] via 172.16.2.42, 00:00:25, ATM0
    R 172.16.1.144/30 [120/3] via 172.16.2.42, 00:00:25, ATM0
    R 172.16.1.140/30 [120/3] via 172.16.2.42, 00:00:25, ATM0
    R 172.16.1.136/30 [120/3] via 172.16.2.42, 00:00:25, ATM0
    R 172.16.1.128/30 [120/2] via 172.16.2.42, 00:00:25, ATM0
    R 172.16.1.252/30 [120/3] via 172.16.2.42, 00:00:25, ATM0
    R 172.16.1.248/30 [120/2] via 172.16.2.42, 00:00:25, ATM0
    R 172.16.1.244/30 [120/2] via 172.16.2.42, 00:00:25, ATM0
    R 172.16.1.240/30 [120/2] via 172.16.2.42, 00:00:25, ATM0
    R 172.16.1.236/30 [120/2] via 172.16.2.42, 00:00:27, ATM0
    R 172.16.1.224/30 [120/3] via 172.16.2.42, 00:00:27, ATM0
    R 172.16.1.208/30 [120/2] via 172.16.2.42, 00:00:27, ATM0
    R 172.16.1.200/30 [120/2] via 172.16.2.42, 00:00:27, ATM0
    R 172.16.1.196/30 [120/3] via 172.16.2.42, 00:00:27, ATM0
    R 172.16.12.48/30 [120/2] via 172.16.2.42, 00:00:27, ATM0
    R 172.16.13.48/30 [120/2] via 172.16.2.42, 00:00:27, ATM0
    R 172.16.11.52/30 [120/2] via 172.16.2.42, 00:00:27, ATM0
    R 172.16.12.52/30 [120/2] via 172.16.2.42, 00:00:27, ATM0
    R 172.16.13.52/30 [120/2] via 172.16.2.42, 00:00:27, ATM0
    R 172.16.11.48/30 [120/2] via 172.16.2.42, 00:00:27, ATM0
    R 172.16.12.56/30 [120/2] via 172.16.2.42, 00:00:27, ATM0
    R 172.16.13.56/30 [120/2] via 172.16.2.42, 00:00:27, ATM0
    R 172.16.1.52/30 [120/3] via 172.16.2.42, 00:00:27, ATM0
    R 172.16.11.60/30 [120/2] via 172.16.2.42, 00:00:27, ATM0
    R 172.16.13.60/30 [120/2] via 172.16.2.42, 00:00:27, ATM0
    R 172.16.1.48/30 [120/3] via 172.16.2.42, 00:00:27, ATM0
    R 172.16.11.56/30 [120/1] via 172.16.2.42, 00:00:27, ATM0
    R 172.16.12.32/30 [120/2] via 172.16.2.42, 00:00:27, ATM0
    R 172.16.1.44/30 [120/3] via 172.16.2.42, 00:00:27, ATM0
    R 172.16.13.32/30 [120/2] via 172.16.2.42, 00:00:27, ATM0
    R 172.16.2.44/30 [120/3] via 172.16.2.42, 00:00:27, ATM0
    R 172.16.11.36/30 [120/2] via 172.16.2.42, 00:00:27, ATM0
    R 172.16.12.36/30 [120/2] via 172.16.2.42, 00:00:28, ATM0
    R 172.16.1.40/30 [120/2] via 172.16.2.42, 00:00:28, ATM0
    R 172.16.13.36/30 [120/2] via 172.16.2.42, 00:00:28, ATM0
    C 172.16.2.40/30 is directly connected, ATM0
    R 172.16.11.32/30 [120/2] via 172.16.2.42, 00:00:28, ATM0
    R 172.16.12.40/30 [120/2] via 172.16.2.42, 00:00:28, ATM0
    R 172.16.13.40/30 [120/2] via 172.16.2.42, 00:00:28, ATM0
    R 172.16.2.36/30 [120/3] via 172.16.2.42, 00:00:28, ATM0
    R 172.16.11.44/30 [120/2] via 172.16.2.42, 00:00:28, ATM0
    R 172.16.13.44/30 [120/2] via 172.16.2.42, 00:00:28, ATM0
    R 172.16.1.32/30 [120/3] via 172.16.2.42, 00:00:28, ATM0
    R 172.16.2.32/30 [120/2] via 172.16.2.42, 00:00:28, ATM0
    R 172.16.11.40/30 [120/2] via 172.16.2.42, 00:00:28, ATM0
    R 172.16.12.16/30 [120/2] via 172.16.2.42, 00:00:28, ATM0
    R 172.16.13.16/30 [120/2] via 172.16.2.42, 00:00:28, ATM0
    R 172.16.1.28/30 [120/2] via 172.16.2.42, 00:00:28, ATM0
    R 172.16.11.20/30 [120/2] via 172.16.2.42, 00:00:28, ATM0
    R 172.16.12.20/30 [120/2] via 172.16.2.42, 00:00:28, ATM0
    R 172.16.13.20/30 [120/2] via 172.16.2.42, 00:00:28, ATM0
    R 172.16.2.24/30 [120/2] via 172.16.2.42, 00:00:28, ATM0
    R 172.16.11.16/30 [120/2] via 172.16.2.42, 00:00:28, ATM0
    R 172.16.12.24/30 [120/2] via 172.16.2.42, 00:00:28, ATM0
    R 172.16.1.20/30 [120/2] via 172.16.2.42, 00:00:28, ATM0
    R 172.16.13.24/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.11.28/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.12.28/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.13.28/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.2.16/30 [120/3] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.11.24/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.11.4/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.12.4/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.13.4/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.12.8/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.1.4/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.13.8/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.2.4/30 [120/3] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.11.12/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.12.12/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.13.12/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.11.8/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.1.124/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.1.120/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.11.112/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.1.104/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.11.96/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.100.0/24 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.101.0/24 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.102.0/24 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.11.108/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.11.104/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.1.92/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.11.84/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.11.80/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.11.92/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.11.88/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.12.64/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.13.64/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.1.76/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.11.68/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.12.68/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.13.68/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.11.64/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.13.72/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.2.68/30 [120/3] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.11.76/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.1.64/30 [120/3] via 172.16.2.42, 00:00:00, ATM0
    R 172.16.11.72/30 [120/2] via 172.16.2.42, 00:00:00, ATM0
    10.0.0.0/24 is subnetted, 37 subnets
    R 10.68.78.0 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 10.68.74.0 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 10.68.72.0 [120/4] via 172.16.2.42, 00:00:00, ATM0
    R 10.68.70.0 [120/4] via 172.16.2.42, 00:00:00, ATM0
    R 10.68.68.0 [120/4] via 172.16.2.42, 00:00:00, ATM0
    R 10.68.64.0 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 10.68.84.0 [120/4] via 172.16.2.42, 00:00:00, ATM0
    R 10.68.104.0 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 10.68.100.0 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 10.68.98.0 [120/4] via 172.16.2.42, 00:00:00, ATM0
    R 10.68.126.0 [120/4] via 172.16.2.42, 00:00:00, ATM0
    R 10.68.124.0 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 10.68.122.0 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 10.68.120.0 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 10.68.118.0 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 10.68.112.0 [120/4] via 172.16.2.42, 00:00:00, ATM0
    R 10.68.14.0 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 10.68.10.0 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 10.68.2.0 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 10.68.26.0 [120/4] via 172.16.2.42, 00:00:00, ATM0
    R 10.68.24.0 [120/4] via 172.16.2.42, 00:00:00, ATM0
    R 10.68.20.0 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 10.68.16.0 [120/4] via 172.16.2.42, 00:00:00, ATM0
    R 10.68.46.0 [120/2] via 172.16.2.42, 00:00:00, ATM0
    R 10.68.38.0 [120/2] via 172.16.2.42, 00:00:01, ATM0
    R 10.68.32.0 [120/4] via 172.16.2.42, 00:00:01, ATM0
    R 10.68.62.0 [120/2] via 172.16.2.42, 00:00:01, ATM0
    R 10.68.60.0 [120/2] via 172.16.2.42, 00:00:01, ATM0
    R 10.68.52.0 [120/2] via 172.16.2.42, 00:00:01, ATM0
    R 10.68.142.0 [120/2] via 172.16.2.42, 00:00:01, ATM0
    R 10.68.138.0 [120/2] via 172.16.2.42, 00:00:01, ATM0
    R 10.68.134.0 [120/4] via 172.16.2.42, 00:00:01, ATM0
    R 10.68.128.0 [120/4] via 172.16.2.42, 00:00:01, ATM0
    R 10.68.148.0 [120/4] via 172.16.2.42, 00:00:01, ATM0
    C 10.68.146.0 is directly connected, Ethernet0
    R 10.68.144.0 [120/4] via 172.16.2.42, 00:00:01, ATM0
    R 10.68.160.0 [120/4] via 172.16.2.42, 00:00:01, ATM0
    S 192.168.0.0/16 [1/0] via 10.68.146.15

    SHAHR-CO#traceroute 10.68.16.2

    Type escape sequence to abort.
    Tracing the route to 10.68.16.2

    1 172.16.2.42 12 msec 8 msec 8 msec
    2 172.16.11.58 8 msec 8 msec 24 msec
    3 172.16.11.5 8 msec 8 msec 8 msec
    4 172.16.1.33 48 msec 16 msec 16 msec
    5 10.68.16.2 40 msec 20 msec 20 msec
    SHAHR-CO#

    ********* Pix Route ************
    Pix525# sh route
    zoned 10.68.2.0 255.255.255.0 10.68.146.1 3 RIP
    zoned 10.68.14.0 255.255.255.0 10.68.146.1 3 RIP
    zoned 10.68.16.0 255.255.255.0 10.68.146.1 1 OTHER static
    zoned 10.68.20.0 255.255.255.0 10.68.146.1 3 RIP
    zoned 10.68.24.0 255.255.255.0 10.68.146.1 5 RIP
    zoned 10.68.26.0 255.255.255.0 10.68.146.1 5 RIP
    zoned 10.68.38.0 255.255.255.0 10.68.146.1 3 RIP
    zoned 10.68.46.0 255.255.255.0 10.68.146.1 3 RIP
    zoned 10.68.52.0 255.255.255.0 10.68.146.1 3 RIP
    zoned 10.68.60.0 255.255.255.0 10.68.146.1 3 RIP
    zoned 10.68.62.0 255.255.255.0 10.68.146.1 3 RIP
    zoned 10.68.64.0 255.255.255.0 10.68.146.1 3 RIP
    zoned 10.68.68.0 255.255.255.0 10.68.146.1 5 RIP
    zoned 10.68.70.0 255.255.255.0 10.68.146.1 5 RIP
    zoned 10.68.72.0 255.255.255.0 10.68.146.1 5 RIP
    zoned 10.68.74.0 255.255.255.0 10.68.146.1 3 RIP
    zoned 10.68.78.0 255.255.255.0 10.68.146.1 3 RIP
    zoned 10.68.84.0 255.255.255.0 10.68.146.1 5 RIP
    zoned 10.68.88.0 255.255.255.0 10.68.146.1 3 RIP
    zoned 10.68.98.0 255.255.255.0 10.68.146.1 5 RIP
    zoned 10.68.100.0 255.255.255.0 10.68.146.1 3 RIP
    zoned 10.68.102.0 255.255.255.0 10.68.146.1 5 RIP
    zoned 10.68.112.0 255.255.255.0 10.68.146.1 5 RIP
    zoned 10.68.118.0 255.255.255.0 10.68.146.1 3 RIP
    zoned 10.68.120.0 255.255.255.0 10.68.146.1 3 RIP
    zoned 10.68.124.0 255.255.255.0 10.68.146.1 3 RIP
    zoned 10.68.126.0 255.255.255.0 10.68.146.1 5 RIP
    zoned 10.68.128.0 255.255.255.0 10.68.146.1 5 RIP
    zoned 10.68.138.0 255.255.255.0 10.68.146.1 3 RIP
    zoned 10.68.142.0 255.255.255.0 10.68.146.1 3 RIP
    zoned 10.68.144.0 255.255.255.0 10.68.146.1 5 RIP
    zoned 10.68.146.0 255.255.255.0 10.68.146.15 1 CONNECT static
    zoned 10.68.148.0 255.255.255.0 10.68.146.1 5 RIP
    zoned 10.68.160.0 255.255.255.0 10.68.146.1 5 RIP
    zoned 172.16.0.0 255.255.0.0 10.68.146.1 1 OTHER static
    zoned 172.16.1.4 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.1.28 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.1.32 255.255.255.252 10.68.146.1 4 RIP
    zoned 172.16.1.40 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.1.44 255.255.255.252 10.68.146.1 4 RIP
    zoned 172.16.1.48 255.255.255.252 10.68.146.1 4 RIP
    zoned 172.16.1.52 255.255.255.252 10.68.146.1 4 RIP
    zoned 172.16.1.76 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.1.92 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.1.104 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.1.120 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.1.124 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.1.128 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.1.136 255.255.255.252 10.68.146.1 4 RIP
    zoned 172.16.1.140 255.255.255.252 10.68.146.1 4 RIP
    zoned 172.16.1.144 255.255.255.252 10.68.146.1 4 RIP
    zoned 172.16.1.148 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.1.156 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.1.168 255.255.255.252 10.68.146.1 4 RIP
    zoned 172.16.1.176 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.1.196 255.255.255.252 10.68.146.1 4 RIP
    zoned 172.16.1.200 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.1.204 255.255.255.252 10.68.146.1 4 RIP
    zoned 172.16.1.224 255.255.255.252 10.68.146.1 4 RIP
    zoned 172.16.1.236 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.1.240 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.1.244 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.1.248 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.1.252 255.255.255.252 10.68.146.1 4 RIP
    zoned 172.16.2.4 255.255.255.252 10.68.146.1 4 RIP
    zoned 172.16.2.24 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.2.32 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.2.36 255.255.255.252 10.68.146.1 4 RIP
    zoned 172.16.2.40 255.255.255.252 10.68.146.1 1 RIP
    zoned 172.16.2.44 255.255.255.252 10.68.146.1 4 RIP
    zoned 172.16.2.68 255.255.255.252 10.68.146.1 4 RIP
    zoned 172.16.11.4 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.11.8 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.11.12 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.11.16 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.11.20 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.11.24 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.11.28 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.11.32 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.11.36 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.11.40 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.11.44 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.11.48 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.11.52 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.11.56 255.255.255.252 10.68.146.1 2 RIP
    zoned 172.16.11.60 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.11.64 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.11.68 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.11.72 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.11.76 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.11.80 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.11.84 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.11.88 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.11.92 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.11.96 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.11.104 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.11.108 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.11.112 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.12.4 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.12.8 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.12.12 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.12.16 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.12.20 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.12.24 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.12.28 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.12.32 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.12.36 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.12.40 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.12.48 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.12.52 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.12.56 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.12.64 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.12.68 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.13.4 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.13.8 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.13.12 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.13.16 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.13.20 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.13.24 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.13.28 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.13.32 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.13.36 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.13.40 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.13.44 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.13.48 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.13.52 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.13.56 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.13.60 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.13.64 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.13.68 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.13.72 255.255.255.252 10.68.146.1 3 RIP
    zoned 172.16.100.0 255.255.255.0 10.68.146.1 3 RIP
    zoned 172.16.101.0 255.255.255.0 10.68.146.1 3 RIP
    zoned 172.16.102.0 255.255.255.0 10.68.146.1 3 RIP
    zone0 192.168.0.0 255.255.255.0 192.168.0.15 1 CONNECT static
    zone1 192.168.1.0 255.255.255.0 192.168.1.15 1 CONNECT static
    zone2 192.168.2.0 255.255.255.0 192.168.2.15 1 CONNECT static
    zone3 192.168.3.0 255.255.255.0 192.168.3.15 1 CONNECT static
    zone4 192.168.4.0 255.255.255.0 192.168.4.15 1 CONNECT static
    zonef 192.168.10.0 255.255.255.0 192.168.10.15 1 CONNECT static
    inside 192.168.250.0 255.255.255.0 192.168.250.105 1 CONNECT static
    Pix525#


    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
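An added example for readers of this thread, not part of Seyed's post and not a reply from the list. The posted configuration already carries an identity static (zone0,zoned) for 192.168.0.0/24, so zone0 packets do get a translation and leave the PIX with their 192.168.0.x source unchanged; the PIX console succeeds because it sources from 10.68.146.15, which is directly connected to the 800. One thing the post cannot show is whether routers beyond the 800 (the four RIP hops to 10.68.16.2 in the traceroute) have a route back to 192.168.0.0/24; the 800's own static for 192.168.0.0/16 is only advertised if RIP is told to redistribute it, and nothing in its config does that. The fragment below assumes that missing return route is the cause (an assumption, since the upstream tables are not in the post) and hides zone0 behind the zoned interface address with PAT, so the government network only ever needs to reach 10.68.146.15. The PIX 6.3 commands used are standard nat/global/static syntax; the host 192.168.0.140 and log message 305005 are used as they appear in or apply to the posted setup.

```text
! PIX 6.3 fragment (added example, not from the original post)
!
! Drop the identity static for zone0 -> zoned.  A static is matched before
! nat/global, so while it is in place zone0 sources would never be PATed.
no static (zone0,zoned) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
!
! Source-translate every zone0 host to the zoned interface address
! (10.68.146.15) when the packet exits toward the 800 router.
nat (zone0) 1 192.168.0.0 255.255.255.0 0 0
global (zoned) 1 interface
!
! The statics between zone0..zonef are untouched: nat id 1 only has a
! global on zoned, and the per-pair statics still win for those flows.
! Existing translations must be flushed before the new rule is used.
clear xlate
!
! Verify from 192.168.0.140 while watching the PIX:
!   debug icmp trace              -> echo from 192.168.0.140 rewritten to 10.68.146.15
!   show xlate                    -> PAT entry for 192.168.0.140 on zoned
!   show logging | include 305005 -> "No translation group found" means a flow
!                                    still has no nat/static covering it
```

If the zone0 hosts still cannot reach 10.68.16.2 after this, the upstream route table is not the cause, and the next thing to compare is "show conn" on the PIX against "debug ip icmp" on the 800 to see on which side the replies stop.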

