I cannot reach a host in my DMZ from my LAN. We had a multi-homed Windows web server. I just took over the network and was told by the previous admin that this could create a loop. I am not familiar with PIX at all, so I am putting my access list, IP, and NAT info here to be analyzed by the experts here. Please advise!
I searched and found what seemed like the solution from another member here, but I am just not certain, as there was no response from the member to the expert saying that his solution worked.
It appears to me that there is no NAT entry from the subnet of my DMZ, 192.168.2.0, to my LAN subnet, 192.168.1.0.
MatrixFW1# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list Access_in; 24 elements
access-list Access_in line 1 extended permit icmp any host 67.103.180.198 (hitcnt=1560) 0x1c983445
access-list Access_in line 2 extended permit ip any host 67.103.180.198 (hitcnt=10523) 0x16c28239
access-list Access_in line 3 extended permit tcp any host 67.103.180.198 eq www (hitcnt=0) 0xcd121af
access-list Access_in line 4 extended permit tcp any host 67.103.180.198 eq https (hitcnt=0) 0x61586a17
access-list Access_in line 5 extended permit tcp any host 67.103.180.198 eq smtp (hitcnt=0) 0x5dc2e4ff
access-list Access_in line 6 extended permit tcp any host 67.103.180.197 eq www (hitcnt=350) 0x23a82c60
access-list Access_in line 7 extended permit tcp any host 67.103.180.197 eq smtp (hitcnt=9075) 0x17351e51
access-list Access_in line 8 extended permit tcp any host 67.103.180.197 eq pop3 (hitcnt=2) 0x42d2e53a
access-list Access_in line 9 extended permit tcp any host 67.103.180.197 eq https (hitcnt=2723) 0x8dcaa782
access-list Access_in line 10 extended permit tcp any host 67.103.180.197 eq imap4 (hitcnt=3) 0x9757a055
access-list Access_in line 11 extended permit tcp any host 67.103.180.198 eq ssh (hitcnt=0) 0xe141a612
access-list Access_in line 12 extended permit tcp any host 67.103.180.197 eq ssh (hitcnt=31) 0x131caa47
access-list Access_in line 13 extended permit tcp any host 67.103.180.197 eq pptp (hitcnt=14) 0x92ca501b
access-list Access_in line 14 extended permit gre any host 67.103.180.197 log informational interval 300 (hitcnt=82) 0x98c12557
access-list Access_in line 15 extended permit esp any host 67.103.180.197 log informational interval 300 (hitcnt=0) 0xe265760b
access-list Access_in line 16 extended permit udp any host 67.103.180.197 eq isakmp (hitcnt=0) 0x7f25ba14
access-list Access_in line 17 extended permit tcp any host 67.103.180.198 (hitcnt=0) 0xb7557f96
access-list Access_in line 18 extended permit udp any host 67.103.180.198 (hitcnt=0) 0xc14ee5bb
access-list Access_in line 19 extended permit udp any host 67.103.180.197 (hitcnt=2627) 0x218a7883
access-list Access_in line 20 extended permit tcp any host 67.103.180.198 eq domain (hitcnt=0) 0x12753803
access-list Access_in line 21 extended permit tcp any host 67.103.180.197 eq domain (hitcnt=0) 0x294dbec5
access-list Access_in line 22 extended permit udp any host 67.103.180.198 eq domain (hitcnt=0) 0xb17f8e59
access-list Access_in line 23 extended permit udp any host 67.103.180.197 eq domain (hitcnt=0) 0x9f49c99f
access-list Access_in line 24 extended permit icmp any host 67.103.180.197 (hitcnt=997) 0x591185cb
System IP Addresses:
Interface   Name      IP address       Subnet mask       Method
Ethernet0   outside   67.103.180.194   255.255.255.192   CONFIG
Ethernet1   inside    192.168.1.1      255.255.255.0     CONFIG
Ethernet2   DMZ       192.168.2.1      255.255.255.0     CONFIG
Current IP Addresses:
Interface   Name      IP address       Subnet mask       Method
Ethernet0   outside   67.103.180.194   255.255.255.192   CONFIG
Ethernet1   inside    192.168.1.1      255.255.255.0     CONFIG
Ethernet2   DMZ       192.168.2.1      255.255.255.0     CONFIG
MatrixFW1# show nat
NAT policies on Interface inside:
  match ip inside host 192.168.1.101 outside any
    static translation to 67.103.180.197
    translate_hits = 33494, untranslate_hits = 22697
  match ip inside 192.168.1.0 255.255.255.0 outside any
    dynamic translation to pool 1 (67.103.180.195)
    translate_hits = 234668, untranslate_hits = 14019
  match ip inside 192.168.1.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.1.0 255.255.255.0 DMZ any
    dynamic translation to pool 1 (192.168.2.1 [Interface PAT])
    translate_hits = 1758, untranslate_hits = 11
NAT policies on Interface DMZ:
  match ip DMZ host 192.168.2.42 outside any
    static translation to 67.103.180.198
    translate_hits = 2096, untranslate_hits = 12108
  match ip DMZ 192.168.2.0 255.255.255.0 outside any
    dynamic translation to pool 2 (67.103.180.196)
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ 192.168.2.0 255.255.255.0 DMZ any
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
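An added example (editor's, not from the original post) of how DMZ-to-inside reachability is normally built on PIX 7.x with the interfaces and subnets shown above. The `show nat` output has policies for inside-to-DMZ (interface PAT, so inside hosts appear to the DMZ as 192.168.2.1) and for DMZ-to-outside, but none for DMZ-to-inside, and `Access_in` is the only ACL on the box, so nothing is applied on the DMZ interface. The fragment assumes the DMZ interface has a lower security level than inside and that nat-control is in effect (neither is shown above); the inside host 192.168.1.101 and TCP port 1433 are placeholders for whatever the DMZ server actually needs to reach. The `Access_in` lines at the end are a separate tightening: line 2 (`permit ip any host 67.103.180.198`) already matches everything sent to .198, which is why the later port-specific .198 lines (3, 4, 5, 11, 17, 18, 20, 22) all show hitcnt=0 and can never match.

```text
! Added example, not from the original post. Assumes PIX 7.x, the interface
! names and subnets shown above, DMZ security level lower than inside, and
! nat-control in effect. 192.168.1.101 and TCP 1433 are placeholders.

! 1. Identity static between inside and DMZ. Inside hosts keep their real
!    addresses toward the DMZ, and a DMZ host starting a connection to inside
!    now has a translation to match (without one, nat-control drops it with
!    "no translation group found"). A static outranks the existing
!    nat (inside) 1 / global (DMZ) 1 interface PAT, so that rule stops
!    applying to inside-to-DMZ traffic.
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! 2. A lower-security interface can only initiate toward a higher one if an
!    ACL on it permits the flow. Applying an ACL replaces the default
!    behaviour on that interface, so DMZ-to-outside must be permitted
!    explicitly too. Keep the inside permits host- and port-specific.
access-list DMZ_in extended permit tcp host 192.168.2.42 host 192.168.1.101 eq 1433
access-list DMZ_in extended deny ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 log
access-list DMZ_in extended permit ip 192.168.2.0 255.255.255.0 any
access-group DMZ_in in interface DMZ

! 3. Check both directions before touching the Windows server's routes.
!    packet-tracer shows which NAT rule and ACL line each flow hits and
!    whether it is allowed or dropped.
packet-tracer input inside tcp 192.168.1.50 1025 192.168.2.42 80
packet-tracer input DMZ tcp 192.168.2.42 1025 192.168.1.101 1433
show nat
show xlate

! 4. Optional: remove the catch-all for 67.103.180.198 so the port-specific
!    lines for that host actually take effect. Lines 17 and 18 (tcp any /
!    udp any to .198) would have to go as well for this to narrow anything.
!    Only do this once the ports .198 really has to serve are confirmed.
no access-list Access_in extended permit ip any host 67.103.180.198
no access-list Access_in extended permit tcp any host 67.103.180.198
no access-list Access_in extended permit udp any host 67.103.180.198
```

If the DMZ server is also plugged directly into the 192.168.1.0 segment (the multi-homed setup the previous admin warned about), replies can leave by that second NIC instead of coming back through the PIX, and the firewall then sees only half of each connection; `show conn` on the PIX and the server's own routing table will show whether that is happening before any of the above is changed.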