Ping and alternate solution to achieve the same task
17 years 10 months ago #19268
by zillah
Ping and alternate solution to achieve the same task was created by zillah
If I have got these 4 servers in the inside LAN:
192.168.1.251
192.168.1.252
192.168.1.253
192.168.1.254
I have got this media server 192.168.101.204 in the DMZ area.
If I want the media server in the DMZ area (192.168.101.204) to be able to ping these 4 servers only, which reside inside the LAN, and vice versa,
I can do this:
static (inside,dmz) 192.168.1.251 192.168.101.251 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.252 192.168.101.252 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.253 192.168.101.253 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.254 192.168.101.254 netmask 255.255.255.255 0 0
access-list 121 permit icmp host 192.168.101.204 host 192.168.101.251
access-list 121 permit icmp host 192.168.101.204 host 192.168.101.252
access-list 121 permit icmp host 192.168.101.204 host 192.168.101.253
access-list 121 permit icmp host 192.168.101.204 host 192.168.101.254
access-list 150 permit icmp host 192.168.101.251 host 192.168.101.204
access-list 150 permit icmp host 192.168.101.252 host 192.168.101.204
access-list 150 permit icmp host 192.168.101.253 host 192.168.101.204
access-list 150 permit icmp host 192.168.101.254 host 192.168.101.204
access-group 121 in interface dmz
access-group 150 in interface inside
If I want to do it in an alternate way, can I do it by using dynamic mapping?
17 years 10 months ago #19271
by Smurf
Replied by Smurf on topic Re: Ping and alternate solution to achieve the same task
If I want to do it in an alternate way, can I do it by using dynamic mapping?
Sorry but I don't fully understand the question?
Static commands must be used in order for traffic from low to high interfaces to communicate. To work the other way (i.e. inside to outside) you just need a NAT in place and the necessary access rules.
If you set up the statics as per your example, this will also allow the traffic to flow the other way without the Global/NAT keywords being used.
Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
17 years 10 months ago #19275
by zillah
Replied by zillah on topic Re: Ping and alternate solution to achieve the same task
Sorry but I don't fully understand the question?
What I meant to say, can we achieve (accomplish) the same task with a different configuration?
I hope you get where my point is.
17 years 10 months ago #19276
by Smurf
Replied by Smurf on topic Re: Ping and alternate solution to achieve the same task
I still believe that you will need to configure the PIX in this manner to get traffic from the low interface (external) to the high interface (internal). In order to achieve this you need to use a Static Command.
17 years 10 months ago #19277
by zillah
Replied by zillah on topic Re: Ping and alternate solution to achieve the same task
In order to achieve this you need to use a Static Command.
1- You meant the static command that I have used in my configuration?
That means if I want to do it with dynamic NATing it is infeasible?
2- When I tried to use private email I received this error:
Failed sending email :: PHP ::
DEBUG MODE
Line : 277
File : /home/firewall/public_html/includes/emailer.php
3- What is the PIX command that can be used to do the same job as cls for a Cisco router?
Regards
17 years 10 months ago #19287
by Smurf
Replied by Smurf on topic Re: Ping and alternate solution to achieve the same task
1- You meant the static command that I have used in my configuration ?
That means if i want to do in dynamic natting it is infeasible
Dynamic natting will only work from inside to outside. For traffic to flow from Outside to Inside you have to use the Static configuration. You really wouldn't want to do a Dynamic from Outside to Inside anyway because you would be publishing servers so the translations would need to be fixed to ensure the external IP Address went to the correct internal IP Address.
To configure the Dynamic from Inside to Outside you would need to use the global and nat keywords.
e.g.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 - This says NAT any address on the inside
2- When I tried to use private email I received this error:
Failed sending email :: PHP ::
DEBUG MODE
Line : 277
File : /home/firewall/public_html/includes/emailer.php
There is an issue with this on the website, the webmasters are aware of it but at the moment all time is being spent on the Lab so it can get released very soon
3- What is the PIX command that can be used to do the same job as cls for a cisco router ?
Didn't know that there was a cls command for Cisco routers?
Cheers
Wayne
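As an added example (not code from the thread, from firewall.cx or from Cisco), here is a small Python model of the two approaches discussed: the static/ACL configuration from the first post and the global/nat alternative from the reply above. It checks a dmz-initiated packet against the ACL bound inbound on dmz and then looks for a translation, which shows why a dynamic pool gives "no translation" until an inside host has initiated a flow. The configs and the pool range are constructed, and only the dmz-inbound direction is modelled.

```python
import re
# Constructed configs. STATIC_CONFIG copies the static/ACL approach from the
# first post (dmz-inbound half only); DYNAMIC_CONFIG is the global/nat
# alternative from the reply, with an ACL that permits one pool address.
STATIC_CONFIG = """
static (inside,dmz) 192.168.1.251 192.168.101.251 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.252 192.168.101.252 netmask 255.255.255.255 0 0
access-list 121 permit icmp host 192.168.101.204 host 192.168.101.251
access-list 121 permit icmp host 192.168.101.204 host 192.168.101.252
access-group 121 in interface dmz
"""
DYNAMIC_CONFIG = """
global (dmz) 1 192.168.101.230-192.168.101.240
nat (inside) 1 0.0.0.0 0.0.0.0
access-list 121 permit icmp host 192.168.101.204 host 192.168.101.231
access-group 121 in interface dmz
"""

STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask 255\.255\.255\.255")
ACL_RE = re.compile(r"access-list (\S+) (permit|deny) (\S+) host (\S+) host (\S+)")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\w+)")

def parse(config):
    """Collect host statics (permanent xlates), ACL entries and bindings."""
    statics, acls, bindings = {}, {}, {}
    for line in config.strip().splitlines():
        if m := STATIC_RE.match(line):
            _real_if, mapped_if, real, mapped = m.groups()
            statics[(mapped_if, mapped)] = real
        elif m := ACL_RE.match(line):
            name, *entry = m.groups()           # entry = (action, proto, src, dst)
            acls.setdefault(name, []).append(tuple(entry))
        elif m := GROUP_RE.match(line):
            bindings[m.group(2)] = m.group(1)   # interface -> ACL applied inbound
    return statics, acls, bindings

def check_dmz_to_inside(config, src, dst, proto="icmp", dynamic_xlates=()):
    """Verdict for a packet entering on dmz towards a mapped inside address.
    The ACL bound inbound on dmz must permit the flow (implicit deny) and a
    translation for dst must exist: statics are permanent, a dynamic xlate
    (mapped, real) exists only after an inside host initiated the flow.
    """
    statics, acls, bindings = parse(config)
    rules = acls.get(bindings.get("dmz"), [])
    action = next((a for a, p, s, d in rules if (p, s, d) == (proto, src, dst)), None)
    if action != "permit":
        return ("denied-by-acl", None)
    real = statics.get(("dmz", dst)) or dict(dynamic_xlates).get(dst)
    return ("permitted", real) if real else ("no-translation", None)
```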