topic PIX 515 : routing issue + NAT in Network Security

PIX 515 : routing issue + NAT

IT-Volubill — Fri, 21 Feb 2020 11:43:39 GMT

Hi all,

I have a routing + NAT issue with my PIX 515 (v7.2.4).

Indeed, i can't reach at the same time, my outside interface (Internet) and a subnetwork in my inside network using a router which has an ip on my inside network.

here is my conf :

PIX Version 7.2(4)

interface Ethernet0

nameif outside

security-level 0

ip address Public_IP 255.255.255.248

ospf cost 10

interface Ethernet1

description Office LAN

speed 100

duplex full

nameif inside

security-level 100

ip address 10.10.10.254 255.255.255.0

ospf cost 10

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip verify reverse-path interface VoIP-inside

ip verify reverse-path interface DMZ

icmp unreachable rate-limit 1 burst-size 1

icmp deny any outside

icmp permit any inside

global (outside) 1 interface

global (inside) 1 interface

nat (outside) 0 access-list outside_nat0_outbound

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

access-group inbound in interface outside

route outside 0.0.0.0 0.0.0.0 203.XXX.XXX.XXX 1

route inside 10.0.100.0 255.255.252.0 10.10.10.29 1

Packet tracer show a NAT issue with the dynamic NAT policy but i don't know why.

When i remove the dynamic NAT policy, i can reach the subnetwork but no more internet...

Thanks

Best Regards,

Laurent

Re: PIX 515 : routing issue + NAT

Herbert Baerten — Tue, 13 Oct 2009 05:21:45 GMT

Laurent,

can you clarify in more detail what you are trying to achieve, maybe with an example using actual ip addresses?

Can you also include the packet-tracer output please.

tnx

Herbert

Re: PIX 515 : routing issue + NAT

IT-Volubill — Tue, 13 Oct 2009 09:10:32 GMT

Hi,

I want to be able to access at the same time Internet (outside interface) and a subnetwork in my inside interface.

Example :

Inside network : 10.10.10.0/24

PIX inside : 10.10.10.254

IP of my router in the inside network : 10.10.10.29

Subnetwork behind my router : 10.0.100.0/24

To access outside, i have a Dynamic NAT, but with this Dynamic NAT enable then i can't ping the subnetwork while i can ping google.com for example.

If i remove the Dynamic NAT, then i can ping the subnetwork but i can't no more reach Internet (ping google.com not working).

As i have ios v7.2.4, i follow this guide : http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml#t3 but enabling intra-interface communication is not sufficient.

Regards,

Laurent

Re: PIX 515 : routing issue + NAT

dhananjoy chowdhury — Tue, 13 Oct 2009 09:24:27 GMT

Hi,

If its feasible, add a static route for reaching 10.0.100.0 pointing towards 10.10.10.29, on each system on the subnet 10.10.10.0.

Re: PIX 515 : routing issue + NAT

Herbert Baerten — Tue, 13 Oct 2009 09:35:18 GMT

Ok, assuming you are pinging from 10.10.10.x, it would be easiest to simply use 10.10.10.29 as your default gw, so the inside-to-inside traffic does not pass the firewall.

However, if it is a requirement for this traffic to pass the fw, then I would advise to consider moving one of the inside networks to another firewall interface (if your license allows it).

Otherwise, I guess you would need something like:

no global (inside) 1 interface

global (inside) 2 interface

nat (inside) 2 0.0.0.0 0.0.0.0 outside

If that does not help, could you please provide the packet-tracer output (from the CLI) ?