topic Re: PIX 501 NAT in Network Security

PIX 501 NAT

mikefunk — Mon, 11 Mar 2019 15:17:19 GMT

I'm having an issue where I can sit on the PIX and ping everything on the internal network. I can ping everything I've allowed on the external network as well. However, I can't get traffic across the NAT to ping. Here's the config:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname another-fw1

access-list outside_access_in permit ip host NAMED-SOMETHING any

access-list outside_access_in permit icmp object-group icmp-sources any

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside 9.9.9.9 255.255.255.224

ip address inside 172.16.41.100 255.255.255.0

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 9.9.9.10 172.16.42.1 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 9.9.9.8 1

route inside 0.0.0.0 0.0.0.0 172.16.41.200

Lame Layout Example

ROUTER -> PIX -> SWITCH -> DEVICES

If I changed the NAT'd devices gateway to the PIX, then it works fine. BTW: The gateway isn't mine and I'm sure there isn't any type of route pointing back to me. I'm typically coming in from an external IP and I guess that my traffic is getting pushed out another direction once it hits their network.

So, would Source NAT work? Never used it.. So, I have no idea.

Re: PIX 501 NAT

roshan.maskey — Sat, 11 Apr 2009 11:51:05 GMT

Hi Mike,

The NAT configuration you have done is okey. But the routing part seems to be giving you trouble.

You have configured two default routes:

route outside 0.0.0.0 0.0.0.0 9.9.8.1

route inside 0.0.0.0 0.0.0.0 172.16.41.200

You are getting problem due to second default route pointed to 172.16.41.200

Please make the second route more specific(don't used default route) e.g if you have 172.16.20.0 network in inside section then use

route inside 172.16.20.0 255.255.255.0 172.16.41.200

Also see the translation and connection table

sh xlate

sh conn

Regards,

Roshan

Re: PIX 501 NAT

mikefunk — Sat, 11 Apr 2009 16:06:44 GMT

Thanks for the reply!!!

Sadly, I've tried that.. I've even removed the old inside route, saved the config, and rebooted the PIX.

It still produces this:

[ERR]route inside 172.16.41.0 255.255.255.0 172.16.41.200 1

Route already exists

Re: PIX 501 NAT

mikefunk — Sat, 11 Apr 2009 17:44:38 GMT

Without route to internal router

outside 0.0.0.0 0.0.0.0 12.52.0.33 1 OTHER static (What I added)

outside 9.9.9.7 255.255.255.224 9.9.9.9 1 CONNECT static (Shows by default since it's the interface)

inside 172.16.41.0 255.255.255.0 172.16.41.100 1 CONNECT static (Shows by default since it's the interface)

When I ping I get:

No route to 172.16.42.1 from "Where I'm at" on the PIX debug log...

When I add the 172.16.x.x route

outside 0.0.0.0 0.0.0.0 9.9.9.8 1 OTHER static

outside 9.9.9.7 255.255.255.224 9.9.9.9 1 CONNECT static

inside 172.16.0.0 255.255.0.0 172.16.41.200 1 OTHER static

inside 172.16.41.0 255.255.255.0 172.16.41.100 1 CONNECT static

When I ping now... I don't get the "No Route" but I don't get replies either.

Reminder, I can ping everything on the internal and external network from the PIX. However, Outisde in and Inside out doesn't work even though it's allowed...