PIX 501 NAT config

rodrigo2673
Level 1

Hi,

I hope you can help me since I'm having problems configuring my PIX 501. I have set e0 and e1 static IP addresses and they both communicate with their own segments. However, I can't communicate from e1 through e0.

I've set in both NAT (inside) 0 0 0 and outside as well. There are no packets going out from either of the NICs.

Please, can you help?

regards,

Rod

4 Replies

JORGE RODRIGUEZ
Level 10

Rodrigo,

Can you post the config again? The one attached is not legible. From the PIX do "show run",

then copy and paste it in Notepad.

If you cannot pass traffic from inside towards outside it is because you probably

need to enable global PAT and instruct the PIX that any traffic from inside passing through e0 will be PATed or NATed. If this is indeed the problem you can simply enable global NAT:

global (outside) 1 interface

Or

say if you have 10 available outside ip addresses and use the block as a global NAT pool you could do:

global (outside) 1 10.10.10.1-10.10.10.9 "global NAT pool"

global (outside) 1 10.10.10.10 "single global PAT"

For communicating from e0 or outside to inside, use static NAT and an ACL to permit traffic from outside to inside.

Rgds

Jorge

Jorge Rodriguez

Sure!

Sorry, I didn't realize how bad it was. I'll put it here:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 e0 security10

nameif ethernet1 e1 security99

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd CRA9.3/nTx371PLg encrypted

hostname pixfirewall

domain-name ciscopix.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

object-group icmp-type icmp_traffic

icmp-object echo-reply

icmp-object source-quench

icmp-object unreachable

icmp-object time-exceeded

access-list PERMIT_IN permit icmp any any object-group icmp_traffic

access-list no-nat permit ip 192.168.1.0 255.255.255.0 any

access-list no-nat permit ip 83.244.174.208 255.255.255.240 any

access-list no-nat permit ip 83.244.174.208 255.255.255.240 192.168.1.0 255.255.255.0

pager lines 24

mtu e0 1500

mtu e1 1500

ip address e0 2.2.2.2 255.255.255.0

ip address e1 1.1.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.1.0 255.255.255.240 e0

pdm logging informational 100

pdm history enable

arp timeout 14400

global (e0) 1 interface

global (e1) 1 interface

static (e0,e1) 83.244.174.208 192.168.1.0 netmask 255.255.255.240 0 0


static (e1,e0) 192.168.1.1 192.168.1.1 netmask 255.255.255.255 0 0

route e0 0.0.0.0 0.0.0.0 83.244.174.210 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 e1

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 4.4.4.0 255.255.255.0 e0

telnet 1.1.1.0 255.255.255.0 e1

telnet timeout 5


ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:7a19dc61cf2cb837c3270b5981f1be45

: end

thank you in advance

Rod.

Jorge,

I'm a little confused on the NAT and PAT, but this is what happens when I put in the command.

e0=2.2.2.2 =>outside

e1=1.1.1.1 =>inside

pixfirewall(config)# global (e0) 1 1.1.1.1

Global 1.1.1.1 will be Port Address Translated

pixfirewall(config)# 105: ICMP echo-request from e1:1.1.1.2 to 2.2.2.2 ID=512 seq=2304 length=40

106: ICMP echo-request from e1:1.1.1.2 to 2.2.2.2 ID=512 seq=2560 length=40

107: ICMP echo-request from e1:1.1.1.2 to 2.2.2.2 ID=512 seq=2816 length=40

108: ICMP echo-request from e1:1.1.1.2 to 2.2.2.2 ID=512 seq=3072 length=40

That's the result of the ICMP debug. However, even though it sees the packets, it times out on the client side and also on the PIX.

thanks,

Rod

Rod, a bit of an odd configuration, as one usually expects to configure e0 as the "outside" interface and e1 as the "inside" interface; one has to flip the switch to think the other way around. I would suspect, since you are not passing outbound traffic through the outside interface, that this PIX is not in production. If this is the case I would wipe out the complete config and start from scratch and do it right with "e0 name outside" and "e1 name inside"; since your config is very small it should not take that long. Or, if you want to leave it as such, we can still troubleshoot. Also, your e1 outside interface IP of 1.1.1.1/24 is not on the same IP block where you default route to 83.244.174.210; normally the PIX outside interface should be in the same 83.244.174.0 network. Is your external interface sort of connecting to a DSL or cable modem line where you get DHCP from the ISP? Can you elaborate on the external connection?

On another note, you don't have NAT inside configured, with two interfaces, inside and outside. No NAT, and you have the default route mistaken. Before you try these commands, from the PIX can you ping 83.244.174.210? If not, correct with the default route below.

nat (e0) 0 2.2.2.0 255.255.255.0 will let inside IP addresses be recognized on the outside network and let inside IPs start outbound connections.

Try these:

nat (e0) 0 2.2.2.0 255.255.255.0

no route e0 0.0.0.0 0.0.0.0 83.244.174.210 1

route e1 0.0.0.0 0.0.0.0 83.244.174.210 1

Jorge Rodriguez
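For reference, this is how the same two-interface box would look laid out the conventional way Jorge describes in his replies: e0 as outside, e1 as inside, outbound NAT/PAT with nat/global, and an inbound static plus an ACL that is actually applied with access-group. It is an added example, not the configuration posted in this thread. The upstream gateway 2.2.2.1, the inside host 1.1.1.10 and its public address 2.2.2.10, and the spare pool 2.2.2.20-2.2.2.29 are assumptions made for illustration; the posted default route points at 83.244.174.210, which is on neither interface's subnet, so the real next hop has to come from the ISP details Jorge asked for.

```text
: Added example in PIX 6.3 syntax, not the config from this thread.
: Assumed addressing: outside 2.2.2.2/24 with gateway 2.2.2.1 (assumed),
: inside 1.1.1.1/24 with a hypothetical web server at 1.1.1.10.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 2.2.2.2 255.255.255.0
ip address inside 1.1.1.1 255.255.255.0

: The default route must point at a next hop on the outside subnet.
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1

: Outbound: every inside address is in NAT group 1 ...
nat (inside) 1 0.0.0.0 0.0.0.0
: ... and group 1 is translated on the outside interface.
: Form 1: PAT behind the outside interface address.
global (outside) 1 interface
: Form 2 (instead of form 1): a pool of real addresses plus one overflow
: PAT address, as in Jorge's first reply. 2.2.2.20-2.2.2.29 are assumed free.
: global (outside) 1 2.2.2.20-2.2.2.28
: global (outside) 1 2.2.2.29

: Inbound: fixed translation for one host, then an ACL opening only what is
: needed. Without the access-group line the ACL is never evaluated.
static (inside,outside) 2.2.2.10 1.1.1.10 netmask 255.255.255.255 0 0
access-list OUTSIDE_IN permit tcp any host 2.2.2.10 eq 80
: PIX 6.x does not track ICMP statefully, so replies to outbound pings
: must be permitted explicitly (same types as the posted icmp_traffic group).
access-list OUTSIDE_IN permit icmp any any echo-reply
access-list OUTSIDE_IN permit icmp any any time-exceeded
access-list OUTSIDE_IN permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside
```

To check it, open a connection from an inside host to something beyond the outside interface and look at "show xlate" for the translation and "show conn" for the connection; "debug icmp trace" should then show both the request and the reply. Pinging the PIX's far-side interface (1.1.1.2 to 2.2.2.2 in Rod's test) is not a useful test, because the PIX only answers ICMP on the interface the request arrives on. While rebuilding, it is also worth replacing the default "snmp-server community public" and managing the box over ssh rather than telnet.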