05-14-2003 10:08 AM - edited 02-20-2020 10:44 PM
I am trying to verify where the problem is coming from, either our PIX 515 (6.2.2) or our Linux 7.2 Proxy server (acts as router also). The configuration on the old PIX was done thru telnet and I'm trying to recreate it thru PDM on the new PIX. Here's what we've got
Old Network 1 - Sprint Internet to Cisco 2620 to PIX 515 to DMZ hub (10.1.1.x)
New Network 2 - AT&T Internet to Cisco 3640 to PIX 515 (2nd) to DMZ hub (10.1.1.x)
Both PIXes NAT to Internal servers on 10.1.2.x Internal Network
Linux 7.2 server is the only connection between the 1.x and 2.x networks (running Squid, Zebra, & RIPD + other apps). 10.2.1.2 (inside route for both PIX) & 10.2.2.2 addr
Accessing servers by IP address on Network 1 works to 1.x and 2.x networks
Accessing servers by IP address on Network 2 works on 1.x network only
Here are the important config lines that pertain to this situation (I've changed some of the IP addresses to be generic):
name 10.2.2.209 DistSite
access-list outside_access_in permit tcp any host 3.3.3.155 eq https
access-list outside_access_in permit icmp any any
pdm location DistSite 255.255.255.255 inside
global (outside) 1 3.3.3.131-3.3.3.137
nat (inside) 1 10.2.1.2 255.255.255.255 0 0
nat (inside) 1 10.2.2.2 255.255.255.255 0 0
static (inside,outside) 3.3.3.155 DistSite netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
rip inside passive version 2
route outside 0.0.0.0 0.0.0.0 3.3.3.129 1
route inside 10.1.2.0 255.255.255.0 10.1.1.2 1
Some of the lines may not be necessary; I just started adding lines that I noticed were missing in the new config from the old config (RIP inside..., access list... ICMP). As I said, I can come thru the PIX to get to my NATted VPN box on the 10.1.1.x, but not to any of the NATs on the 10.1.2.x network that are required to go thru the Linux server; however, it works just fine on the Network 1 PIX (we are converting our network from Sprint to AT&T so I have to get this working by the end of the month). Thanks in advance.
05-14-2003 11:10 AM
What can't you do? From the internet you cannot get thru the pix to anywhere inside except for that which is permitted by your access list outside_access_in. I don't understand what you mean by "not to any of the NATs on the 10.1.2.x network". Do you mean they cannot make connections to the internet?
05-14-2003 11:24 AM
From the internet, I cannot get to any devices on the 10.1.2.x network. I can get to the internet from the 10.1.2.x network and I can get to devices on the 10.1.1.x network from the internet.
From the internet I should be able to go to https://3.3.3.155 which is NATted to 10.1.2.209, but I cannot. However, I can connect to my VPN box which is at 3.3.3.158 and NATted to 10.1.1.207, so the pix is passing traffic thru, just not thru the additional router (Linux).
I have recreated the config file from our old system (at least as far as I can tell) in which this layout currently works (using a different outside addr because it is thru a different provider).
I have noticed one new oddity since my original post. I can't ping anything on the 2.x network from either PIX except my FTP server, which is pingable from both PIXes. Therefore it looks like both PIXes are able to go thru the Linux server, at least when directly connected to the PIX. Thanks.
05-14-2003 11:38 AM
I've also logged transactions from the pix and I am receiving the proper message when I try to connect over the internet (I think). However, it never pulls up the page. I am sure that this should work because it still works fine over our old internet connection following the same procedure with the old public ip addr.
PIX-6-302013 Built inbound TCP connection 5760 for outside:67.213.43.123/1633 (67.213.43.123/1633) to inside 10.1.2.209/443 (3.3.3.155/443)
05-15-2003 07:28 AM
Is that log snip from the new or old pix?
If it is from the new pix, do a traceroute to 67.213.43.123 from the 10.1.2.209 host. I think the problem could be that the 10.1.2.209 host's default gateway is to the old pix, so what happens is that conns can come in thru the new pix, but the replies all go out the old pix. Are you sure that internal host is routing properly?
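As an added illustration of the asymmetric-routing hypothesis in the reply above (this is not code from the thread or from Cisco): a small Python check that parses the posted 302013 "Built inbound TCP connection" message and runs a longest-prefix lookup over a constructed routing table for the Linux router, reporting whether the inside host's reply leaves through the PIX the connection arrived on. The PIX inside addresses 10.1.1.1 / 10.1.1.3 and the two route tables are assumptions made up for the example.

```python
import ipaddress
import re

# Constructed sample: the 302013 "Built inbound TCP connection" line posted in the thread.
LOG_LINE = ("PIX-6-302013 Built inbound TCP connection 5760 for "
            "outside:67.213.43.123/1633 (67.213.43.123/1633) to inside "
            "10.1.2.209/443 (3.3.3.155/443)")

# 302013 layout: <if>:<real>/<port> (<mapped>/<port>) to <if> <real>/<port> (<mapped>/<port>)
CONN_RE = re.compile(
    r"302013 Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \((?P<src_map>[\d.]+)/\d+\) to "
    r"(?P<dst_if>\w+) (?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<dst_map>[\d.]+)/\d+\)")

# Assumed (constructed) inside-interface addresses of the two PIXes on the 10.1.1.x DMZ.
PIX_INSIDE = {"old-pix": "10.1.1.1", "new-pix": "10.1.1.3"}

def parse_302013(line):
    """Extract real and mapped addresses from a 302013 connection-built message."""
    m = CONN_RE.search(line)
    if not m:
        raise ValueError("not a 302013 line: " + line)
    return m.groupdict()

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs, as the Linux router's table would do."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def check_reply_path(line, router_routes, inbound_pix):
    """Report whether the reply to this connection exits via the PIX it entered on."""
    conn = parse_302013(line)
    gw = next_hop(router_routes, conn["src"])          # where the reply to the client goes
    by_ip = {ip: name for name, ip in PIX_INSIDE.items()}
    reply_pix = by_ip.get(gw)
    return {"client": conn["src"], "inside_host": conn["dst"], "mapped": conn["dst_map"],
            "reply_gateway": gw, "reply_pix": reply_pix,
            "symmetric": reply_pix == inbound_pix}

# Constructed routing tables for the Linux router: default route still pointing at the
# old PIX (the suspected misconfiguration), then corrected to point at the new PIX.
ROUTES_OLD_DEFAULT = [("10.1.2.0/24", "direct"), ("10.1.1.0/24", "direct"), ("0.0.0.0/0", "10.1.1.1")]
ROUTES_NEW_DEFAULT = [("10.1.2.0/24", "direct"), ("10.1.1.0/24", "direct"), ("0.0.0.0/0", "10.1.1.3")]

if __name__ == "__main__":
    for routes in (ROUTES_OLD_DEFAULT, ROUTES_NEW_DEFAULT):
        print(check_reply_path(LOG_LINE, routes, "new-pix"))
```

With the old default route the report shows the reply leaving via old-pix (symmetric False), which matches the symptom of a connection being built on the new PIX while the page never loads.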