02-27-2009 04:23 AM - edited 03-11-2019 07:58 AM
Hi
We have one Pix sitting as the f/w for our servers. I now want to configure another Pix whose outside interface is on the same subnet as the inside interface of the first Pix. The second Pix will be in front of our LAN, so you can consider the servers to be in a DMZ. The outside Pix is working fine, so I don't really want to touch that too much.
I have set up the second Pix pretty much the same as the first; however, I cannot seem to ping between the DMZ and the LAN. With the same setup on the first Pix, I can ping between the internet and the DMZ.
The only difference is that the outside Pix has NATting, and I want to avoid it on the inside one, although if it is needed then that is fine.
Internet --- Pix1 ---- Servers --- Pix2 ---- LAN
Any ideas of where I should look first?
Thank you in advance.
Regards
Ali
03-03-2009 04:58 AM
Ali
Okay, I see where I went wrong. I forgot that what we are calling the DMZ is not actually another interface on the inside Pix but still the outside interface. So when I asked you to add that other NAT statement, that would indeed have created confusion. Apologies for that.
The reason I suspect that just adding my statement didn't work is because the outside Pix does not know how to route back to 192.168.5.0/24. So you could either:
1) remove your existing nat & global statements, add the following
static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
and make sure that the outside Pix has a route back to the 192.168.5.0/24 network via the outside interface of the inside Pix,
OR
we could try policy NAT, i.e.
access-list inside_to_dmz permit ip 192.168.5.0 255.255.255.0 192.168.105.0 255.255.255.0
** static (inside,outside) 192.168.5.0 access-list inside_to_dmz
** Note - I don't have a Pix/ASA to test on. The above syntax is not quite right; it could be
static (inside,outside) 192.168.5.0 255.255.255.0 access-list inside_to_dmz
or it might be some other combination. Apologies for being vague, but I haven't configured this in a while and I've forgotten the exact syntax.
Jon
03-03-2009 07:07 AM
Jon
Thanks, I tried both methods but wasn't successful with either. I am attaching the Pix config for Pix1. (19x.yyy.zzz is a public IP range.)
Which interface does the static route from Pix1 to 192.168.5.0/24 come from, is it inside or outside? It is a little confusing, because in this case the traffic from Pix1 travels on the inside of the f/w to Pix2 through the outside interface of Pix2, but doesn't necessarily go through the inside interface of Pix1; am I right in thinking this is so?
So I tried both methods and wasn't successful; however, the packet tracer seems to show that there is communication between 192.168.5.0/24 and 192.168.105.0/24. I have tried different ports and different protocols.
Thanks for your help.
03-03-2009 07:28 AM
Ali
The key parts of the config are -
1) Your NATting
global (outside) 1 interface
global (outside) 3 19x.yyy.zzz.9 netmask 255.255.255.255
global (inside) 1 interface
static NATting here between inside and outside for all hosts on 1-2-1
Apart from the fact that you have global statements with no corresponding nat statements, there is no NATting for the 192.168.5.0/24 IP addresses. The easiest way to fix this is:
nat (inside) 4 192.168.5.0 255.255.255.0
global (outside) 4 interface
HOWEVER - because I can't make much sense of your NAT config on this firewall, you need to be very careful. I can't guarantee it won't break anything. What you do need to do is ensure that 192.168.5.x addresses are translated to public IP(s).
Is there a chance some of the NAT config is missing?
Also, the 1-2-1 NATs, are these all for 192.168.105.x servers?
2) Routing -
route outside 192.168.5.0 255.255.255.0 192.168.105.9 2
This route should read:
route inside 192.168.5.0 255.255.255.0 192.168.105.9 2
Jon
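To make the two fixes above concrete, here is an added, minimal two-firewall config in PIX 7.x syntax (not the thread's own config, and not Ali's attached Pix1 config): Pix1 gets the route back to the LAN on its inside interface plus a PAT entry for 192.168.5.0/24, while Pix2 passes LAN addresses through untranslated with an identity static. Interface names, Pix1's inside address 192.168.105.1 and Pix2's inside address 192.168.5.1 are assumed; 192.168.105.9 is Pix2's outside address as given in the thread, and 19x.yyy.zzz is the thread's placeholder public range.

```cisco
! ===== Pix1 (outer firewall): inside interface on the server subnet =====
! Assumed: inside 192.168.105.1/24; outside holds a public 19x.yyy.zzz address.
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.105.1 255.255.255.0
!
! LAN hosts reach Pix1 via Pix2's OUTSIDE interface (192.168.105.9), which is
! on Pix1's INSIDE segment, so the return route must point out "inside".
route inside 192.168.5.0 255.255.255.0 192.168.105.9 1
!
! Translate the LAN behind Pix2 to Pix1's public interface address.
! NAT id 4 is used so it does not collide with the existing ids 1 and 3.
nat (inside) 4 192.168.5.0 255.255.255.0
global (outside) 4 interface
!
! ===== Pix2 (inner firewall): outside on server subnet, inside on LAN =====
! Assumed: outside 192.168.105.9/24, inside 192.168.5.1/24.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.105.9 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
! Identity static: LAN hosts keep their 192.168.5.x addresses on the server
! segment, so only Pix1 performs a real translation (the "double NAT" path).
static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
!
! Everything that is not the LAN goes to Pix1.
route outside 0.0.0.0 0.0.0.0 192.168.105.1 1
!
! Lower- to higher-security traffic is dropped unless listed. For the ping
! test in the thread, permit only ICMP echo and echo-reply from the server
! subnet; add application ports explicitly rather than "permit ip any any".
access-list outside_in extended permit icmp 192.168.105.0 255.255.255.0 192.168.5.0 255.255.255.0 echo
access-list outside_in extended permit icmp 192.168.105.0 255.255.255.0 192.168.5.0 255.255.255.0 echo-reply
access-group outside_in in interface outside
```

If the LAN must also ping the internet, Pix1's outside ACL needs an equivalent echo-reply entry, since Pix1 does not track ICMP state unless `inspect icmp` is enabled.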
03-09-2009 04:18 AM
Hi Jon
Sorry it's been a few days; I had taken time off. Just to let you know that I managed to get it working thanks to your help throughout.
Essentially what I did was use the points you gave me in your replies and created double NATting. So, the same way I got the servers in the DMZ talking to the outside, I got the LAN hosts talking to the outside, albeit using static IPs, double NATting them all the way to the internet.
I would just like to say that I am really glad I bumped into you on this forum, as you have really helped me out. I am by no means an expert and your help has really been appreciated.
Many thanks
Regards
Ali
03-09-2009 04:47 AM
Ali
Glad you got it working and glad to have been of help.
Jon