07-05-2013 01:21 AM - edited 03-11-2019 07:07 PM
Hi Guys,
I have a problem where my HQ (private IP) is unable to ping and access a server with IP 10.45.x.42 residing at my branch. Both HQ and my branch use private IPs. My LAN uses 2 IP ranges.
LAN (10.45.x.0/19 old range & 10.36.x.0/16 new range) -----> FW 10.36.x.12 -----> Exinda 10.39.x.3 -----> Router 10.39.x.1 -----> Internet
Previously I was using both IP ranges in my network-object, and I asked our provider to ping my LAN, but there was no reply.
Now the problem is that the HQ/provider can't ping 10.45.x.0/19; it gets stuck at the PIX.
When I use packet-tracer I get this result. It seems to be stuck at NAT.
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 access-list net36
nat-control
match ip inside 10.45.x.0 255.255.224.0 Net any
dynamic translation to pool 1 (10.39.x.2 [Interface PAT])
translate_hits = 3185, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0x4dc4d38, priority=2, domain=nat-reverse, deny=false
hits=1782778, user_data=0x4d2e470, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.45.x.0, mask=255.255.224.0, port=0
Here is my network-object config:
object-group network NET_CLIENT
network-object 10.36.x.0 255.255.0.0
network-object 10.45.x.0 255.255.224.0
access-list permit-all extended permit icmp any any
access-list permit-all extended permit ip any any
access-list permit-all extended permit udp any any
access-list permit-all extended permit tcp any any
access-list net36 extended permit ip object-group NET_CLIENT any
access-list net36 extended permit tcp object-group NET_CLIENT any
access-list net36 extended permit udp object-group NET_CLIENT any
access-list net36 extended permit icmp object-group NET_CLIENT any
I really appreciate your help and advice.
07-05-2013 04:39 AM
Hi,
It would be better to see the actual "packet-tracer" command and the complete output it gives.
Basically what the above states is that the traffic tested hits a different NAT rule in the other direction and because of this traffic will fail.
Can you provide us with the "packet-tracer" command and output
If you can, the NAT configuration would naturally help a lot also.
- Jouni
07-07-2013 07:03 PM
Hi Jouni,
I can't do the packet-tracer as the PIX has already been bypassed by my superior.
Based on my config, how should I allow IP 10.45.x.0 to be pingable from the outside interface, e.g. my HQ? As this config was written, the log shows it has no translation group towards the dst 10.45.x.0/19:
Jul 02 2013 20:13:30: %PIX-3-305005: No translation group found for tcp src Net:202.75.x.24/50204 dst inside:10.45.x.51/443
Jul 02 2013 20:13:30: %PIX-3-305005: No translation group found for tcp src Net:202.75.x.43/65025 dst inside:10.45.x.51/443
Jul 02 2013 20:13:30: %PIX-3-305005: No translation group found for tcp src Net:113.210.x.139/34736 dst inside:10.45.x.51/443
*Based on my config, even allowing everything in and out I still get stuck with the "No translation group". Can you guide me on how to use the network-object with the ACL so that outside can access the server inside without getting stuck on the NAT portion?
===============
PIX Version 7.2(1)
!
hostname SD
names
dns-guard
!
interface Ethernet0
nameif Net
security-level 0
ip address 10.39.x.x 255.255.255.128
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.36.x.x 255.255.255.248
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone MYT 8
dns server-group DefaultDNS
domain-name
same-security-traffic permit inter-interface
access-list permit-all extended permit icmp any any
access-list permit-all extended permit ip any any
access-list permit-all extended permit udp any any
access-list permit-all extended permit tcp any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 16384
logging buffered notifications
logging trap debugging
logging history informational
logging asdm informational
logging host inside 10.36.x.17
logging ftp-bufferwrap
mtu Net 1500
mtu inside 1500
ip verify reverse-path interface Net
ip verify reverse-path interface inside
no failover
asdm image flash:/asdm-521.bin
asdm history enable
arp timeout 14400
nat-control
global (Net) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0
access-group permit-all in interface Net
access-group permit-all in interface inside
route Net 0.0.0.0 0.0.0.0 10.39.x.x 1
route inside 10.36.0.0 255.255.0.0 10.36.x.x 1
route inside 10.45.x.0 255.255.224.0 10.36.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.36.x.142 255.255.255.255 inside
snmp-server location level 2
snmp-server contact Network
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
telnet 10.36.x.x 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end
07-09-2013 09:43 AM
Can anybody teach me how I can make multiple internal IPs pingable from the outside (HQ office)?
07-09-2013 09:49 AM
Hi,
The ICMP is coming from a public source IP address?
How is the HQ connected to this site that has the PIX firewall?
- Jouni
07-09-2013 04:45 PM
Hi Jouni,
My HQ with IP 10.22.x.x is trying to ping a server in the IP range 10.45.x.0. Routing is done at ISP level via IPVPN.
When they traceroute from HQ it gets stuck at the router's public IP, but if the PIX is bypassed the traffic can pass through.
The old segment 10.36.x.x should remain in the PIX. How do I allow the new segment 10.45.x.0 to be pingable from 10.22.x.x? Any advice appreciated.
07-10-2013 11:53 PM
Hi,
I am still not quite sure about your setup.
You say that the HQ is connected to the PIX site through the ISPs network. The HQ network should be 10.22.x.x/yy. On the basis of your above PIX configuration this should be located behind the "outside" interface of the PIX.
Yet the logs you have posted above show traffic coming from public IP addresses and NOT the 10.22.x.x/yy, so it's hard to determine what the situation actually is and what NAT configuration to suggest.
If I were to purely go on the information given THEN for your HQ coming from subnet 10.22.x.x/yy to subnet 10.45.x.0/19 you would have to configure NAT0 between these networks.
Essentially the configuration would look something like this:
access-list INSIDE-NAT0 remark NAT0/NONAT for Branch to HQ traffic
access-list INSIDE-NAT0 permit ip 10.45.x.0 255.255.224.0 10.22.x.x y.y.y.y
nat (inside) 0 access-list INSIDE-NAT0
This should essentially enable hosts from 10.22.x.x/yy subnet to connect directly to subnet 10.45.x.0/19 on their original IP addresses as far as your PIX configurations are concerned.
- Jouni
07-11-2013 12:29 AM
Hi Jouni,
Thanks for the configuration.
I have limited knowledge about firewalling. Sorry about that.
Can the PIX pass through traffic without it being filtered/dropped at the NAT portion? Just like, e.g.:
10.22.x.x -->10.45.x.x
10.23.x.x -> 10.36.x.x
--idz
07-11-2013 01:18 AM
Hi,
It seems to me you have, in your above configuration, allowed ALL traffic through the PIX.
The configuration I provided should enable connections through the PIX with regards to NAT between the 10.22.x.x/yy and 10.45.x.0/19 subnets in either direction.
If the other Branch network needs the same type of rule then you would simply add another line to the ACL/access-list we created, BUT you would use the other Branch network as the source:
access-list INSIDE-NAT0 permit ip 10.36.0.0 255.255.0.0 10.22.x.x y.y.y.y
- Jouni
07-11-2013 01:41 AM
Hi,
Thanks Jouni. Really appreciate your help. Will try it tomorrow.
07-17-2013 01:58 AM
Hi Jouni,
Here is the latest packet-tracer. It seems stuck on the newly created NAT 0. Any idea?
packet-tracer input Net tcp 103.245.x.x 443 10.45.x.51 443
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.45.160.0 255.255.224.0 inside
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Net
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group permit-all in interface Net
access-list permit-all extended permit ip any any
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 0 access-list INSIDE-NAT0
nat-control
match ip inside any Net any
no translation group, implicit deny
policy_hits = 220178
Additional Information:
Result:
input-interface: Net
input-status: up
input-line-status: up
output-interface: Net
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
07-17-2013 02:02 AM
Hi,
You are testing with an IP address that you haven't mentioned so far. Last you mentioned some 10.22.x.x/yy networks.
So I have no idea what you are trying to accomplish, since the IP addresses you are using are changing in every post.
It's really hard to help with this since I don't know what you are actually trying to accomplish.
- Jouni
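To make the NAT0/identity-NAT point from Jouni's replies concrete, here is a small added model (example code written for this page, not from Cisco or the PIX itself) of the PIX 7.x inbound "rpf-check" under nat-control: it replays the lookup for an inside host before and after the `nat (inside) 0 access-list INSIDE-NAT0` rule, and shows why the packet-tracer above from 103.245.x.x still drops against an ACL whose remote side is only 10.22.x.x. Assumed values: the HQ network is taken as 10.22.0.0/16, and 10.22.1.10 and 103.245.1.1 are constructed source addresses.

```python
import ipaddress

# Constructed model of the PIX 7.x inbound NAT check (the "rpf-check" phase in
# packet-tracer). Class and method names are hypothetical; the PIX has no such API.


def net(addr, mask):
    """Build a network from PIX 'address mask' notation, e.g. 10.45.160.0 255.255.224.0."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


class PixNat:
    def __init__(self, nat_control=True):
        self.nat_control = nat_control
        self.nat0 = []      # (inside_net, remote_net) from 'nat (inside) 0 access-list ...'
        self.dynamic = []   # inside nets from 'nat (inside) 1 ...' + 'global (Net) 1 interface'

    def add_nat0(self, inside_addr, inside_mask, remote_addr, remote_mask):
        self.nat0.append((net(inside_addr, inside_mask), net(remote_addr, remote_mask)))

    def add_dynamic(self, inside_addr, inside_mask):
        self.dynamic.append(net(inside_addr, inside_mask))

    def inbound(self, src, dst):
        """Packet arriving on Net (security 0) toward inside (security 100).
        Returns (allowed, reason)."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # The nat 0 ACL is matched in reverse for inbound traffic: packet dst must sit in
        # the ACL's source (inside) network and packet src in its destination (remote) network.
        for inside_net, remote_net in self.nat0:
            if d in inside_net and s in remote_net:
                return True, f"identity NAT (nat 0) {inside_net} <-> {remote_net}"
        # Dynamic PAT only builds xlates for outbound flows, so unsolicited inbound traffic
        # has nothing to 'untranslate' into; with nat-control that is a drop.
        if self.nat_control:
            hint = " (dst covered only by dynamic PAT)" if any(d in n for n in self.dynamic) else ""
            return False, f"%PIX-3-305005: No translation group found for dst inside:{d}{hint}"
        return True, "nat-control disabled: untranslated traffic passes"


def thread_scenarios():
    """Replay the thread's three situations; returns {name: allowed}."""
    pix = PixNat(nat_control=True)
    pix.add_dynamic("10.0.0.0", "255.0.0.0")            # nat (inside) 1 10.0.0.0 255.0.0.0
    before = pix.inbound("10.22.1.10", "10.45.160.51")   # HQ host -> OWA, no nat 0 yet
    pix.add_nat0("10.45.160.0", "255.255.224.0", "10.22.0.0", "255.255.0.0")  # assumed HQ /16
    after = pix.inbound("10.22.1.10", "10.45.160.51")    # same flow after nat 0 is added
    public = pix.inbound("103.245.1.1", "10.45.160.51")  # the later packet-tracer test
    return {"hq_before_nat0": before[0], "hq_after_nat0": after[0], "public_src": public[0]}
```

Widening the remote side of the nat 0 ACL is what would let a source outside 10.22.x.x match; the model only shows that, as written, the public test source cannot.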
07-17-2013 02:55 AM
Hi Jouni,
Thank you for your patience. I am really sorry to trouble you.
My email has a public IP of 103.245.xx.xx. This IP is NATted to our private IP 10.45.160.51.
If I connect the PIX the email can't be viewed. If I bypass the PIX it's OK.
I'm trying to accomplish a setup where our staff outside can reach my OWA email.
Hope this clears up what I want to accomplish.
07-17-2013 11:12 AM
Hi Jouni,
I managed to resolve this problem as you advised. Just a little tweak on the command you gave and it works. Thank you for your great help.