07-11-2006 12:49 AM - edited 02-21-2020 01:02 AM
Hi,
I am pretty new to PIX (version 6.3) and I am trying, from my PC on the outside (192.168.0.2), to ping the inside interface (10.35.121.98) or any host on the inside.
Here is my configuration, I do not understand why it is not working.
- I authorized icmp on both interfaces
- I put an access-list on the outside interface.
- I created a static translation between outside and inside interface.
: Written by enable_15 at 10:38:55.840 UTC Tue Jul 11 2006
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname pix
domain-name goeland.intra
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list permitall permit icmp 192.168.0.0 255.255.0.0 10.35.0.0 255.255.0.0
access-list 101 permit icmp host 192.168.0.2 host 10.35.121.98
pager lines 24
logging on
logging trap debugging
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.1 255.255.255.0
ip address inside 10.35.121.98 255.255.255.128
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.0.2 10.35.121.100 netmask 255.255.255.255 0 0
access-group permitall in interface outside
route inside 10.35.0.0 255.255.0.0 10.35.121.98 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.35.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxx
: end
My PC gateway is 192.168.0.1 and I never see a hit count on access-list permitall, but I see the icmp packet exit my PC. From the PIX, I can ping my PC (connected with the console).
Thanks for your help.
Best regards,
Romain
07-11-2006 03:24 AM
From your PC can you ping 10.35.121.100? That is what your static translation is setup for.
07-11-2006 03:54 AM
Hi,
I cannot ping this address.
I also tried to translate to 10.35.121.98 => Not OK
With ethereal, when pinging 10.35.121.98, I see the ping exit from 192.168.0.2 but nothing occurs on the PIX (I activated "debug icmp trace" and "debug packet outside"). When pinging 192.168.0.1 from 192.168.0.2, the ping is OK.
I can ping 192.168.0.2 from the PIX (console connection).
Best regards,
Romain
07-11-2006 06:37 AM
Your static command is actually translating 10.35.121.98 to 192.168.0.2. I don't believe this is what you are trying to do. If you want to have your outside source appear as a different IP follow the NAT Outside documentation. Attached below.
Ultimately what you are trying to do is allow internal addresses to be accessed by an external host. What you should use is a Policy NAT 0 with an access-list. This will avoid the Xlate requirement for your outside host but still have Xlates for other apps.
Here is a sample configuration (I have something similar in production).
access-list Outside_Host permit ip host 10.35.121.98 host 192.168.0.2
! next statement is more general but you could make it more subnet specific
access-list Outside_Host permit ip any host 192.168.0.2
nat (inside) 0 access-list Outside_Host
Please rate any helpful posts
Thanks
Fred
07-13-2006 04:05 PM
Hi .. your static sentence ...
static (inside,outside) 192.168.0.2 10.35.121.100 netmask 255.255.255.255 0 0
is making 10.35.121.100 appear as 192.168.0.2 to the outside network. So if you want to reach the inside device from the outside network you have to ping 192.168.0.2; the destination will be redirected (NATed) by the PIX to 10.35.121.100 .. Is this what you are trying to achieve ..? or do you want to be able to reach 10.35.121.100 directly (without NATing) ..?
If you want to reach 10.35.121.100 directly then you need to bypass NAT ..
nat (inside) 0 access-list NO_NAT
nat (outside) 0 access-list NO_NAT outside
access-list NO_NAT permit icmp 192.168.0.0 255.255.0.0 10.35.0.0 255.255.0.0
access-list NO_NAT permit icmp 10.35.0.0 255.255.0.0 192.168.0.0 255.255.0.0
I hope it helps .. Please rate if it does !!!
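To make the two explanations above concrete, here is a small added model (not Cisco code and not from any post in this thread) of the one decision the replies are about: whether an outside-to-inside packet has a translation at all. It encodes two PIX 6.3 rules with the thread's own addresses: `static (inside,outside) GLOBAL LOCAL` un-NATs traffic sent to GLOBAL back to LOCAL, and `nat (inside) 0 access-list` lets traffic matching the list keep its real addresses. With only the original static, a ping to 10.35.121.100 or 10.35.121.98 finds no xlate, while a ping to 192.168.0.2 (which is also the PC's own address in this thread) would be delivered to 10.35.121.100; once the NO_NAT list is added, the inside addresses are reachable directly. Interface access-lists, routing and proxy ARP are deliberately left out of the model.

```python
"""Toy model of the PIX 6.3 translation lookup for an outside->inside packet.

Added illustration only; it is not Cisco code and models just two rules:
  * static (inside,outside) GLOBAL LOCAL -> a packet for GLOBAL is un-NATed to LOCAL
  * nat (inside) 0 access-list ACL       -> a packet matching ACL keeps its real addresses
Interface ACLs, routing and proxy ARP are out of scope.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Static:
    global_ip: IPv4Address  # address the inside host presents on the outside
    local_ip: IPv4Address   # real address of the host on the inside


@dataclass(frozen=True)
class Nat0Entry:
    # nat 0 access-lists are written from the inside's point of view:
    # source = real inside network, destination = outside network
    inside: IPv4Network
    outside: IPv4Network


@dataclass
class Pix:
    statics: List[Static] = field(default_factory=list)
    nat0_acl: List[Nat0Entry] = field(default_factory=list)

    def inbound_real_destination(self, src: str, dst: str) -> Optional[IPv4Address]:
        """Real inside address an outside->inside packet is delivered to.

        Returns None when no translation exists, which is the case the PIX
        drops as 'no xlate' (the packet never shows up on the inside).
        """
        src_ip, dst_ip = IPv4Address(src), IPv4Address(dst)
        # 1. static translations: a packet addressed to GLOBAL is un-NATed to LOCAL
        for s in self.statics:
            if dst_ip == s.global_ip:
                return s.local_ip
        # 2. nat 0 access-list: identity translation for matching traffic; the
        #    inbound packet is matched against the list reversed (dst is the inside side)
        for e in self.nat0_acl:
            if dst_ip in e.inside and src_ip in e.outside:
                return dst_ip
        return None


def original_config() -> Pix:
    """Romain's posted configuration: only the static, no nat 0 access-list."""
    return Pix(statics=[Static(IPv4Address("192.168.0.2"), IPv4Address("10.35.121.100"))])


def with_no_nat() -> Pix:
    """Same static plus Fernando's NO_NAT list (10.35.0.0/16 <-> 192.168.0.0/16)."""
    pix = original_config()
    pix.nat0_acl.append(Nat0Entry(IPv4Network("10.35.0.0/16"), IPv4Network("192.168.0.0/16")))
    return pix


if __name__ == "__main__":
    pc = "192.168.0.2"  # the outside PC from the thread
    for label, pix in (("original", original_config()), ("with NO_NAT", with_no_nat())):
        for target in ("10.35.121.98", "10.35.121.100", "192.168.0.2"):
            real = pix.inbound_real_destination(pc, target)
            print(f"{label:12} ping {target:14} -> {real if real else 'no xlate, dropped'}")
```

Running the block prints the delivery result for each target under both configurations; the "no xlate, dropped" rows for 10.35.121.98 and 10.35.121.100 in the original configuration are the situation Romain describes, where the ping leaves the PC but nothing is seen on the inside.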
07-14-2006 06:15 AM
Fernando picked up on my mistake; he's right about your current NAT statement, it's doing .100, not .98. Typo on my part. They did add the outside command in 6.3, but I've found that outside-to-inside works with just the standard NAT 0 command using an access-list with the destination subnet. I have had this working in production before the outside command was released. Either configuration should work for you. Fernando's configuration would have more validity with the TAC.
Thanks
Fred