11-09-2010 01:23 AM - edited 03-11-2019 12:06 PM
Hello,
I am using a PIX on our test network and I'm trying to get devices on interface "DMZ4_Wireless_PDA" (Ip range 172.25.1.x/24) to communicate with x.x.156.78 which NAT's to a server on the inside interface on 192.168.200.200. Attached is my config but I can't get it to work. The 172.25.1.x range needs to communicate on various ports especially ICMP.
Thanks in advance for your time
11-09-2010 01:48 AM
There seems to be an overlap with ip address x.x.156.78 on the following:
global (inside) 1 x.x.156.78
nat (outside) 1 192.168.201.0 255.255.255.0
static (inside,DMZ4_Wireless_PDA) x.x.156.78 192.168.200.200 netmask 255.255.255.255
Do you have a need for the nat/global pair?
Also, do you need to ping the public ip address (x.x.156.78) instead of the private ip address (192.168.200.200)? Or does it not really matter which ip address you ping, as long as it's testing the actual server connectivity?
To ping, you would also need to configure inspection for icmp:
policy-map global_policy
class inspection_default
inspect icmp
11-09-2010 02:27 AM
Hi,
My Pix/ASA knowledge is a bit rusty, but all I need is all the devices on 172.25.1.x/24 to contact x.x.156.78, which is a server on the inside (192.168.200.200). I'm not sure what or why the global statement is there, what does that do?
x.x.156.78 is a public IP, but for the scenario it is a server on the inside and yes I need to ping x.x.156.78.
I hope that's a little clearer as my explanation wasn't the best.
Thanks
11-09-2010 02:41 AM
As far as the NAT statement is concerned, you only need the following line:
static (inside,DMZ4_Wireless_PDA) x.x.156.78 192.168.200.200 netmask 255.255.255.255
The nat/global pair as far as I understand does not serve any purpose, and it would be best to remove them as it overlaps with the static NAT statement above:
no global (inside) 1 x.x.156.78
no nat (outside) 1 192.168.201.0 255.255.255.0
Please "clear xlate" after the changes, and also add "inspect icmp" as advised earlier.
11-09-2010 02:42 AM
And also you need to enable proxyarp for DMZ4_Wireless_PDA interface:
no sysopt noproxyarp DMZ4_Wireless_PDA
11-09-2010 08:29 AM
I believe I have changed the config to match what you said, but I still can't connect to x.x.156.78. I have configured my laptop to 172.5.1.10/24 and added me to the DMZ4_Wireless_PDA interface and tried to ping x.x.156.78 (192.168.200.200) and it fails.
I logged on to the ASDM and did a packet trace from 172.25.1.10 to x.x.156.78 using echo-reply and it failed on the NAT-Exempt.
Any ideas what I might be doing wrong? Let me know if you need a fresh config.
Thanks
11-10-2010 02:40 AM
Yes, packet tracer is right.
NAT exemption takes precedence over Static NAT, hence it's failing the static NAT.
The following NAT exemption configuration:
nat (inside) 0 access-list inside_nat0_outbound
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.201.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 172.25.1.0 255.255.255.0
For testing purposes, I would take out that red line of ACL, "clear xlate", and test it. This should work now.
Then you can configure the following ACL instead to bypass 192.168.200.200 from being exempted:
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.128 172.25.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.128 255.255.255.192 172.25.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.192 255.255.255.248 172.25.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.200.201 172.25.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.200.202 172.25.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.200.203 172.25.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.204 255.255.255.252 172.25.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.208 255.255.255.240 172.25.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.224 255.255.255.224 172.25.1.0 255.255.255.0
11-10-2010 02:26 AM
Hello,
Would a fresh config help at all? I can't think why I would need a NAT exempt rule in place can you?
11-09-2010 01:50 AM
Hi Andy ,
By default the PIX needs to NAT flows from a higher security level (inside 100) to a lower security level (DMZ4_Wireless_PDA 20).
So the solutions are:
1. configure nat of the inside host to DMZ4 segment
static (inside,DMZ4_Wireless_PDA) 172.25.1.200 192.168.200.200
Allow on the access-list:
access-list DMZ4_Wireless_PDA_access_in permit icmp 172.25.1.0 255.255.255.0 host 172.25.1.200
2. disable this behaviour
no nat-control
Then your configured access-list will work:
access-list DMZ4_Wireless_PDA_access_in extended permit udp 172.25.1.0 255.255.255.0 host 192.168.200.2 eq domain
Dan
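As an added example that is not part of the thread: a small Python model of the precedence the replies describe (the nat 0 exemption ACL is matched before the static, and with nat-control a flow with no translation at all is dropped), plus a check that the carve-out ACL really leaves only 192.168.200.200 out of the exemption. It parses the ACL lines quoted above; the function names (translation_for, uncovered_hosts) and the probe addresses are my own, and it models only this precedence, not the full PIX order of operations.

```python
import ipaddress

# Constructed input: the two nat 0 ACL variants quoted in the thread.
BROAD_NAT0 = """
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 172.25.1.0 255.255.255.0
"""
CARVEOUT_NAT0 = """
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.128 172.25.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.128 255.255.255.192 172.25.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.192 255.255.255.248 172.25.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.200.201 172.25.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.200.202 172.25.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.200.203 172.25.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.204 255.255.255.252 172.25.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.208 255.255.255.240 172.25.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.224 255.255.255.224 172.25.1.0 255.255.255.0
"""
STATIC_REAL_IPS = {ipaddress.ip_address("192.168.200.200")}  # real side of the thread's static entry

def _take_net(tokens):
    """Consume one ACL address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]
def parse_nat0_acl(text):
    """Return [(src_net, dst_net)] for each 'permit ip' entry of a nat 0 ACL."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        src, rest = _take_net(t[t.index("ip") + 1:])
        dst, _ = _take_net(rest)
        rules.append((src, dst))
    return rules
def is_exempt(rules, src, dst):
    return any(src in s and dst in d for s, d in rules)
def translation_for(rules, src, dst, statics=STATIC_REAL_IPS, nat_control=True):
    """Translation the PIX picks for real host src toward dst, in the order the replies
    describe: NAT exemption first, then static; with nat-control, no match means drop."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if is_exempt(rules, src, dst):
        return "nat-exempt"  # the static is never consulted: the packet-tracer failure
    if src in statics:
        return "static"
    return "dropped-by-nat-control" if nat_control else "untranslated"
def uncovered_hosts(rules, real_net, dmz_probe):
    # Hosts of real_net that the exemption ACL leaves out toward dmz_probe (should be only .200).
    probe = ipaddress.ip_address(dmz_probe)
    return [str(a) for a in ipaddress.ip_network(real_net) if not is_exempt(rules, a, probe)]
```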