04-09-2007 04:13 AM - edited 03-11-2019 02:57 AM
I have the following config for PIX515E:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 branches security50
global (outside) 2 interface
nat (inside) 0 access-list vpn_outside_1
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (branches) 2 10.20.18.0 255.255.255.0 0 0
I tried to ping a public address from network 10.20.18.0 and I see packets that are not NATed at the outside interface:
--------- PACKET ---------
-- IP --
10.20.18.3 ==> 1.1.119.28
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x64
id = 0x239 flags = 0x0 frag off=0x0
ttl = 0xfb proto=0x1 chksum = 0x547b
-- ICMP --
type = 0x8 code = 0x0 checksum=0x2f9e
identifier = 0x22 seq = 0x1
-- DATA --
00000010: 00 00 00 00 | ....
00000020: 5c 33 f2 55 ab cd ab cd ab cd ab cd ab cd ab cd | \3.U............
00000030: ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd | ................
00000040: ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd | ................
00000050: ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd | ................
00000060: ab cd ab cd 03 | .....
--------- END OF PACKET ---------
When I do the same from the PIX, it's OK:
--------- PACKET ---------
-- IP --
Public_address_VPNgate ==> 1.1.119.28
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c
id = 0xa407 flags = 0x0 frag off=0x0
ttl = 0xff proto=0x1 chksum = 0x8629
-- ICMP --
type = 0x8 code = 0x0 checksum=0xf5d8
identifier = 0x1124 seq = 0x2
-- DATA --
00000018: 00 01 02 03 04 05 06 07 08 09 0a 0b | ............
00000028: 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b | ................
00000038: 1c 1d 1e 1f 18 | .....
--------- END OF PACKET ---------
Where is the problem?
04-09-2007 08:43 PM
Hi,
Did you add the access list in order to permit the incoming ICMP traffic on the outside interface? If you can ping from the PIX, that means it has connectivity, so one of the first things one needs to check is the ACL. Please add the following:
access-list inbound permit icmp any any
access-group inbound in interface outside
If you already added it, please let me know so we can continue with the troubleshooting.
Hope it helps,
Franco Zamora
04-09-2007 10:29 PM
Hi!
Yes, I have an ACL.
I think the problem is that packets leave the outside interface with a private source (which is certainly not routed on the public internet :) ).
It seems they are not NATed; maybe that is the problem?
04-10-2007 06:54 AM
Could you please add your config to the conversation so I can check it out?
Franco
04-11-2007 01:19 AM
04-11-2007 04:03 AM
Take out...
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
Save with: write mem and also issue: clear xlate
04-11-2007 04:21 AM
I have it already.
04-11-2007 09:58 AM
Try the following:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
clear xlate
04-11-2007 09:40 PM
I've done it.
Same problem.
From network 10.20.18.0/24:
debug packet outside dst A.177.119.28 netmask 255.255.255.255
ping from network 10.20.18.0/24
-- IP --
10.20.18.3 ==> A.177.119.28
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x64
id = 0x2aa flags = 0x0 frag off=0x0
ttl = 0xfb proto=0x1 chksum = 0x540a
-- ICMP --
type = 0x8 code = 0x0 checksum=0x41e9
identifier = 0x25 seq = 0x8
-- DATA --
00000010: 00 00 00 00 | ....
00000020: 6a 3d d1 f6 ab cd ab cd ab cd ab cd ab cd ab cd | j=..............
00000030: ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd | ................
00000040: ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd | ................
00000050: ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd | ................
00000060: ab cd ab cd 6e | ....n
--------- END OF PACKET ---------
Ping from PIX:
PIX2# ping A.177.119.28
--------- PACKET ---------
-- IP --
VPNgate (ip address of outside interface) ==> A.177.119.28
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c
id = 0x642d flags = 0x0 frag off=0x0
ttl = 0xff proto=0x1 chksum = 0xc603
-- ICMP --
type = 0x8 code = 0x0 checksum=0xf5da
identifier = 0x1124 seq = 0x0
-- DATA --
00000018: 00 01 02 03 04 05 06 07 08 09 0a 0b | ............
00000028: 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b | ................
00000038: 1c 1d 1e 1f 59 | ....Y
--------- END OF PACKET ---------
But I want to say that packets from network 10.20.18.0/24 come in on the branches interface, not inside.
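The nat and global statements quoted in this thread are tied together by their NAT ID. As an added example (not posted by anyone in the thread, and not a diagnosis of the problem above), this Python check lists each nat statement and whether a global with the same ID exists on a lower-security interface; the function name and result labels are hypothetical, and it assumes PIX 6.x syntax with nameif lines present.

```python
import re

# Config lines copied from the first post of the thread.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 branches security50
global (outside) 2 interface
nat (inside) 0 access-list vpn_outside_1
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (branches) 2 10.20.18.0 255.255.255.0 0 0
"""

NAMEIF_RE = re.compile(r"^nameif \S+ (\S+) security(\d+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (.+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (.+)$")


def audit_nat_pairs(config):
    """Return (interface, nat_id, status) for every nat statement.

    status is "exempt" for nat 0, "paired:<ifaces>" when a global with the
    same ID sits on a lower-security interface, otherwise "no-global".
    """
    levels, nats, pools = {}, [], {}
    for line in (raw.strip() for raw in config.splitlines()):
        if m := NAMEIF_RE.match(line):
            levels[m.group(1)] = int(m.group(2))
        elif m := NAT_RE.match(line):
            nats.append((m.group(1), int(m.group(2))))
        elif m := GLOBAL_RE.match(line):
            pools.setdefault(int(m.group(2)), []).append(m.group(1))

    findings = []
    for ifname, nat_id in nats:
        if nat_id == 0:  # nat 0 means "do not translate"
            findings.append((ifname, nat_id, "exempt"))
            continue
        # Outbound NAT: the matching global must be on a lower-security interface.
        usable = [g for g in pools.get(nat_id, [])
                  if g in levels and ifname in levels and levels[g] < levels[ifname]]
        status = "paired:" + ",".join(usable) if usable else "no-global"
        findings.append((ifname, nat_id, status))
    return findings


if __name__ == "__main__":
    for finding in audit_nat_pairs(SAMPLE_CONFIG):
        print(finding)
```

On the config from the first post, NAT ID 2 on branches has a matching global on outside, while NAT ID 1 on inside has none, which is what the later suggestion to add `global (outside) 1 interface` addresses.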