06-03-2010 03:45 PM - edited 03-11-2019 10:54 AM
Hi,
I'm confident that I'm missing a major concept here, for which I'd need a bit of assistance.
The setup I'm playing with is as simple as the below:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 AP security50
nameif ethernet1 inside security100
[AP] - [PIX] - [INSIDE and router toward the internet]
I'm trying to use NAT between those two legs, but I'm failing miserably and the Cisco sample scenarios [1] don't help me much (assuming I have read them correctly).
Each interface has been attributed its IP.
ip address AP 10.0.0.251 255.255.255.0
ip address inside 192.168.1.251 255.255.255.0
And for the sake of simplicity, I have allowed traffic both ways (test done from the lower security level to the higher) to focus on my NAT issue for now.
access-list inside_access_in permit ip any any
access-list AP_access_in permit ip any any
access-group AP_access_in in interface AP
access-group inside_access_in in interface inside
I have defined a default route and the following two nats,
global (AP) 2 interface
global (inside) 1 192.168.1.20-192.168.1.50 netmask 255.255.255.0
nat (AP) 1 10.0.0.0 255.255.255.0 outside 0 0
nat (inside) 2 192.168.1.0 255.255.255.0 0 0
route inside 0.0.0.0 0.0.0.0 192.168.1.1 1
Now, as I understand this,
- traffic coming from 10.0.0.0/24 will get translated to 192.168.1.20-50/24
- traffic coming from 192.168.1.0/24 will get translated to 10.0.0.251 (PAT).
This, looking good (I thought :/), was ready to be tested.
name 192.168.1.70 HOSTB
name 10.0.0.1 HOSTA
A ping from HOSTA to HOSTB doesn't go through.
root@HOSTA:~# ping 192.168.1.70
PING 192.168.1.70 (192.168.1.70): 56 data bytes
--- 192.168.1.70 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
Tcpdump on the inside side of the firewall sees nothing leaving. So, enabling some logging, I get the following on the PIX:
%PIX-6-609001: Built local-host AP:10.0.0.1
%PIX-6-305009: Built dynamic translation from AP:10.0.0.1 to inside:192.168.1.20
%PIX-3-305005: No translation group found for icmp src AP:HOSTA dst inside:HOSTB (type 8, code 0)
Huh. On that, Cisco says [2]:
Error Message %PIX-3-305005: No translation group found for protocol src interface_name:dest_address/dest_port dst interface_name:source_address/source_port
Explanation A packet does not match any of the outbound nat rules.
Recommended Action This message signals a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the nat 0 ACL.
My NAT command does match the source IP address.
As in, 10.0.0.1 is included in 10.0.0.0/24 - which is also why I get the built dynamic translation message I suppose.
Anyway, that's where I understand that I am surely missing a concept here. Could you please shed some light on those basics for me?
Ta.
Pixbee
[1] http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800b6e1a.shtml
[2] http://www.cisco.com/en/US/docs/security/pix/pix63/system/message/pixemsgs.html
06-04-2010 03:11 AM
You are using only dynamic translations (both inside NAT and outside NAT), which is not a good NAT design if you actually want to establish connections. The PIX needs an active inside-global address in the XLATE table to accept inbound connections. Your inside-local addresses are translated dynamically to a PATted inside-global. This does not establish a global address, nor does it allow inbound connections.
Use statics if you want inbound sessions/connections. I'm not sure whether your version (which is end of support?) supports port statics, which you need for a PAT environment.
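The following is an added illustration of the static the reply above is pointing at; it is not configuration posted by either participant. On PIX 6.3 a dynamic nat/global pair only creates an xlate when the host on the higher-security interface opens the connection, so a session started on AP toward a host on inside needs a static (or a nat 0 ACL) for the inside host before the PIX will accept it. The mapped address 10.0.0.70 is an assumed, unused address in the AP subnet chosen for this example, and HOSTA is assumed to route to 192.168.1.0/24 through the PIX's AP address (10.0.0.251).

```cisco
! Added example, not from the thread. The existing global/nat lines stay as they are;
! the static below publishes HOSTB (192.168.1.70 on inside) on the AP interface.
! 10.0.0.70 is an assumed spare address on the AP subnet.
static (inside,AP) 10.0.0.70 192.168.1.70 netmask 255.255.255.255
!
! Alternative, if HOSTB should keep its real address when seen from AP
! (identity static; requires HOSTA to reach 192.168.1.0/24 via the PIX):
! static (inside,AP) 192.168.1.70 192.168.1.70 netmask 255.255.255.255
!
! Translation changes are not picked up by existing entries; flush them after editing:
clear xlate
!
! Then, from HOSTA, ping the mapped address (10.0.0.70 with the first static,
! 192.168.1.70 with the identity static), and on the PIX check that both the
! outside-NAT entry for HOSTA and the static entry for HOSTB are present:
! show static
! show xlate
```

The AP_access_in ACL on the page already permits ip any any, so the access-list is not the blocker; the missing piece that message 305005 reports is the translation for the destination host, which the static supplies.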
06-06-2010 03:24 PM
Hi,
Thanks for the note.
The PIX needs an active inside-global address in the XLATE table to accept inbound connections. Your inside-local addresses are translated dynamically to a PATted inside-global. This does not establish a global address, nor does it allow inbound connections.
Use statics if you want inbound sessions/connections. I'm not sure whether your version (which is end of support?) supports port statics, which you need for a PAT environment.
I'm not sure I fully understand that yet (sorry for that).
As I understand it, outbound connections from "AP" to "Inside" will have an AP global address in the XLATE table.
Any AP local addresses (10.x/24) get translated to the AP global addresses (which is the pool in 192.x/24).
If I attempt a ping from a device in "AP" to an address in "Inside", a look at show xlate gives:
ERZILIE# show xlate
1 in use, 1 most used
Global 192.168.1.21 Local GANGAN