03-05-2007 06:26 AM - edited 03-11-2019 02:41 AM
Hi.
I've configured a one-to-one static NAT on a PIX 506E. The design looks like this: internet --> Cisco 1841 --> PIX 506E. The 1841 LAN interface has 4 public network segments, and the PIX WAN interface uses one of these segments. I configured a static NAT on the PIX as: static (inside,outside) 2.75.15.227 192.10.7.88 netmask 255.255.255.255. If the public address belongs to the PIX WAN interface segment, the static NAT works well; if the public address does not belong to the PIX WAN interface segment, the static NAT can't be used: the local machine that has the real IP can't access the internet, but from the internet I can ping the mapped public address.
1841 config as :
Router#show run
Building configuration...
version 12.4
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
username cisco privilege 15 secret xxx
!
!
!
interface FastEthernet0/0
ip address 169.x.64.x.255.255.252
speed 10
full-duplex
!
interface FastEthernet0/1
ip address 2.170.x.x.255.255.248 secondary
ip address 2.235.x.x.255.255.248 secondary
ip address 2.75.x.x.255.255.248 secondary
ip address 2.75.x.x.255.255.240
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 169.254.64.25
ip route 2.75.x.x.255.255.255 FastEthernet0/1
ip route 2.75.x.x.255.255.255 FastEthernet0/1
ip route 2.235.x.x.255.255.255 FastEthernet0/1
ip route 2.235.x.x.255.255.255 FastEthernet0/1
!
ip http server
ip http timeout-policy idle 60 life 86400 requests 10000
!
control-plane
-----------------------------------------
pix config :
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx
......
names
access-list 110 permit ip any any
access-list 110 permit tcp any any
access-list 111 deny ip 192.10.7.0 255.255.255.0 2.170.130.16 255.255.255.248
access-list 111 deny ip 192.10.7.0 255.255.255.0 2.75.15.224 255.255.255.240
access-list 111 deny ip 192.10.7.0 255.255.255.0 2.75.18.96 255.255.255.248
access-list 111 deny ip 192.10.7.0 255.255.255.0 2.235.57.8 255.255.255.248
access-list 111 permit ip any any
pager lines 24
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside 2.75.x.x.255.255.0
ip address inside 192.10.7.254 255.255.255.0
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 access-list 111 0 0
alias (inside) 192.10.7.246 2.75.15.230 255.255.255.255
alias (inside) 192.10.7.8 2.75.15.228 255.255.255.255
static (inside,outside) 2.x.130.18 192.10.7.207 netmask 255.255.255.255 0 0
static (inside,outside) 2.170.130.20 192.10.7.208 netmask 255.255.255.255 0 0
static (inside,outside) 2.170.130.21 192.10.7.206 netmask 255.255.255.255 0 0
static (inside,outside) 2.75.15.227 192.10.7.88 netmask 255.255.255.255 0 0
#---------------------- this command can't work; if I change the mapped public address to 2.75.18.99, then it's OK
static (inside,outside) 2.75.15.228 192.10.7.8 netmask 255.255.255.255 0 0
static (inside,outside) 2.75.15.229 192.10.7.7 netmask 255.255.255.255 0 0
static (inside,outside) 2.75.15.230 192.10.7.246 netmask 255.255.255.255 0 0
access-group 110 in interface outside
access-group 110 in interface inside
route outside 0.0.0.0 0.0.0.0 2.75.18.98 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
: end
03-05-2007 03:45 PM
If you are able to ping the public IP from the Internet, then Internet access for the host should also work.
Could be a DNS issue. Try pinging 4.2.2.2 from the host.
-Kanishka
03-06-2007 07:54 AM
When I ping 4.2.2.2 it also times out.
I've asked a Cisco engineer at the Cisco PHO website; he told me the mapped IP address must belong to the same segment as its WAN interface IP address.
03-06-2007 08:22 AM
It's not necessary. If your mapped IP address is not in the same subnet as the outside network, all you need is a "route" on the outside router, routing traffic for the mapped IP/network to the outside interface IP of the PIX. If that is in place, you need to make sure that:
- the mapped IP address is not in use anywhere else;
- you clear the ARP cache on the outside router;
- you try pinging the mapped IP address from the router with ICMP debugs enabled on the PIX. This will show whether the router is routing the packets correctly;
- you verify with your ISP that the mapped IP addresses are registered for use by you and are routable accordingly.
Regards,
Vibhor.
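Vibhor's checklist above, turned into a small config checker (an added example, not code from the thread or from Cisco): it parses PIX 6.3 "static" and "alias" lines plus the router's Fa0/1 subnets, and reports for each mapped address whether it lies in the PIX outside subnet, whether the 1841 already has it as a connected network or needs a host route to the PIX outside IP, and whether the address is reused by another translation entry. Octets the poster hid as "x" are replaced by constructed placeholder values.

```python
import re
from ipaddress import ip_address, ip_network, ip_interface

# Constructed sample input modelled on the thread; octets the poster hid as "x"
# are filled with placeholder values (an assumption, not the real addressing).
PIX_OUTSIDE = ip_interface("2.75.18.97/29")      # PIX outside IP (assumed)
ROUTER_FA0_1 = [ip_network(n) for n in (
    "2.170.130.16/29", "2.235.57.8/29", "2.75.15.224/28", "2.75.18.96/29")]
PIX_CONFIG = """
alias (inside) 192.10.7.246 2.75.15.230 255.255.255.255
alias (inside) 192.10.7.8 2.75.15.228 255.255.255.255
static (inside,outside) 2.170.130.20 192.10.7.208 netmask 255.255.255.255 0 0
static (inside,outside) 2.75.15.227 192.10.7.88 netmask 255.255.255.255 0 0
static (inside,outside) 2.75.15.228 192.10.7.8 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.5 192.10.7.9 netmask 255.255.255.255 0 0
"""
STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask (\S+)")
ALIAS_RE = re.compile(r"^alias \(inside\) (\S+) (\S+) (\S+)")

def parse_pix(config):
    """Return ({mapped_ip: real_ip} from static lines, {foreign_ip} from alias lines)."""
    statics, aliases = {}, set()
    for line in config.splitlines():
        if m := STATIC_RE.match(line.strip()):
            statics[ip_address(m.group(1))] = ip_address(m.group(2))
        elif m := ALIAS_RE.match(line.strip()):
            aliases.add(ip_address(m.group(2)))
    return statics, aliases

def check_static(mapped, pix_outside, router_nets, aliases):
    """Apply the thread's checks to one mapped address; returns a list of findings."""
    findings = []
    if mapped not in pix_outside.network:
        findings.append("not in PIX outside subnet")
    if any(mapped in n for n in router_nets):
        findings.append("router sees it as connected on Fa0/1 (no route needed)")
    else:
        findings.append(f"router needs: ip route {mapped} 255.255.255.255 {pix_outside.ip}")
    if mapped in aliases:
        findings.append("also used by an alias entry; verify it is not in use elsewhere")
    return findings

def audit(config=PIX_CONFIG, pix_outside=PIX_OUTSIDE, router_nets=ROUTER_FA0_1):
    """Run check_static over every static in the config, keyed by mapped address."""
    statics, aliases = parse_pix(config)
    return {str(m): check_static(m, pix_outside, router_nets, aliases) for m in statics}

if __name__ == "__main__":
    for mapped, notes in audit().items():
        print(mapped, "->", "; ".join(notes))
```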
03-07-2007 01:53 AM
The PIX's neighbor is the Cisco 1841; it has four subnets, and one of them is in the same subnet as the PIX mapped IP address, so I think the "route" is not necessary.
So the reason is something else; the error is not related to the PIX and router config, is it?