cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
443
Views
0
Helpful
4
Replies

PIX 515 : routing issue + NAT

IT-Volubill
Level 1
Level 1

Hi all,

I have a routing + NAT issue with my PIX 515 (v7.2.4).

Indeed, i can't reach at the same time, my outside interface (Internet) and a subnetwork in my inside network using a router which has an ip on my inside network.

here is my conf :

PIX Version 7.2(4)

!

interface Ethernet0

nameif outside

security-level 0

ip address Public_IP 255.255.255.248

ospf cost 10

!

interface Ethernet1

description Office LAN

speed 100

duplex full

nameif inside

security-level 100

ip address 10.10.10.254 255.255.255.0

ospf cost 10

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip verify reverse-path interface VoIP-inside

ip verify reverse-path interface DMZ

icmp unreachable rate-limit 1 burst-size 1

icmp deny any outside

icmp permit any inside

global (outside) 1 interface

global (inside) 1 interface

nat (outside) 0 access-list outside_nat0_outbound

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

access-group inbound in interface outside

route outside 0.0.0.0 0.0.0.0 203.XXX.XXX.XXX 1

route inside 10.0.100.0 255.255.252.0 10.10.10.29 1

Packet tracer show a NAT issue with the dynamic NAT policy but i don't know why.

When i remove the dynamic NAT policy, i can reach the subnetwork but no more internet...

Thanks

Best Regards,

Laurent

4 Replies 4

Herbert Baerten
Cisco Employee
Cisco Employee

Laurent,

can you clarify in more detail what you are trying to achieve, maybe with an example using actual ip addresses?

Can you also include the packet-tracer output please.

tnx

Herbert

Hi,

I want to be able to access at the same time Internet (outside interface) and a subnetwork in my inside interface.

Example :

Inside network : 10.10.10.0/24

PIX inside : 10.10.10.254

IP of my router in the inside network : 10.10.10.29

Subnetwork behind my router : 10.0.100.0/24

To access outside, i have a Dynamic NAT, but with this Dynamic NAT enable then i can't ping the subnetwork while i can ping google.com for example.

If i remove the Dynamic NAT, then i can ping the subnetwork but i can't no more reach Internet (ping google.com not working).

As i have ios v7.2.4, i follow this guide : http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml#t3 but enabling intra-interface communication is not sufficient.

Regards,

Laurent

Hi,

If its feasible, add a static route for reaching 10.0.100.0 pointing towards 10.10.10.29, on each system on the subnet 10.10.10.0.

Ok, assuming you are pinging from 10.10.10.x, it would be easiest to simply use 10.10.10.29 as your default gw, so the inside-to-inside traffic does not pass the firewall.

However, if it is a requirement for this traffic to pass the fw, then I would advise to consider moving one of the inside networks to another firewall interface (if your license allows it).

Otherwise, I guess you would need something like:

no global (inside) 1 interface

global (inside) 2 interface

nat (inside) 2 0.0.0.0 0.0.0.0 outside

If that does not help, could you please provide the packet-tracer output (from the CLI) ?

Review Cisco Networking for a $25 gift card