10-12-2009 04:58 AM - edited 02-21-2020 03:43 AM
Hi all,
I have a routing + NAT issue with my PIX 515 (v7.2.4).
Indeed, I can't reach at the same time my outside interface (Internet) and a subnetwork in my inside network, using a router which has an IP on my inside network.
Here is my config:
PIX Version 7.2(4)
!
interface Ethernet0
nameif outside
security-level 0
ip address Public_IP 255.255.255.248
ospf cost 10
!
interface Ethernet1
description Office LAN
speed 100
duplex full
nameif inside
security-level 100
ip address 10.10.10.254 255.255.255.0
ospf cost 10
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface VoIP-inside
ip verify reverse-path interface DMZ
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
icmp permit any inside
global (outside) 1 interface
global (inside) 1 interface
nat (outside) 0 access-list outside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 203.XXX.XXX.XXX 1
route inside 10.0.100.0 255.255.252.0 10.10.10.29 1
Packet tracer shows a NAT issue with the dynamic NAT policy, but I don't know why.
When I remove the dynamic NAT policy, I can reach the subnetwork but no longer the Internet...
Thanks
Best Regards,
Laurent
10-12-2009 10:21 PM
Laurent,
Can you clarify in more detail what you are trying to achieve, maybe with an example using actual IP addresses?
Can you also include the packet-tracer output please.
tnx
Herbert
10-13-2009 02:10 AM
Hi,
I want to be able to access, at the same time, the Internet (outside interface) and a subnetwork on my inside interface.
Example :
Inside network : 10.10.10.0/24
PIX inside : 10.10.10.254
IP of my router on the inside network: 10.10.10.29
Subnetwork behind my router : 10.0.100.0/24
To access the outside, I have a dynamic NAT, but with this dynamic NAT enabled I can't ping the subnetwork, while I can ping google.com for example.
If I remove the dynamic NAT, then I can ping the subnetwork but I can no longer reach the Internet (ping google.com not working).
As I have IOS v7.2.4, I followed this guide: http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml#t3 but enabling intra-interface communication is not sufficient.
Regards,
Laurent
10-13-2009 02:24 AM
Hi,
If it's feasible, add a static route for reaching 10.0.100.0 pointing towards 10.10.10.29 on each system on the subnet 10.10.10.0.
10-13-2009 02:35 AM
OK, assuming you are pinging from 10.10.10.x, it would be easiest to simply use 10.10.10.29 as your default gateway, so the inside-to-inside traffic does not pass the firewall.
However, if it is a requirement for this traffic to pass the fw, then I would advise to consider moving one of the inside networks to another firewall interface (if your license allows it).
Otherwise, I guess you would need something like:
no global (inside) 1 interface
global (inside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0 outside
If that does not help, could you please provide the packet-tracer output (from the CLI) ?
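The usual way to get both paths working at once on PIX/ASA 7.x, as an added example that is not part of any post in this thread and not Laurent's or Herbert's configuration: keep the dynamic PAT for Internet-bound traffic and exempt the inside-to-inside hairpin from NAT with a nat 0 access-list, so that 10.10.10.0/24 to 10.0.100.0/22 is forwarded untranslated to 10.10.10.29. The ACL name inside_nat0_outbound is the one already referenced in Laurent's config (the thread never shows its contents); the host addresses 10.10.10.10, 10.0.100.10 and the public test address 203.0.113.10 used in the packet-tracer checks are assumptions for illustration only.

```text
! Added example, not from the thread. Assumed addresses: 10.10.10.10 (inside host),
! 10.0.100.10 (host behind the internal router), 203.0.113.10 (any Internet host).
!
! Hairpinning on the inside interface must be permitted (already in Laurent's config).
same-security-traffic permit intra-interface
!
! NAT exemption: inside -> 10.0.100.0/22 is never translated. nat 0 with an ACL has
! the highest NAT precedence on 7.x, so it wins over "nat (inside) 1 0.0.0.0 0.0.0.0"
! and the hairpinned traffic is no longer PAT'd to the inside interface address.
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.0.100.0 255.255.252.0
nat (inside) 0 access-list inside_nat0_outbound
!
! Dynamic PAT for everything else leaving towards the Internet stays as-is.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Route to the subnet behind the internal router (already in Laurent's config).
route inside 10.0.100.0 255.255.252.0 10.10.10.29 1
!
! Verification from the PIX CLI. Both traces should end in "Action: allow"; the first
! must go through the NAT exemption phase untranslated, the second must show dynamic
! PAT to the outside interface address.
packet-tracer input inside icmp 10.10.10.10 8 0 10.0.100.10 detailed
packet-tracer input inside icmp 10.10.10.10 8 0 203.0.113.10 detailed
```

One caveat a practitioner should check before settling on this design: because 10.10.10.29 sits on the same LAN as the clients, replies from 10.0.100.0/22 go from the router straight back to the host and never pass the PIX. That is harmless for ping, but for TCP the firewall sees the SYN and the client's ACK without ever seeing the SYN-ACK and drops the connection as out of state. This is why the earlier replies suggest a static route on each host or 10.10.10.29 as the default gateway, or moving the routed subnet behind its own firewall interface; the nat 0 exemption only removes the NAT problem, not the asymmetric return path.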