02-09-2007 08:24 AM - edited 03-11-2019 02:31 AM
I have a PIX 525E with IOS 6.3.
We've just recently installed a point-to-point T1 that is terminated with 2 Cisco 2610XM routers with VWIC-1MFT-T1 cards (IOS = 12.2).
The two networks at the remote end of the T1 connection can access all resources at the other end (corporate networks) with no problem. Remote nodes can even ping the inside interface of the PIX.
I have a nat (inside) 1 0.0.0.0 0.0.0.0 statement on the PIX to translate everything from the inside networks.
The problem is that the PIX is not applying NAT to the two new networks at the remote end of the T1.
Oddly enough, we have a 100Mb Native LAN WAN link to another remote office and I'm using the same logic there and it works just fine.
Anybody see this before and what did you do to fix it?
Thanks.
02-09-2007 04:53 PM
Looks like the following scenario:
internet--PIX-corp net-router(two networks)
Does the router have its default gateway pointing to the PIX inside interface IP? If the traffic from the two remote networks is directed towards the PIX, and there is no access-list on the inside network blocking the two remote networks, there shouldn't be any issue with creation of the translation.
02-12-2007 05:10 AM
The physical layout is:
Internet Router -> Pix -> Internal Core Router -> Router to Remote Networks.
There is no access-list that would block Internet traffic from the remote networks and the PIX is aware of the two remote networks.
The router connected to the corporate network uses the Internal Core Router as the default gateway.
Thanks again.
02-12-2007 11:37 AM
Internet Router
---------------
|
|
---------
PIX
---------
|
Corp. Router
|
Nw1------Remote Router------NW2
Assuming that gateway of remote router is the Corp. Router, and gateway of Corp. Router is PIX inside interface, if hosts from NW1 & NW2 send internet request, it should reach the PIX. Are there any logs/syslogs which show that traffic is reaching PIX and translation is failing?
02-12-2007 11:47 AM
Hi
If you run a debug on the inside interface of the PIX, can you see packets coming from the remote networks?
Is this the only NAT statement you have on your PIX firewall?
Jon
02-12-2007 11:54 AM
No entries in the syslog about NAT failure.
There aren't even any entries for "IP_ADDRESS accessed URL ..." but I know that the routing is working correctly because a host at the remote site can ping the inside interface of the pix and vice-versa. However, users in the remote networks cannot ping the Pix's DG (internet router) but all users on the corporate networks can.
There are three NAT statements on the firewall:
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list ACL1
nat (dmz) 0 access-list ACL2
Additionally, users in the affected remote networks are able to access resources in the DMZ so NAT'ing is working there as expected.
02-12-2007 12:09 PM
Could you give the output of these commands-
show ip
show route
show access-list
show access-group
show nat
show global
02-13-2007 05:47 AM
I found the problem while double checking the access-lists.
Typically I don't set up "any" rules, but I was pressed for time on this project and took the quick and easy way out and created a NoNat access-list entry for the two new networks with a destination of "any" instead of the specific network they need to get to through a VPN connection.
Thanks.
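The root cause in the last post is the PIX order of operations: a `nat (inside) 0 access-list` (NAT exemption) is checked before the catch-all `nat (inside) 1 0.0.0.0 0.0.0.0`, so a NoNat entry with a destination of "any" silently exempts the remote networks' Internet-bound traffic from PAT. The script below is an added illustration, not code from the thread or from Cisco: it models that evaluation order over constructed sample addresses (remote networks 10.10.1.0/24 and 10.10.2.0/24, VPN peer subnet 192.168.50.0/24, global PAT address 203.0.113.10 and Internet host 198.51.100.5 are all assumed values) and renders the equivalent PIX 6.3 access-list lines for the broken and corrected NoNat ACL.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample addressing; none of these values come from the thread.
REMOTE_NETS = [ipaddress.ip_network("10.10.1.0/24"), ipaddress.ip_network("10.10.2.0/24")]
VPN_PEER_NET = ipaddress.ip_network("192.168.50.0/24")   # what the NoNat rule should have matched
GLOBAL_PAT_IP = ipaddress.ip_address("203.0.113.10")     # 'global (outside) 1 <ip>' equivalent


@dataclass
class AclEntry:
    """One 'access-list NAME permit ip SRC MASK DST MASK' line."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip: ipaddress.IPv4Address, dst_ip: ipaddress.IPv4Address) -> bool:
        return src_ip in self.src and dst_ip in self.dst


@dataclass
class NatPolicy:
    """Models 'nat (inside) 0 access-list NONAT' followed by 'nat (inside) 1 0.0.0.0 0.0.0.0'."""
    nonat_acl: List[AclEntry]
    pat_ip: ipaddress.IPv4Address

    def translate(self, src: str, dst: str) -> Tuple[str, str]:
        """Return (rule that won, source address as seen on the outside)."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # nat 0 access-list is evaluated first: a match means NO translation at all.
        for entry in self.nonat_acl:
            if entry.matches(src_ip, dst_ip):
                return ("nat 0 exempt", str(src_ip))
        # Otherwise the catch-all nat 1 applies and the host is PATed to the global IP.
        return ("nat 1 PAT", str(self.pat_ip))


def acl_broken() -> List[AclEntry]:
    """The shortcut from the thread: remote networks to 'any' (swallows Internet traffic)."""
    return [AclEntry(net, ANY) for net in REMOTE_NETS]


def acl_fixed() -> List[AclEntry]:
    """Exemption limited to the VPN peer subnet; everything else falls through to nat 1."""
    return [AclEntry(net, VPN_PEER_NET) for net in REMOTE_NETS]


def policy_broken() -> NatPolicy:
    return NatPolicy(acl_broken(), GLOBAL_PAT_IP)


def policy_fixed() -> NatPolicy:
    return NatPolicy(acl_fixed(), GLOBAL_PAT_IP)


def _pix_addr(net: ipaddress.IPv4Network) -> str:
    return "any" if net.prefixlen == 0 else f"{net.network_address} {net.netmask}"


def render_acl(name: str, entries: List[AclEntry]) -> List[str]:
    """Render entries as PIX 6.3 access-list lines (for eyeballing in 'show access-list')."""
    return [f"access-list {name} permit ip {_pix_addr(e.src)} {_pix_addr(e.dst)}" for e in entries]


def audit_nonat(entries: List[AclEntry]) -> List[str]:
    """Flag NoNat entries whose destination is 'any': these exempt Internet-bound traffic."""
    return [f"{e.src} -> any exempts all traffic from NAT" for e in entries if e.dst.prefixlen == 0]


if __name__ == "__main__":
    internet_host, vpn_host, remote_host = "198.51.100.5", "192.168.50.7", "10.10.1.20"
    for label, policy in (("broken", policy_broken()), ("fixed", policy_fixed())):
        print(f"--- NoNat ACL ({label}) ---")
        print("\n".join(render_acl("NoNat", policy.nonat_acl)))
        for dst in (internet_host, vpn_host):
            rule, seen_as = policy.translate(remote_host, dst)
            print(f"{remote_host} -> {dst}: {rule}, appears on outside as {seen_as}")
        for finding in audit_nonat(policy.nonat_acl):
            print("WARNING:", finding)
```

With the broken ACL, the remote host's packet to the Internet matches nat 0 and leaves with its private source address, which is exactly why no translation and no "accessed URL" syslog entries appear; with the fixed ACL only VPN-peer traffic is exempted and Internet traffic is PATed. `audit_nonat` is the check worth running over any exemption ACL: an "any" destination in a nat 0 list is almost always a mistake.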