08-26-2003 06:16 AM - edited 02-20-2020 10:57 PM
Hi!
I have a simple test network with overlapping address spaces and want to solve the problem with PIX NAT on a single PIX firewall.
PIX inside = 192.168.1.0/24
PIX outside = 172.16.1.0/24
and the config is:
route outside 0.0.0.0 0.0.0.0 172.16.1.2 1
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
static (inside,outside) 172.16.1.10 192.168.1.4 netmask 255.255.255.255
static (outside,inside) 192.168.2.0 192.168.1.0 dns netmask 255.255.255.0
route outside 192.168.1.112 255.255.255.255 172.16.1.2
(^^^see my previous post on this route.)
The overlapping network 192.168.1.0/24 is behind a router 172.16.1.2.
Now I'm trying to ping a host on the overlapping network by its name from the inside network. The DNS server is on the outside and has RR: "target IN A 192.168.1.112". Note the "dns" option in the static:
static (outside,inside) 192.168.2.0 192.168.1.0 dns netmask 255.255.255.0
ping target
The result is surprising:
305009: Built static translation from inside:192.168.1.4 to outside:172.16.1.10
302015: Built outbound UDP connection 48 for outside:172.16.1.254/53 (172.16.1.254/53) to inside:192.168.1.4/50413 (172.16.1.10/50413)
302016: Teardown UDP connection 48 for outside:172.16.1.254/53 to inside:192.168.1.4/50413 duration 0:00:01 bytes 127
305006: Dst IP is network/broadcast IP, translation creation failed for icmp src inside:192.168.1.4 dst outside:192.168.2.0 (type 8, code 0)
Hmm... What is it?
show hosts (on a client 192.168.1.4):
target.trn ... IP 192.168.2.0
Surprise! The DNS payload translation works, but the PIX allocates the network address from the static pool (it ignores the netmask)!
AGAIN: IS THIS A JOKE OF PIX DEVELOPERS, OR WHAT???
The question: how to solve this problem?
Regards,
Oleg Tipisov,
CCSI
REDCENTER,
Moscow
08-27-2003 02:04 AM
Hi!
No, it isn't a joke, but the "dns" functionality in static is broken:
static (outside,inside) 192.168.2.0 192.168.1.0 dns netmask 255.255.255.0
Use
alias (inside) 192.168.2.0 192.168.1.0 255.255.255.0
instead. It works fine with and without IPSec. DNS A RRs in DNS replies are translated from 1.x to 2.x when the packet goes from outside to inside. It allows a real single-sided solution for overlapping networks and access to overlapping network resources via DNS names.
Regards,
Oleg Tipisov,
CCSI
REDCENTER,
Moscow
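The thread above describes what DNS A-record rewriting ("DNS doctoring") for an overlapping network should do, and what the poster saw instead: the reply for target (192.168.1.112) came back as 192.168.2.0, the network address, with the host bits dropped. The following Python script is an added example, not the poster's configuration and not Cisco code; it builds a constructed DNS reply for target.trn, then rewrites the A record twice, once with a netmask-aware mapping (what the alias command is reported to do) and once with a mapping that returns the network address (a model of the behaviour in the syslog above). The function names (doctor_address, rewrite_a_records, build_a_reply) and the transaction id are assumptions made for the example.

```python
"""Model of NAT DNS doctoring for overlapping networks (constructed example)."""
import ipaddress
import struct


def doctor_address(addr, real_net, mapped_net):
    """Netmask-aware translation: keep the host bits, swap the network part.
    192.168.1.112 in 192.168.1.0/24 -> 192.168.2.112 in 192.168.2.0/24."""
    real = ipaddress.ip_network(real_net)
    mapped = ipaddress.ip_network(mapped_net)
    ip = ipaddress.ip_address(addr)
    if ip not in real:
        return addr  # address is not covered by this translation
    host_bits = int(ip) - int(real.network_address)
    return str(mapped.network_address + host_bits)


def doctor_address_netmask_ignored(addr, real_net, mapped_net):
    """Model of the observed broken behaviour (assumption based on the syslog
    in the thread): every covered address becomes the mapped network address."""
    real = ipaddress.ip_network(real_net)
    mapped = ipaddress.ip_network(mapped_net)
    if ipaddress.ip_address(addr) not in real:
        return addr
    return str(mapped.network_address)


def build_a_reply(qname, addr, txid=0x1234):
    """Build a minimal DNS response: one question, one A answer (constructed)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    # Name as compression pointer to offset 12 (the question name), TTL 300, 4-byte RDATA.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answer


def _skip_name(buf, off):
    """Advance past a wire-format name (labels or a compression pointer)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer
            return off + 2
        off += 1 + length


def _a_record_offsets(packet):
    """Yield the RDATA offset of each A record in the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", packet, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(packet, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(packet, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", packet, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off
        off += rdlen


def rewrite_a_records(packet, translate):
    """Return a copy of the reply with every A RDATA passed through translate()."""
    out = bytearray(packet)
    for off in _a_record_offsets(packet):
        old = str(ipaddress.IPv4Address(bytes(out[off:off + 4])))
        out[off:off + 4] = ipaddress.IPv4Address(translate(old)).packed
    return bytes(out)


def extract_a_records(packet):
    """List the A addresses in the answer section of a reply."""
    return [str(ipaddress.IPv4Address(packet[off:off + 4])) for off in _a_record_offsets(packet)]


def demo():
    reply = build_a_reply("target.trn", "192.168.1.112")  # what the outside DNS server sends
    good = rewrite_a_records(reply, lambda a: doctor_address(a, "192.168.1.0/24", "192.168.2.0/24"))
    bad = rewrite_a_records(reply, lambda a: doctor_address_netmask_ignored(a, "192.168.1.0/24", "192.168.2.0/24"))
    return extract_a_records(reply), extract_a_records(good), extract_a_records(bad)


if __name__ == "__main__":
    original, netmask_aware, netmask_ignored = demo()
    print("server reply:   ", original)
    print("netmask-aware:  ", netmask_aware)   # the client can reach the host via the static
    print("netmask ignored:", netmask_ignored)  # network address, so the ICMP translation fails
```

The rewrite only touches 4-byte A RDATA inside the answer section and leaves the rest of the packet untouched, which is the minimum a NAT device has to do for this case; the buggy variant is included only to reproduce the 192.168.2.0 result from the thread, so that the two outputs can be compared side by side.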