PIX Outside NAT and Overlapping networks - one more BUG

ovt
Level 4

Hi!

I have a simple test network with overlapping address spaces and want to solve the problem with PIX NAT on a single PIX firewall.

PIX inside = 192.168.1.0/24

PIX outside = 172.16.1.0/24

and the config is:

route outside 0.0.0.0 0.0.0.0 172.16.1.2 1

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

static (inside,outside) 172.16.1.10 192.168.1.4 netmask 255.255.255.255

static (outside,inside) 192.168.2.0 192.168.1.0 dns netmask 255.255.255.0

route outside 192.168.1.112 255.255.255.255 172.16.1.2

(See my previous post on this route.)

The overlapping network 192.168.1.0/24 is behind a router 172.16.1.2.

Now I'm trying to ping a host on the overlapping network by its name from the inside network. The DNS server is on the outside and has RR: "target IN A 192.168.1.112". Note the "dns" option in the static:

static (outside,inside) 192.168.2.0 192.168.1.0 dns netmask 255.255.255.0

ping target

The result is surprising:

305009: Built static translation from inside:192.168.1.4 to outside:172.16.1.10

302015: Built outbound UDP connection 48 for outside:172.16.1.254/53 (172.16.1.254/53) to inside:192.168.1.4/50413 (172.16.1.10/50413)

302016: Teardown UDP connection 48 for outside:172.16.1.254/53 to inside:192.168.1.4/50413 duration 0:00:01 bytes 127

305006: Dst IP is network/broadcast IP, translation creation failed for icmp src inside:192.168.1.4 dst outside:192.168.2.0 (type 8, code 0)

Hmm... What is it?

show hosts (on a client 192.168.1.4):

target.trn ... IP 192.168.2.0

Surprise! The DNS payload translation works, but the PIX allocates the network address from the static pool (it ignores the netmask)!

AGAIN: IS THIS A JOKE OF PIX DEVELOPERS, OR WHAT???

The question: how to solve this problem?

Regards,

Oleg Tipisov,

CCSI

REDCENTER,

Moscow

1 Reply

ovt
Level 4

Hi!

No, it isn't a joke, but the "dns" functionality in static is broken:

static (outside,inside) 192.168.2.0 192.168.1.0 dns netmask 255.255.255.0

Use

alias (inside) 192.168.2.0 192.168.1.0 255.255.255.0

instead. It works fine with and without IPSec. DNS A RRs in DNS replies are translated from 1.x to 2.x when the packet goes from outside to inside. It allows a real single-sided solution for overlapping networks and access to resources on the overlapping network via DNS names.

Regards,

Oleg Tipisov,

CCSI

REDCENTER,

Moscow
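To make the expected behaviour concrete, here is an added example (written for this page; it is not Oleg's config and not Cisco PIX code) that models in Python what the alias rewrite is supposed to do to a DNS reply crossing from outside to inside. It uses the thread's own addresses: the real overlapping network 192.168.1.0/24 and the mapped range 192.168.2.0/24. The DNS response it feeds in is constructed inline, not a capture. The point to check against the thread: a /24 mapping must preserve the host bits, so the A record for target (192.168.1.112) should come back to the inside client as 192.168.2.112, whereas the static with the dns keyword handed the client the network address 192.168.2.0, which is why the ping then failed with 305006.

```python
import ipaddress
import struct

# Addresses from the thread: the overlapping network really lives at
# 192.168.1.0/24 behind the outside router; inside hosts reach it as
# 192.168.2.0/24 (the mapped range used in the static/alias commands).
REAL_NET = ipaddress.ip_network("192.168.1.0/24")
MAPPED_NET = ipaddress.ip_network("192.168.2.0/24")

TYPE_A = 1


def translate_addr(addr, real_net=REAL_NET, mapped_net=MAPPED_NET):
    """Map a real address into the mapped range, keeping the host bits.

    For a /24 mapping 192.168.1.112 -> 192.168.2.112.  Returns None when
    addr is not inside real_net, so unrelated answers are left untouched.
    """
    ip = ipaddress.ip_address(addr)
    if ip not in real_net:
        return None
    host = int(ip) - int(real_net.network_address)
    return ipaddress.ip_address(int(mapped_net.network_address) + host)


def _encode_name(name):
    """Wire-encode a dotted name as DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_a_reply(name, addr, txid=0x1234):
    """Construct a minimal DNS response with one question and one A RR.

    This is test data built for the example, not a captured packet.
    """
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD/RA
    question = _encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    # Answer name is a compression pointer back to the question name (offset 12).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4)
    answer += ipaddress.ip_address(addr).packed
    return header + question + answer


def _skip_name(msg, off):
    """Advance past a DNS name (labels or a compression pointer) at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # two-byte compression pointer
            return off + 2
        off += 1 + length


def _answer_rdata(msg):
    """Yield (rdata_offset, rtype, rdlen) for every RR in the answer section."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:               # only responses carry answers to rewrite
        return
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield off, rtype, rdlen
        off += rdlen


def a_records(msg):
    """List the A-record addresses in the answer section as strings."""
    return [str(ipaddress.ip_address(bytes(msg[off:off + 4])))
            for off, rtype, rdlen in _answer_rdata(msg)
            if rtype == TYPE_A and rdlen == 4]


def doctor_dns_reply(msg, real_net=REAL_NET, mapped_net=MAPPED_NET):
    """Rewrite A RRs from real_net to mapped_net, as the alias command does
    for replies going outside -> inside.  Returns (new_msg, [(old, new), ...]).
    Only the 4-byte rdata changes, so the message length and all name
    compression offsets stay valid.
    """
    out = bytearray(msg)
    changes = []
    for off, rtype, rdlen in _answer_rdata(msg):
        if rtype != TYPE_A or rdlen != 4:
            continue
        old = ipaddress.ip_address(bytes(msg[off:off + 4]))
        new = translate_addr(old, real_net, mapped_net)
        if new is not None:
            out[off:off + 4] = new.packed
            changes.append((str(old), str(new)))
    return bytes(out), changes


if __name__ == "__main__":
    reply = build_a_reply("target.trn", "192.168.1.112")
    fixed, changes = doctor_dns_reply(reply)
    print(changes)           # [('192.168.1.112', '192.168.2.112')]
    print(a_records(fixed))  # ['192.168.2.112']
```

The same translate_addr with a /32 mapping reproduces the host static from the first post (192.168.1.4 to 172.16.1.10). When verifying a box, compare the address a client gets from "show hosts" (or nslookup) with the host-preserving value: if it equals the network address of the mapped range, the rewrite is dropping the host bits exactly as Oleg observed.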
