08-18-2010 07:43 AM - edited 03-11-2019 11:27 AM
I am having problems connecting to my webpage (NAT) after setting up VLANing of my network. I have a PIX515 that is connected to a 4507 switch. I have everything VLANed off at the 4507 and divided off into 10.20.0.0/20 subnets. 10.20.0.0 - 10.20.15.255 is the original network that was first broken down, and everyone was placed there for the big division and everything was working fine. But now only 10.20.0.0 - 10.20.15.255 can connect. All the other subnets can get to the internet and do work as normal except get to the NAT.
I have a VLAN 10.10.10.0/24 that was running with the original VLAN and was able to connect to the NAT. When all the other subnets were unable to connect I tried to remove global (DMZ) 1 192.168.254.254 and replace with global (DMZ) 1 192.168.254.100 - 192.168.254.200 netmask 255.255.255.0. That did not work and blocked me from accessing NAT. I placed global (DMZ) 1 192.168.254.254 back in and I still am unable to connect from my own subnet. Again everything is working except NAT connections.
Is there something special I need to do since the VLAN router is behind the firewall? I have been working on this for several days and am stumped.
Firewall route table
outside 0.0.0.0 0.0.0.0 10.20.1.1 1 OTHER static
inside 10.20.0.0 255.255.240.0 10.20.5.254 1 CONNECT static
inside 10.20.0.0 255.255.0.0 10.20.2.1 1 OTHER static
outside 10.20.1.0 255.255.255.0 10.20.1.2 1 CONNECT static
inside 10.10.10.0 255.255.255.0 10.20.2.1 1 OTHER static
DMZ 192.168.254.0 255.255.255.0 192.168.254.1 1 CONNECT static
ip address outside 10.20.1.2 255.255.255.0
ip address inside 10.20.5.254 255.255.240.0
ip address DMZ 192.168.254.1 255.255.255.0
global (outside) 1 10.20.2.2-10.20.2.254 netmask 255.255.255.0
global (outside) 1 10.20.3.2-10.20.3.254 netmask 255.255.255.0
global (outside) 1 10.20.4.2-10.20.4.254 netmask 255.255.255.0
global (outside) 1 10.20.5.2-10.20.5.254 netmask 255.255.255.0
global (outside) 1 interface
global (outside) 7 webmail
global (DMZ) 1 192.168.254.254
nat (inside) 7 exchange 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 1 192.168.254.0 255.255.255.0 0 0
4507 routes
Gateway of last resort is 10.20.5.254 to network 0.0.0.0
C 192.168.192.0/24 is directly connected, Vlan193
C 192.168.208.0/24 is directly connected, Vlan209
C 192.168.128.0/24 is directly connected, Vlan129
C 192.168.247.0/24 is directly connected, Vlan247
C 192.168.144.0/24 is directly connected, Vlan145
C 192.168.10.0/24 is directly connected, Vlan11
C 192.168.160.0/24 is directly connected, Vlan161
10.0.0.0/8 is variably subnetted, 13 subnets, 2 masks
C 10.20.32.0/20 is directly connected, Vlan32
C 10.20.0.0/20 is directly connected, Vlan10
C 10.20.64.0/20 is directly connected, Vlan64
C 10.20.160.0/20 is directly connected, Vlan160
C 10.20.176.0/20 is directly connected, Vlan176
C 10.10.10.0/24 is directly connected, Vlan55
C 10.20.128.0/20 is directly connected, Vlan128
C 10.20.144.0/20 is directly connected, Vlan144
C 10.20.192.0/20 is directly connected, Vlan192
C 10.20.208.0/20 is directly connected, Vlan208
C 192.168.34.0/24 is directly connected, Vlan1
C 192.168.32.0/24 is directly connected, Vlan33
192.168.252.0/30 is subnetted, 1 subnets
C 192.168.252.4 is directly connected, FastEthernet5/48
S* 0.0.0.0/0 [1/0] via 10.20.5.254
192.168.x.x/24 are the network management devices.
08-18-2010 10:19 AM
Can you provide the full configuration from both the PIX and the switch?
What version is your PIX running?
When you failed to connect to the web server in the DMZ network from inside, what log message did you see?