436 Views | 0 Helpful | 6 Replies

NAT to Static on outside not working

koaps
Level 1

I'm trying to set up my PIX so that the traffic from the inside goes to the outside interface (being PNAT'd in the process), then connects to a statically mapped outside IP to a DMZ internal IP.

Like,

192.168.1.0(Inside network) -> 10.0.0.250(outside pat address)

10.0.0.10(static outside) -> 192.168.0.10(dmz internal address)

I can't seem to access 10.0.0.10 from 10.0.0.250. If I put my laptop into 10.0.0.0 I can access 10.0.0.10 fine (all my access list rules on the outside interface seem to be working fine).

I know this seems weird since normally you would just let the ASA do its thing and make global addresses in the DMZ, but for our networking needs we need to set up the traffic like I proposed.

Any help would be greatly appreciated.

6 Replies

jmia
Level 7

Hi Chris -

Have you got any syslog messages that you can provide when you try to build a connection from 10.0.0.250 to 10.0.0.10, please?

For logging do:

logging on

logging buffer debug

Try a connection, then do the command 'sh logg' and post the results, please.

Thanks - Jay.

I have the same problem; logging to syslog with 'logg trap debug' shows NOTHING!!!!

pd

mostiguy
Level 6

I don't think that will work - traffic won't go from the inside, to the outside, and then to the DMZ. Traffic cannot leave and re-enter the PIX outside interface.

You probably need to have the inside clients more directly access the DMZ.

In my limited learning experience, you do seem to be able to bounce packets off the outside interface. The exception appears to be if you try to contact yourself, when you get a 'Land Attack' denial. It's not clear why even that should happen, as the docs say the source and dest addresses and ports should match for that, and that doesn't happen often!!

OK, I -really- do have limited experience!! There is a chance that a router outside of my PIX is bouncing my packets back to my PIX, but I haven't managed to trace the route yet.

My comment about 'Land Attack' stands, however.

William

koaps
Level 1

This should work, there shouldn't be any reason why it doesn't outside of a config issue.

The inside goes to the outside, being PNAT'd in the process. Once in the outside network it should be able to access a static map that goes into the DMZ.

I'm accessing the DMZ via the server's public outside address from an outside PNAT address.

So as I can see it, there should be no reason this doesn't work.

Unless the PIX has an issue with the PNAT engine talking to the static one. The only other thing I can think of is a special access-list applied to the DMZ or inside interface to allow the return traffic.
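To make the two sides of this thread concrete, here is an added example configuration (not the original poster's config, and not from any reply above) for the approach mostiguy describes: instead of sending inside traffic out the outside interface and back in, present the DMZ server to the inside under the same public address it has on the outside. Addresses are the ones from the original question; interface names, security levels, the ACL name and the port 80 rule are assumptions, and the syntax is PIX 6.x-style (static/nat/global rather than ASA 8.3+ object NAT).

```cisco
! Added example, not the poster's configuration. Interface names and
! security levels are assumed; addresses come from the original question.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Inside hosts are PAT'd to 10.0.0.250 when they go to the outside.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 10.0.0.250

! DMZ server is reachable from the outside on its public address 10.0.0.10.
! The ACL name and the port are assumptions; use whatever the server offers.
static (dmz,outside) 10.0.0.10 192.168.0.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 10.0.0.10 eq 80
access-group outside_in in interface outside

! Inside -> DMZ directly, rather than bouncing off the outside interface:
! the same public address maps to the server from the inside as well, so
! inside clients use 10.0.0.10 exactly as outside clients do.
static (dmz,inside) 10.0.0.10 192.168.0.10 netmask 255.255.255.255

! Identity static so inside hosts keep their real addresses toward the DMZ;
! without some translation rule for the inside/dmz pair the PIX drops the
! connection with a "no translation group found" message.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
```

With this in place an inside host connects to 10.0.0.10 and the PIX delivers it to 192.168.0.10 on the DMZ without the flow ever touching the outside interface; the return traffic from the DMZ is matched against the existing connection, so no extra access-list on the dmz or inside interface is needed for it. The "show xlate" and "show conn" commands on the PIX show whether the translation and the connection were actually built, which is the quickest way to confirm the path before turning to the syslog output jmia asked for.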