PIX 6.3.5 and NAT Fedora Core 4

sahong
Level 1

Hi,

We are trying to NAT a new Linux box (running Fedora Release 4) and getting odd results. We cannot access the box via NAT unless our source address is one from the same network as the outside interface. We thought it was a problem with SELinux and the built-in firewall, but we reinstalled the software with both disabled and the problem got worse. You have to be on the same subnet as the outside interface and the only account that works is "root". I realize this does not sound like a PIX issue, but any insight would help.

TIA,

Sam


sahong
Level 1

Sorry about all the typos.

jackko
Level 7

internet <--> pix <--> linux

assuming the simplified topology is accurate, and the issue is that there is no inbound access to the linux box.

firstly, compare the current pix config with the sample below:

static (inside,outside) tcp interface netmask 255.255.255.255

access-list inbound permit any interface outside eq

access-group inbound in interface outside; or

static (inside,outside) netmask 255.255.255.255

access-list inbound permit any host eq

access-group inbound in interface outside

to verify the nat, do "sh xlate | in ".

to verify the acl, do "sh access-l inbound".

Thanks, found the problem to be a problem on the ISP choke router.

it's good to learn that your issue has been resolved. please feel free to discuss any other issue you've got.
