Re: Please help (NAT issue)

antinea · ‎03-24-2003

Hello,

NAT seems does not working on my pix.

I verified n-times my config. No issue :(

Please can anyone verify my config and tell what's wrong ? and thanks in advance.

I have a DSL modem (Siemens) working as default router (x.x.16.17)

here's the config (x and y are the same everywhere in the script)

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 7PmXr29jODRJ.eaI encrypted

passwd 7PmXr29jODRJ.eaI encrypted

hostname tita

domain-name any.net

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list inside_access_in permit icmp any any

access-list inside_access_in permit ip any any

access-list outside_access_in permit icmp any any

interface ethernet0 10baset

interface ethernet1 auto

icmp permit any outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside x.y.16.18 255.255.255.248

ip address inside 192.168.22.2 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.22.5 255.255.255.255 inside

pdm history enable

arp timeout 14400

global (outside) 10 x.y.16.19-x.y.16.21 netmask 255.255.255.248

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 x.y.16.17 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.22.5 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet 192.168.22.5 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

username samir password .KnHwytEP2k92JAD encrypted privilege 15

terminal width 80

Cryptochecksum:abd0f7a4e9339ff5026a3c5c9234cfa1

mike-greene · ‎03-24-2003

Hi,

The only issue I may see is your global statement. You have a pool of IP's there but it's only like 6 addresses. So, after those six addresses are used no one else is going to get out. To fix that your going to have to put a PAT backup with one of your real address....something like this...

global (outside) 10 x.y.16.19

or

global (outside) 10 interface

Hope that helps...

antinea · ‎03-25-2003

Thank you all for you replies,

I'm sorry but this pix is making me crazy.

I added a PAT address in the global statement. No answer from any outside host, even the outside address.

I'm trying with only one host (192.168.22.5) my console.

The following may help you to help me:

- I'm quite sure my DSL modem is working fine, cause in the production site a router is instead of this pix and is working fine as a default route.

- I can ping all interfaces and hosts (inside and outside) from my pix.

- activating debugging as follows: debug icmp trace and logging buffered debugging i saw on my console everytime i ping to an external host the following:

(x.y.75.13 my isp's dns)

tita# 22: Outbound ICMP echo request (len 32 id 2 seq 20992) 192.168.22.5 > x.y.16.21 > x.y.75.13

23: Outbound ICMP echo request (len 32 id 2 seq 21248) 192.168.22.5 > x.y.16.21 > x.y.75.13

24: Outbound ICMP echo request (len 32 id 2 seq 21504) 192.168.22.5 > x.y.16.21 > x.y.75.13

25: Outbound ICMP echo request (len 32 id 2 seq 21760) 192.168.22.5 > x.y.16.21 > x.y.75.13

Thanks for the advise :)