03-24-2003 09:25 AM - edited 03-09-2019 02:38 AM
Hello,
NAT seems does not working on my pix.
I verified n-times my config. No issue :(
Please can anyone verify my config and tell what's wrong ? and thanks in advance.
I have a DSL modem (Siemens) working as default router (x.x.16.17)
here's the config (x and y are the same everywhere in the script)
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 7PmXr29jODRJ.eaI encrypted
passwd 7PmXr29jODRJ.eaI encrypted
hostname tita
domain-name any.net
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any
interface ethernet0 10baset
interface ethernet1 auto
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside x.y.16.18 255.255.255.248
ip address inside 192.168.22.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.22.5 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 x.y.16.19-x.y.16.21 netmask 255.255.255.248
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.y.16.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.22.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.22.5 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
username samir password .KnHwytEP2k92JAD encrypted privilege 15
terminal width 80
Cryptochecksum:abd0f7a4e9339ff5026a3c5c9234cfa1
03-24-2003 02:24 PM
Hi,
The only issue I may see is your global statement. You have a pool of IP's there but it's only like 6 addresses. So, after those six addresses are used no one else is going to get out. To fix that your going to have to put a PAT backup with one of your real address....something like this...
global (outside) 10 x.y.16.19
or
global (outside) 10 interface
Hope that helps...
03-25-2003 11:42 AM
Thank you all for you replies,
I'm sorry but this pix is making me crazy.
I added a PAT address in the global statement. No answer from any outside host, even the outside address.
I'm trying with only one host (192.168.22.5) my console.
The following may help you to help me:
- I'm quite sure my DSL modem is working fine, cause in the production site a router is instead of this pix and is working fine as a default route.
- I can ping all interfaces and hosts (inside and outside) from my pix.
- activating debugging as follows: debug icmp trace and logging buffered debugging i saw on my console everytime i ping to an external host the following:
(x.y.75.13 my isp's dns)
tita# 22: Outbound ICMP echo request (len 32 id 2 seq 20992) 192.168.22.5 > x.y.16.21 > x.y.75.13
23: Outbound ICMP echo request (len 32 id 2 seq 21248) 192.168.22.5 > x.y.16.21 > x.y.75.13
24: Outbound ICMP echo request (len 32 id 2 seq 21504) 192.168.22.5 > x.y.16.21 > x.y.75.13
25: Outbound ICMP echo request (len 32 id 2 seq 21760) 192.168.22.5 > x.y.16.21 > x.y.75.13
Thanks for the advise :)
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: