09-29-2012 08:12 AM - edited 03-04-2019 05:42 PM
Running 7.x
I'm trying to set up NAT overloading (so all inside hosts can access the internet through one public IP) and also PAT entries for other public IP addresses.
PAT is working fine, but NAT is not. Was hoping someone could point me in the right direction.
Thanks
[code]
PIX Version 7.1(2)
!
hostname pixfirewall
domain-name default.domain.invalid
enable password <snip> encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 1.1.1.58 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.0.0.254 255.255.255.0
!
access-list acl_outbound extended permit tcp any any
access-list acl_outbound extended permit ip any any
access-list acl_outbound extended permit udp any any
access-list acl_outbound extended permit icmp any any
access-list 101 extended permit icmp any any
access-list 101 extended permit ip any any
access-list 101 extended permit tcp any any
access-list 101 extended permit udp any any
access-list INPUT_ACL extended permit ip any any
access-list INPUT_ACL extended permit icmp any any
access-list INPUT_ACL extended permit tcp any any
access-list acl_grp extended permit icmp any any
access-list OUTPUT_ACL extended permit ip any any
icmp permit any outside
icmp permit any inside
arp timeout 14400
global (outside) 1 interface
global (outside) 2 1.1.1.61
nat (inside) 2 10.0.0.102 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 1.1.1.58 www 10.0.0.100 www netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.58 https 10.0.0.100 https netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.58 6667 10.0.0.102 6667 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.58 ldap 10.0.0.102 ldap netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.58 ssh 10.0.0.102 ssh netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.58 509 10.0.0.100 509 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.58 902 10.0.0.100 902 netmask 255.255.255.255
static (inside,outside) 1.1.1.59 10.0.0.101 netmask 255.255.255.255
access-group INPUT_ACL in interface outside
access-group OUTPUT_ACL in interface inside
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 67.53.153.57 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
[/code]
09-29-2012 08:38 AM
Hi,
Can you get rid of these 2 lines:
global (outside) 2 1.1.1.61
nat (inside) 2 10.0.0.102 255.255.255.255
then initiate a connection from inside and post the output of sh xlate detail and sh conn detail.
Regards.
Alain
Don't forget to rate helpful posts.
09-29-2012 09:55 AM
Thanks, I tried pinging 8.8.8.8 from inside for this test
# sh conn detail
93 in use, 378 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,
E - outside back connection, F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
k - Skinny media, M - SMTP data, m - SIP media, O - outbound data,
P - inside back connection, q - SQL*Net data,
R - outside acknowledged FIN, R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up
ICMP outside:8.8.8.8/0 inside:10.0.0.102/29889
# sh xlate detail
9 in use, 16 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
r - portmap, s - static
NAT from inside:10.0.0.101 to outside:1.1.1.59 flags s
TCP PAT from inside:10.0.0.102/6667 to outside:1.1.1.58/6667 flags sr
TCP PAT from inside:10.0.0.102/389 to outside:1.1.1.58/389 flags sr
TCP PAT from inside:10.0.0.102/22 to outside:1.1.1.58/22 flags sr
NAT from inside:10.0.0.102 to outside:10.0.0.102 flags iI
Guessing the problem is with "NAT from inside:10.0.0.102 to outside:10.0.0.102 flags iI"; not sure how to resolve this, however, so that it uses outside:public-ip.
09-30-2012 11:37 AM
Would anyone happen to have a PIX 515 example config using NAT and PAT together?
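Added example, not from the original thread or from Cisco's documentation: a minimal PIX 7.x configuration that combines the three things the question asks for, using the addresses already in the posted config. Outbound traffic overloads the outside interface address (one global, one catch-all nat), inbound port statics share that same address, and one host keeps a one-to-one static. The inbound ACL is the deliberate change from the thread's INPUT_ACL: that list permits ip any any on the outside interface, which combined with the 1:1 static for 10.0.0.101 exposes every port on that host through 1.1.1.59. On 7.x the outside ACL matches the mapped (public) addresses, not the inside ones. The port 443 entry for 1.1.1.59 is an assumption standing in for whatever 10.0.0.101 actually publishes.

```text
! Outbound: every inside host overloads the outside interface address
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Inbound port forwards on the same interface address (PAT statics)
static (inside,outside) tcp 1.1.1.58 www 10.0.0.100 www netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.58 https 10.0.0.100 https netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.58 ssh 10.0.0.102 ssh netmask 255.255.255.255
!
! One-to-one static for a host that needs its own public address
static (inside,outside) 1.1.1.59 10.0.0.101 netmask 255.255.255.255
!
! Outside ACL lists only what the statics publish; on 7.x it matches the
! mapped (public) address. Port 443 on 1.1.1.59 is an assumed placeholder.
access-list INPUT_ACL extended permit tcp any host 1.1.1.58 eq www
access-list INPUT_ACL extended permit tcp any host 1.1.1.58 eq https
access-list INPUT_ACL extended permit tcp any host 1.1.1.58 eq ssh
access-list INPUT_ACL extended permit tcp any host 1.1.1.59 eq 443
access-group INPUT_ACL in interface outside
```

Two checks after applying something like this: run clear xlate, because translations built under the previous nat/global lines stay cached (the posted config has timeout xlate 3:00:00) and keep their old behaviour until they expire or are cleared; and confirm with sh xlate detail that the outbound entries for ordinary hosts show the interface address with dynamic flags rather than an identity (I) entry.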
09-30-2012 12:16 PM
Hi,
NAT from inside:10.0.0.102 to outside:10.0.0.102 flags iI
This means that it did identity NAT, which is simply no NAT, and so that's why your ping isn't working if you did it from 10.0.0.102.
Now, why did it do this? Normally you have to specify that the traffic shouldn't be NATted.
Is a ping from 10.0.0.101 working?
If it isn't, can you do a clear xlate and try again?
Could you also post the output of the following, to be sure of the NAT statements:
show run global
show run nat
Regards.
Alain
Don't forget to rate helpful posts.
09-30-2012 12:59 PM
clear xlate solved this, thanks a lot!
Both NAT and PAT are working now, with only the one global line.
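Added example, not code from the thread or from Cisco: a small Python checker for the situation the thread ended in. It parses the nat/global lines of the running config and the output of sh xlate detail (both in the formats pasted above), and reports identity translations (flag I) for inside hosts that the current configuration says should be using a global pool, i.e. entries built under an earlier NAT configuration, or under no matching nat rule at all (with nat-control off, the 7.x default, such a host passes untranslated), that survive until clear xlate or the xlate timeout. Assumptions: the sample config and xlate table below are constructed from the thread's own lines plus a hypothetical nat 0 host (10.0.0.200) to show an identity entry that is legitimate; the suggested fix uses the `clear xlate local <ip>` form, which on PIX/ASA 7.x drops only that host's translations instead of the whole table.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One translation line of 'show xlate detail', e.g.
#   TCP PAT from inside:10.0.0.102/22 to outside:1.1.1.58/22 flags sr
XLATE_RE = re.compile(
    r"^(?:(?P<proto>TCP|UDP|ICMP)\s+)?(?:NAT|PAT) from "
    r"(?P<lif>\w+):(?P<lip>[\d.]+)(?:/(?P<lport>\d+))? to "
    r"(?P<gif>\w+):(?P<gip>[\d.]+)(?:/(?P<gport>\d+))? flags (?P<flags>\w*)$"
)
NAT_RE = re.compile(r"^nat \((?P<ifc>\w+)\) (?P<id>\d+) (?P<net>[\d.]+) (?P<mask>[\d.]+)")
GLOBAL_RE = re.compile(r"^global \((?P<ifc>\w+)\) (?P<id>\d+) ")


@dataclass
class Xlate:
    proto: Optional[str]
    local_if: str
    local_ip: str
    local_port: Optional[int]
    global_if: str
    global_ip: str
    global_port: Optional[int]
    flags: str          # 's' static, 'r' portmap, 'i' dynamic, 'I' identity


@dataclass
class StaleXlate:
    local_ip: str
    nat_ids: List[int]  # nat statements covering the host that have a global pool
    fix: str            # command that drops the cached translation


def parse_xlates(text: str) -> List[Xlate]:
    """One Xlate per translation line; the counters and the flag legend are skipped."""
    out = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            out.append(Xlate(
                m["proto"], m["lif"], m["lip"], int(m["lport"]) if m["lport"] else None,
                m["gif"], m["gip"], int(m["gport"]) if m["gport"] else None, m["flags"]))
    return out


def parse_nat_rules(config: str) -> Tuple[dict, dict]:
    """nat id -> [(real interface, real network)], global id -> {mapped interfaces}."""
    nat: Dict[int, list] = {}
    pools: Dict[int, set] = {}
    for line in config.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
            nat.setdefault(int(m["id"]), []).append((m["ifc"], net))
        elif m := GLOBAL_RE.match(line):
            pools.setdefault(int(m["id"]), set()).add(m["ifc"])
    return nat, pools


def find_stale_identity_xlates(xlate_text: str, config: str) -> List[StaleXlate]:
    """Identity xlates for hosts the running nat/global config says must be translated."""
    nat, pools = parse_nat_rules(config)
    stale = []
    for x in parse_xlates(xlate_text):
        if "s" in x.flags or "I" not in x.flags:
            continue                         # statics and genuine dynamic xlates are fine
        host = ipaddress.ip_address(x.local_ip)
        covering = sorted(nid for nid, nets in nat.items()
                          if any(ifc == x.local_if and host in net for ifc, net in nets))
        if 0 in covering:
            continue                         # nat 0 asks for identity on purpose
        if any(x.global_if in pools.get(nid, set()) for nid in covering):
            stale.append(StaleXlate(x.local_ip, covering, f"clear xlate local {x.local_ip}"))
    return stale


# Constructed sample: the thread's config after the second global/nat pair was removed,
# plus a hypothetical 'nat 0' host (10.0.0.200) to show a legitimate identity entry.
SAMPLE_CONFIG = """\
global (outside) 1 interface
nat (inside) 0 10.0.0.200 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 1.1.1.59 10.0.0.101 netmask 255.255.255.255
"""
SAMPLE_XLATE = """\
9 in use, 16 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
NAT from inside:10.0.0.101 to outside:1.1.1.59 flags s
TCP PAT from inside:10.0.0.102/22 to outside:1.1.1.58/22 flags sr
NAT from inside:10.0.0.102 to outside:10.0.0.102 flags iI
NAT from inside:10.0.0.200 to outside:10.0.0.200 flags iI
"""

if __name__ == "__main__":
    for s in find_stale_identity_xlates(SAMPLE_XLATE, SAMPLE_CONFIG):
        print(f"{s.local_ip}: identity xlate, but nat {s.nat_ids} has a global pool -> {s.fix}")
```

Run against the sample it flags only 10.0.0.102: the static entries are skipped on their s flag, and 10.0.0.200 is skipped because a nat 0 statement covers it. The practical lesson from the thread is the same one this check encodes: a change to nat or global lines does not touch translations that already exist, so after editing them look at sh xlate detail and clear what predates the change rather than waiting for the xlate timeout (3 hours in the posted config).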