04-26-2005 01:36 AM
Hi,
I have PIX 515e with OS 6.3(4) and I have one outside and two inside networks.
right now I have these settings (config excerpt):
...
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 half security50
...
access-list inside_access_in permit ip any any log interval 1
access-list half_access_in permit ip any any log interval 1
access-list outside_access_in permit ip any any log interval 1
...
global (outside) 10 interface
global (inside) 10 interface
global (half) 10 interface
nat (inside) 10 192.168.0.0 255.255.0.0 0 0
nat (half) 10 172.16.0.0 255.255.0.0 0 0
...
when I have this, I can access the internet from both sides, and I can access half from inside. But when I try to access inside from half it doesn't work (of course lower sec to higher). So I try to add this:
...
nat (half) 10 172.16.0.0 255.255.0.0 outside 0 0
...
but then I can't connect from inside to half anymore and I get "305005 No translation" error messages.
What do I do wrong? How can I have bi-directional PAT for the half interface?
04-26-2005 03:20 AM
I have never seen anyone using the command: global (inside) and it might not be required here either.
As you are using private ranges on inside & DMZ, there is no need to do nat between the two.
My suggestion would be to remove the global (inside) and global (half) commands.
Make an access-list describing what not-to-nat:
access-list nonat permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0
Activate it through: nat (inside) 0 access-list nonat
Then configure the same access-list in opposite direction for the dmz:
access-list half-in permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
permitting dmz-inside communication, activate it through: access-group half-in in interface DMZ (half in your case)
This should just about establish communication between dmz and inside. You may want to restrict access a bit by altering the ACLs to meet your demands.
Regards,
Leo
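Leo's suggestion assembled into a single PIX 6.3 config excerpt, as an added example that is not from either poster. The narrowed half-to-inside rules at the end are an assumed illustration of "restricting access a bit"; the thread itself does not specify which services to allow.

```cisco
! Remove the per-interface globals that were PATing inside<->half traffic
no global (inside) 10 interface
no global (half) 10 interface
! Keep Internet PAT on the outside interface for both internal networks
global (outside) 10 interface
nat (inside) 10 192.168.0.0 255.255.0.0 0 0
nat (half) 10 172.16.0.0 255.255.0.0 0 0
! NAT exemption: inside<->half traffic keeps its real addresses.
! nat 0 with an access-list is bidirectional, so one statement covers both directions.
access-list nonat permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list nonat
! Inbound ACL on half (security50) so it may initiate to inside (security100).
! Only the listed service reaches inside (port choice is an assumed illustration),
! everything else toward inside is dropped, and Internet-bound traffic stays allowed.
access-list half-in permit tcp 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0 eq 443
access-list half-in deny ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list half-in permit ip 172.16.0.0 255.255.0.0 any
! This replaces the earlier permit-any half_access_in binding on the half interface
access-group half-in in interface half
```

Check the result with "show xlate" after an inside-to-half connection: with the exemption in place no translation should be created for that pair, while Internet-bound connections still show PAT on the outside interface.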
04-26-2005 07:09 PM
I already tried this, but this just half solves the issue. When I do this, the half side sees the inside IPs as is (192. ...) and vice versa.
But I would prefer that they both get masqueraded, so servers on the half side see the IP from the interface of the PIX (172.16....) and not the 192... address (and vice versa).
If this is not possible, then I have to go with exemption NAT.
It's just that, at the moment, the old FW is still running, so all boxes have a different GW; if I use no-NAT rules, then most packets get routed to the wrong side and never come back to the sender.