PIX 515e with two internal networks; PAT problems

gullevek1
Level 1

Hi,

I have a PIX 515e with OS 6.3(4) and I have one outside and two inside networks.

Right now I have these settings (config excerpt):

...

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 half security50

...

access-list inside_access_in permit ip any any log interval 1

access-list half_access_in permit ip any any log interval 1

access-list outside_access_in permit ip any any log interval 1

...

global (outside) 10 interface

global (inside) 10 interface

global (half) 10 interface

nat (inside) 10 192.168.0.0 255.255.0.0 0 0

nat (half) 10 172.16.0.0 255.255.0.0 0 0

...

When I have this, I can access the internet from both sides, and I can access half from inside. But when I try to access inside from half it doesn't work (of course, lower sec to higher). So I tried to add this:

...

nat (half) 10 172.16.0.0 255.255.0.0 outside 0 0

...

but then I can't connect from inside to half anymore and I get "305005 No translation" error messages.

What am I doing wrong? How can I have bi-directional PAT for the half interface?

2 Replies

lgijssel
Level 9

I have never seen anyone using the command: global (inside) and it might not be required here either.

As you are using private ranges on inside & DMZ, there is no need to do nat between the two.

My suggestion would be to remove the global (inside) and global (half) commands.

Make an access-list describing what not-to-nat:

access-list nonat permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0

Activate it through: nat (inside) 0 access-list nonat

Then configure the same access-list in opposite direction for the dmz:

access-list half-in permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0

permitting dmz-inside communication, activate it through: access-group half-in in interface DMZ (half in your case)

This should about establish communication between DMZ and inside. You may want to restrict access a bit by altering the ACLs to meet your demands.

Regards,

Leo
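To make the decision order behind Leo's suggestion concrete (and to contrast it with the original poster's set-up with a global on every interface), here is a small Python model added as an illustration. It is not code from the thread and not Cisco's NAT engine; it only reproduces the order the thread relies on: inbound ACL check for lower-to-higher security traffic, then the `nat 0 access-list` exemption, then a `nat`/`global` pair with the same id. The interface addresses, the demo hosts, and the assumption that the original set-up had no permit ACL applied on half are constructed for the example.

```python
"""Simplified model of PIX 6.3 NAT decisions for the two designs in this thread.
Added illustration only: not PIX code, not Cisco's implementation."""
from ipaddress import ip_address, ip_network

SECURITY = {"outside": 0, "inside": 100, "half": 50}       # from the nameif lines
LOCAL_NETS = {"inside": ip_network("192.168.0.0/16"),      # nat (inside) 10 ...
              "half": ip_network("172.16.0.0/16")}         # nat (half) 10 ...

# Constructed interface addresses; 'global (x) 10 interface' PATs to these.
IFACE_IP = {"outside": ip_address("203.0.113.2"),
            "inside": ip_address("192.168.1.1"),
            "half": ip_address("172.16.1.1")}

# Reply's design: nonat ACL (inside<->half) and the inbound ACL applied on half.
NONAT = [(LOCAL_NETS["inside"], LOCAL_NETS["half"]),
         (LOCAL_NETS["half"], LOCAL_NETS["inside"])]
INBOUND_ACL = {"half": [(LOCAL_NETS["half"], LOCAL_NETS["inside"])]}
GLOBALS_REPLY = {"outside"}                 # global (inside)/(half) removed

# Original poster's set-up: a global 10 on every interface, no exemption ACL.
GLOBALS_ORIG = {"outside", "inside", "half"}


def acl_permits(acl, src, dst):
    return any(src in s_net and dst in d_net for s_net, d_net in acl)


def egress_interface(dst):
    """Interface a destination is routed out of: a local net, else outside."""
    for name, net in LOCAL_NETS.items():
        if dst in net:
            return name
    return "outside"


def translate(ingress, src, dst, *, nonat=NONAT, inbound_acl=INBOUND_ACL,
              globals_=GLOBALS_REPLY):
    """Return (verdict, source address the destination sees) for one flow."""
    src, dst = ip_address(src), ip_address(dst)
    egress = egress_interface(dst)
    # 1. Lower-to-higher security traffic needs a permit in the ingress ACL.
    if SECURITY[ingress] < SECURITY[egress] and \
            not acl_permits(inbound_acl.get(ingress, []), src, dst):
        return ("denied: no inbound ACL permit", None)
    # 2. 'nat (if) 0 access-list' exemption is checked before any nat/global pair.
    if acl_permits(nonat, src, dst):
        return ("exempt: no translation", str(src))
    # 3. 'nat (ingress) 10' paired with 'global (egress) 10 interface' -> PAT.
    if ingress in LOCAL_NETS and src in LOCAL_NETS[ingress] and egress in globals_:
        return ("pat", str(IFACE_IP[egress]))
    # 4. No global with id 10 on the egress interface: the PIX logs 305005.
    return ("dropped: 305005 No translation", None)


if __name__ == "__main__":
    flows = [("inside", "192.168.5.5", "172.16.2.2"),   # inside -> half
             ("half", "172.16.2.2", "192.168.5.5"),     # half -> inside
             ("inside", "192.168.5.5", "198.51.100.7"), # inside -> internet
             ("half", "172.16.2.2", "198.51.100.7")]    # half -> internet
    for flow in flows:
        print(flow, "| reply design:", translate(*flow),
              "| original (no permit ACL on half assumed):",
              translate(*flow, nonat=[], inbound_acl={}, globals_=GLOBALS_ORIG))
```

The model shows why Leo's two steps belong together: dropping `global (inside)` and `global (half)` without the `nat 0 access-list` exemption leaves inside-to-half traffic with no matching global on the egress interface, which is exactly the 305005 condition the original poster reported.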

I already tried this, but this only half solves the issue. When I do this, the half side sees the inside IPs as is (192. ...) and vice versa.

But I would prefer that they both get masqueraded, so servers on the half side see the IP of the interface of the PIX (172.16....) and not the 192... address (and vice versa).

If this is not possible, then I have to go with exemption NAT.

It's just that, at the moment, the old FW is still running, so all boxes have a different GW; if I use no NAT rules, then most packages get routed to the wrong side and never come back to the sender.