Pix firewall issue

lecarbajalp
Level 1

Hello,

I'm trying to configure some firewall rules and a NAT in our PIX 525, and I'm having some issues with the connection.

Here are the details:

172.40.40.40 is the destination host.

1. I configured an ACL:

ACL test 172.80.0.0 255.255.0.0 destination 172.40.40.40

ACL test 172.90.0.0 255.255.255.0 destination 172.40.40.40

inside interface IP 172.20.20.20

outside interface IP 192.169.1.2

interfaces inside and outside (ping and ICMP are allowed)

static (outside, inside) 172.40.40.40 172.40.40.40

nat (outside)  5 access-list test

global (inside) 5 interface

route inside 172.40.40.40 255.255.255.255 172.30.30.30

route outside 172.80.0.0 255.255.0.0 192.168.1.1

route outside 172.90.0.0 255.255.0.0 192.168.1.1

I'm trying to NAT the traffic coming from the outside interface because we want to avoid internal IP conflicts. I'm seeing the hits on the ACL,

but I cannot telnet from 172.80.0.1 to 172.40.40.40; there are routes and ports enabled for that connection,

and my flag logs show me SaAB from the destination host. What could be the problem?

We can ping between the destination host and the PIX inside interface, and ICMP is allowed on all the interfaces.

3 Replies

Julio Carvajal
VIP Alumni

Hello,

Here is what you need:

no static (outside, inside) 172.40.40.40 172.40.40.40

static (inside,outside) 172.40.40.40 172.40.40.40

nat (outside)  5 access-list test outside

Let me know how it goes. ALSO remember to rate all of the helpful posts :D

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
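To show the two corrections above in context, here is a consolidated PIX 6.3 outside-NAT fragment assembled from the configuration quoted in the question and the changes in the reply. It is an added illustration, not configuration posted by either participant: the access list `outside_in`, the `access-group` line and the `netmask` keyword are assumptions, while the `test` ACL, NAT, global and route lines are taken as quoted (including the 255.255.255.0 mask on 172.90.0.0). The point of the fix is direction: for outside NAT the identity `static` must be written from the inside host's interface toward outside, and the `nat (outside)` rule needs the trailing `outside` keyword, otherwise the outside-initiated SYN never gets a usable translation and the connection stays stuck in the handshake, which is consistent with the flags the poster sees.

```cisco
! Outside NAT on PIX 6.3: sources arriving on the outside interface
! (172.80.0.0/16 and 172.90.0.0 as quoted) are PAT'ed to the inside interface
! address before they reach the inside host 172.40.40.40.

! 1. Policy-NAT ACL selecting which outside sources are translated (as quoted)
access-list test permit ip 172.80.0.0 255.255.0.0 host 172.40.40.40
access-list test permit ip 172.90.0.0 255.255.255.0 host 172.40.40.40

! 2. The original static pointed the wrong way; remove it
no static (outside,inside) 172.40.40.40 172.40.40.40

! 3. Corrected identity static: the inside host keeps its real address as seen
!    from the outside interface (netmask keyword added here as an assumption)
static (inside,outside) 172.40.40.40 172.40.40.40 netmask 255.255.255.255

! 4. Outside NAT: the trailing "outside" keyword marks the rule as translating
!    outside-side sources; the matching global on the inside interface PATs
!    them to the inside interface address
nat (outside) 5 access-list test outside
global (inside) 5 interface

! 5. Permit only the telnet sessions the question describes, on the outside
!    interface (ACL name and access-group are assumptions, not from the thread)
access-list outside_in permit tcp 172.80.0.0 255.255.0.0 host 172.40.40.40 eq telnet
access-list outside_in permit tcp 172.90.0.0 255.255.255.0 host 172.40.40.40 eq telnet
access-group outside_in in interface outside

! 6. Routes as quoted in the question
route inside 172.40.40.40 255.255.255.255 172.30.30.30
route outside 172.80.0.0 255.255.0.0 192.168.1.1
route outside 172.90.0.0 255.255.0.0 192.168.1.1

! Verification after a telnet attempt from 172.80.0.1
show xlate
show conn
```

After the change, `show xlate` should list a PAT entry mapping 172.80.0.1 to the inside interface address, and `show conn` should show the telnet connection established (flag U) rather than sitting in the awaiting-ACK states the poster reported. If the xlate never appears, the `test` ACL or the `outside` keyword on the `nat (outside)` line is the first thing to re-check.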

Hello, thank you for your help, we will try to apply that command in our test.

About our test: the incoming connections from 172.90.0.0 are telnet sessions to 172.40.40.40.

So we are doing a PAT for those connections (172.90.0.0 PAT to 172.30.30.29). My question is: is that kind of scheme and configuration supported on the PIX Firewall?

Here is the version: PIX 525

Cisco PIX Firewall Version 6.3(5)

This is the path:

subnet 172.90.0.0/16 ---- MPLS ---- PIX [ACL TEST - PAT (172.30.30.29, inside interface)] -------- Destination HOST 172.40.40.40 port 25

Hello,

What you are doing is supported.

Change those things and provide me the result.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC