PIX 515E NAT problem

nicholas.hoelz
Level 1

I have a PIX 525E with IOS 6.3.

We've just recently installed a point-to-point T1 that is terminated with 2 Cisco 2610XM routers with VWIC-1MFT-T1 cards (IOS = 12.2).

The two networks at the remote end of the T1 connection can access all resources at the other end (corporate networks) with no problem. Remote nodes can even ping the inside interface of the PIX.

I have a nat (inside) 1 0.0.0.0 0.0.0.0 statement on the PIX to translate everything from the inside networks.

The problem is that the PIX is not applying NAT to the two new networks at the remote end of the T1.

Oddly enough, we have a 100Mb Native LAN WAN link to another remote office and I'm using the same logic there and it works just fine.

Anybody see this before and what did you do to fix it?

Thanks.

7 Replies

vitripat
Level 7

looks like following scenario:

internet--PIX-corp net-router(two networks)

Does the router have its default gateway pointing to the PIX inside interface IP? If the traffic from the two remote networks is directed towards the PIX, and there is no access-list on the inside network blocking the two remote networks, there shouldn't be any issue with creation of the translation.

The physical layout is:

Internet Router -> Pix -> Internal Core Router -> Router to Remote Networks.

There is no access-list that would block Internet traffic from the remote networks and the PIX is aware of the two remote networks.

The router connected to the corporate network uses the Internal Core Router as the default gateway.

Thanks again.

Internet Router
---------------
       |
       |
   ---------
      PIX
   ---------
       |
  Corp. Router
       |
Nw1------Remote Router------NW2

Assuming that gateway of remote router is the Corp. Router, and gateway of Corp. Router is PIX inside interface, if hosts from NW1 & NW2 send internet request, it should reach the PIX. Are there any logs/syslogs which show that traffic is reaching PIX and translation is failing?

Hi

If you run a debug on the inside interface of the PIX, can you see packets coming from the remote networks?

Is this the only NAT statement you have on your PIX firewall?

Jon

No entries in the syslog about NAT failure.

There aren't even any entries for "IP_ADDRESS accessed URL ...", but I know that the routing is working correctly because a host at the remote site can ping the inside interface of the PIX and vice versa. However, users in the remote networks cannot ping the PIX's DG (Internet router), but all users on the corporate networks can.

There are three NAT statements on the firewall:

nat (inside) 1 0.0.0.0 0.0.0.0

nat (inside) 0 access-list ACL1

nat (dmz) 0 access-list ACL2

Additionally, users in the affected remote networks are able to access resources in the DMZ so NAT'ing is working there as expected.

Could you give the output of these commands:

show ip

show route

show access-list

show access-group

show nat

show global

I found the problem while double checking the access-lists.

Typically I don't set up "any" rules, but I was pressed for time on this project and took the quick and easy way out and created a NoNat access-list entry for the two new networks with a destination of "any" instead of the specific network they need to get to through a VPN connection.

Thanks.
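To make the cause of the fix above concrete, here is an added example (not configuration from this thread, and not the poster's actual ACL) that models how PIX 6.3 chooses between the three nat statements listed earlier: `nat (inside) 0 access-list ACL1` (NAT exemption) is checked before `nat (inside) 1 0.0.0.0 0.0.0.0`, so a permit line in ACL1 with a destination of `any` silently swallows the remote networks' Internet-bound traffic. The corporate subnet, the two remote subnets, the VPN peer network and the Internet address are all assumptions chosen for illustration; the real addresses were never posted.

```python
"""Model of how PIX 6.3 picks a nat statement for a new inside flow.

Added example, not configuration from the thread. The subnets, the VPN
peer network and the ACL contents are assumptions chosen to mirror the
fix described above; the real addresses were never posted.
"""
import ipaddress

# Hypothetical: one corporate subnet, the two new remote subnets behind
# the T1, and the far side of the VPN that ACL1 is meant to exempt.
CORP_NET = "10.10.0.0 255.255.0.0"
REMOTE_NW1 = "10.50.1.0 255.255.255.0"
REMOTE_NW2 = "10.50.2.0 255.255.255.0"
VPN_PEER = "192.168.100.0 255.255.255.0"

# The shortcut described in the thread: the two new networks were
# exempted from NAT with a destination of "any".
ACL1_BROKEN = [
    f"access-list ACL1 permit ip {CORP_NET} {VPN_PEER}",
    f"access-list ACL1 permit ip {REMOTE_NW1} any",
    f"access-list ACL1 permit ip {REMOTE_NW2} any",
]

# The fix: exempt only traffic bound for the VPN peer network.
ACL1_FIXED = [
    f"access-list ACL1 permit ip {CORP_NET} {VPN_PEER}",
    f"access-list ACL1 permit ip {REMOTE_NW1} {VPN_PEER}",
    f"access-list ACL1 permit ip {REMOTE_NW2} {VPN_PEER}",
]

# Source range of "nat (inside) 1 0.0.0.0 0.0.0.0".
NAT1_SOURCE = ipaddress.ip_network("0.0.0.0/0")


def _take_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'NET MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX 6.3 ACLs use a netmask (not an IOS wildcard); ipaddress accepts it.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_pix_acl(lines):
    """Turn 'access-list NAME permit ip SRC DST' lines into (src, dst) networks."""
    rules = []
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "permit" or tok[3] != "ip":
            raise ValueError(f"unsupported line: {line}")
        src, rest = _take_addr(tok[4:])
        dst, rest = _take_addr(rest)
        if rest:
            raise ValueError(f"trailing tokens in: {line}")
        rules.append((src, dst))
    return rules


def nat_decision(src_ip, dst_ip, exempt_rules, nat1_source=NAT1_SOURCE):
    """Return which statement a new inside->outside flow hits.

    PIX 6.3 evaluates 'nat (inside) 0 access-list' (NAT exemption) before the
    regular 'nat (inside) 1 ...', so a matching exemption line wins even
    though nat 1 also covers the source address.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net in exempt_rules:
        if s in src_net and d in dst_net:
            return "nat 0 (exempt, sent untranslated)"
    if s in nat1_source:
        return "nat 1 (translated to the global pool)"
    return "no nat match"


# Constructed flows; 203.0.113.1 stands in for an Internet address.
FLOWS = {
    "NW1 -> Internet": ("10.50.1.10", "203.0.113.1"),
    "NW1 -> VPN peer": ("10.50.1.10", "192.168.100.5"),
    "Corp -> Internet": ("10.10.0.5", "203.0.113.1"),
}


def diagnose(acl_lines):
    """Map each constructed flow to the nat statement it would hit."""
    rules = parse_pix_acl(acl_lines)
    return {name: nat_decision(s, d, rules) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("broken ACL1", ACL1_BROKEN), ("fixed ACL1", ACL1_FIXED)):
        print(label)
        for flow, verdict in diagnose(acl).items():
            print(f"  {flow:16} {verdict}")
```

With the broken ACL, "NW1 -> Internet" lands on nat 0 and the packet leaves the outside interface with its private source address, which also explains why no translation ever appeared in the syslog and why the remote users could not reach the Internet router while VPN and DMZ access kept working. With the scoped ACL only the VPN-bound flow is exempted and Internet traffic falls through to nat 1 as intended.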
