pix 506e static NAT help

Unanswered Question
Mar 5th, 2007

Hi.

I've configured a one-to-one static NAT on a PIX 506E. The design looks like this: internet --> Cisco 1841 --> PIX 506E. The 1841 LAN interface has 4 segments of public networks, and the PIX WAN interface uses one of these segments. I configured a static NAT on the PIX as: static (inside,outside) 2.75.15.227 192.10.7.88 netmask 255.255.255.255. If the public address belongs to the PIX WAN interface segment, the static NAT works well; if the public address does not belong to the PIX WAN interface segment, the static NAT can't be used: the local machine that has the real IP can't access the internet, but from the internet I can ping the mapped public address.

1841 config:

Router#show run
Building configuration...
version 12.4
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
username cisco privilege 15 secret xxx
!
!
!
interface FastEthernet0/0
ip address 169.x.64.x.255.255.252
speed 10
full-duplex
!
interface FastEthernet0/1
ip address 2.170.x.x.255.255.248 secondary
ip address 2.235.x.x.255.255.248 secondary
ip address 2.75.x.x.255.255.248 secondary
ip address 2.75.x.x.255.255.240
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 169.254.64.25
ip route 2.75.x.x.255.255.255 FastEthernet0/1
ip route 2.75.x.x.255.255.255 FastEthernet0/1
ip route 2.235.x.x.255.255.255 FastEthernet0/1
ip route 2.235.x.x.255.255.255 FastEthernet0/1
!
ip http server
ip http timeout-policy idle 60 life 86400 requests 10000
!
control-plane

-----------------------------------------

PIX config:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx
......
names
access-list 110 permit ip any any
access-list 110 permit tcp any any
access-list 111 deny ip 192.10.7.0 255.255.255.0 2.170.130.16 255.255.255.248
access-list 111 deny ip 192.10.7.0 255.255.255.0 2.75.15.224 255.255.255.240
access-list 111 deny ip 192.10.7.0 255.255.255.0 2.75.18.96 255.255.255.248
access-list 111 deny ip 192.10.7.0 255.255.255.0 2.235.57.8 255.255.255.248
access-list 111 permit ip any any
pager lines 24
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside 2.75.x.x.255.255.0
ip address inside 192.10.7.254 255.255.255.0
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 access-list 111 0 0
alias (inside) 192.10.7.246 2.75.15.230 255.255.255.255
alias (inside) 192.10.7.8 2.75.15.228 255.255.255.255
static (inside,outside) 2.x.130.18 192.10.7.207 netmask 255.255.255.255 0 0
static (inside,outside) 2.170.130.20 192.10.7.208 netmask 255.255.255.255 0 0
static (inside,outside) 2.170.130.21 192.10.7.206 netmask 255.255.255.255 0 0
static (inside,outside) 2.75.15.227 192.10.7.88 netmask 255.255.255.255 0 0
#---------------------- this command can't work; if I change the mapped public address to 2.75.18.99, then it is OK
static (inside,outside) 2.75.15.228 192.10.7.8 netmask 255.255.255.255 0 0
static (inside,outside) 2.75.15.229 192.10.7.7 netmask 255.255.255.255 0 0
static (inside,outside) 2.75.15.230 192.10.7.246 netmask 255.255.255.255 0 0
access-group 110 in interface outside
access-group 110 in interface inside
route outside 0.0.0.0 0.0.0.0 2.75.18.98 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
: end

kaachary Mon, 03/05/2007 - 15:45

If you are able to ping the public IP from the Internet, then the Internet access for the host should also work.

Could be a DNS issue. Try pinging 4.2.2.2 from the host .

-Kanishka

nianqing212 Tue, 03/06/2007 - 07:54

When I ping 4.2.2.2 it also times out.

I've asked a Cisco engineer at the Cisco PHO website. He told me the mapped IP address must belong to the same segment as its WAN interface IP address.

vitripat Tue, 03/06/2007 - 08:22

It's not necessary. If your mapped IP address is not in the same subnet as the outside network, all you need is a "route" on the outside router, routing traffic for the mapped IP/network to the outside interface IP of the PIX. If that is in place, you need to make sure that:

- the mapped IP address is not in use anywhere else.

- clear the ARP cache on the outside router.

- try pinging the mapped IP address from the router with ICMP debugs enabled on the PIX. This will show if the router is routing the packets correctly.

- verify with your ISP that the mapped IP addresses are registered for use by you and are routable accordingly.

Regards,

Vibhor.
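The check Vibhor describes (is the mapped address inside the PIX outside subnet or not, and if not, which host route the upstream router needs pointing at the PIX outside IP) can be scripted. The following is an added example written for this thread; it is not Cisco code and not from either poster. The static mappings and the 2.75.18.96/29 outside segment are taken from the PIX config above; the PIX outside interface address 2.75.18.97 is an assumed placeholder, since the real one is masked in the post.

```python
"""
Classify PIX static NAT mappings against the outside interface subnet and
emit the IOS host routes an off-subnet mapped address needs on the upstream
router. Added example for the forum thread; not Cisco code.
"""
import ipaddress
from typing import Dict, List, Tuple

# (mapped public IP, real inside IP) pairs copied from the PIX config in the thread
STATICS: List[Tuple[str, str]] = [
    ("2.170.130.20", "192.10.7.208"),
    ("2.170.130.21", "192.10.7.206"),
    ("2.75.15.227", "192.10.7.88"),   # the mapping the poster says does not work
    ("2.75.15.228", "192.10.7.8"),
    ("2.75.15.229", "192.10.7.7"),
    ("2.75.15.230", "192.10.7.246"),
]

# ASSUMED placeholder for the PIX outside address (masked in the post). The /29
# is taken from access-list 111 and the default gateway 2.75.18.98 in the thread.
PIX_OUTSIDE_IF = ipaddress.ip_interface("2.75.18.97/29")

# Addresses already in use on the outside segment that a mapping must not reuse:
# the PIX default gateway from the thread's "route outside" line.
RESERVED = {"2.75.18.98"}


def classify_static(mapped: str, outside_if=PIX_OUTSIDE_IF) -> str:
    """'on-subnet' if the mapped IP lies in the outside interface network
    (the neighbour can resolve it by ARP on the shared segment), otherwise
    'off-subnet' (the upstream router needs a route towards the PIX)."""
    addr = ipaddress.ip_address(mapped)
    return "on-subnet" if addr in outside_if.network else "off-subnet"


def upstream_routes(statics=STATICS, outside_if=PIX_OUTSIDE_IF) -> List[str]:
    """IOS host routes pointing each off-subnet mapped address at the PIX
    outside interface IP, as the reply above recommends."""
    lines = []
    for mapped, _real in statics:
        if classify_static(mapped, outside_if) == "off-subnet":
            lines.append(f"ip route {mapped} 255.255.255.255 {outside_if.ip}")
    return lines


def mapped_conflicts(statics=STATICS, outside_if=PIX_OUTSIDE_IF,
                     reserved=RESERVED) -> List[str]:
    """Mapped addresses used by more than one static, or colliding with the
    PIX outside address or a reserved neighbour address ('not in use
    anywhere else' in the reply above)."""
    counts: Dict[str, int] = {}
    for mapped, _real in statics:
        counts[mapped] = counts.get(mapped, 0) + 1
    conflicts = [m for m, n in counts.items() if n > 1]
    taken = set(reserved) | {str(outside_if.ip)}
    conflicts += [m for m in counts if m in taken and m not in conflicts]
    return sorted(conflicts)


if __name__ == "__main__":
    for mapped, real in STATICS:
        print(f"{mapped:>14} -> {real:<14} {classify_static(mapped)}")
    print("\nRoutes needed on the upstream router:")
    print("\n".join(upstream_routes()))
    print("\nConflicting mapped addresses:", mapped_conflicts() or "none")
```

Running it shows every mapping in the thread except a 2.75.18.x one as off-subnet relative to the PIX outside /29, which is exactly the case where the upstream router's routing table (not the PIX static itself) decides whether return traffic reaches the PIX.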

nianqing212 Wed, 03/07/2007 - 01:53

The PIX's neighbor is the Cisco 1841; it has four subnets, and one of them is in the same subnet as the PIX mapped IP address, so I think the "route" is not necessary.

So the reason is something else; the error is not related to the PIX and router config, is it?
