PIX 515E not allowing NAT translations on local public subnet

abolis
Level 1

Hello, I'm in the process of closing a big hole my predecessor left for me. I maintain a small school district's network that also provides Internet access to our local police. The initial setup was this:

Cisco 2800 Router (provided by ISP, non-configurable) as x.x.x.254 on our Class C.

--connected to--

SOHO hub (don't ask)

--connected to--

Two things: the outside interface (x.x.x.250) of the PIX, which links to the primary VLAN (10.1.0.0/16) on the inside interface, and a VLAN that the police were already hooked up to (10.7.0.0/16). Already the hole is evident; there's a complete bypass of the PIX available to anyone who can see it.

My first change was to remove the SOHO hub. I created another VLAN for the PIX, 2800, and the police dept. Now my problem stems from the police dept.'s need to get to webmail, as we provide their email accounts as well. The webmail system sits inside the PIX, with a static map between its private IP and public IP (x.x.x.4), and the necessary ACLs to allow traffic in over port 80. The police dept.'s router/VPN box (x.x.x.100) sits in the same VLAN, subnet, etc., and can see the ISP's router with no problems, gets any Internet traffic they want, and the VPN tunnels are up and running. DNS resolves appropriately, but their systems will NOT go to ANY of my static NAT mappings. x.x.x.3, .4, .5, and .8 are all valid IPs used by the PIX to route traffic in, and from anywhere but the police dept., they work. There is no mention of x.x.x.100 in any of the PIX config, not in the global mappings for dynamic access, not in ACLs.

PIX config attached.

3 Replies

didyap
Level 6

NAT translation does not take place until after the interface ACL is evaluated.

Note, though, that the ACLs for crypto maps are evaluated after NAT, or at least that's true for outgoing NAT.

If you want to know more please click following URL:

http://www.cisco.com/application/pdf/en/us/guest/products/ps6734/c2001/ccmigration_09186a00807d2758.pdf

OK. I understand now that NAT translations happen after ACLs are passed. That still does not resolve the issue. If I type the public IP address of my webmail server (x.x.x.4) from my home computer (y.y.y.180), I get to my webmail server. If I attach a system to the same subnet as the outside address of the PIX (the PIX is x.x.x.250, the test system is x.x.x.252) and attempt to access the webmail system (x.x.x.4), it times out. I put a static route in my test system for x.x.x.4, rebooted, no luck. I tested another address (x.x.x.5, my webserver) without said static route, no luck. I tried adding an ACL to the PIX to allow ALL ip traffic from the test system (x.x.x.252), still no luck. Any other thoughts?
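The static-plus-ACL arrangement the thread is arguing about, written out as an added example in PIX 6.x syntax. This is not the attached config and not any poster's text: the inside address 10.1.0.4 for the webmail host, the ACL name outside_in, the interface names and the /24 mask on the outside segment are assumptions, and x.x.x stands for the masked public prefix used above.

```cisco
! Added example, not the thread's attached config. x.x.x = masked public /24.
! Assumed: webmail host is 10.1.0.4 on the inside; outside_in is an arbitrary ACL name.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside x.x.x.250 255.255.255.0
ip address inside 10.1.0.1 255.255.0.0

! One-to-one static: the webmail host is reachable from outside as x.x.x.4.
static (inside,outside) x.x.x.4 10.1.0.4 netmask 255.255.255.255 0 0

! On PIX 6.x the inbound ACL is evaluated before the static is applied, so the
! rule must name the public (untranslated) address. A rule written against
! 10.1.0.4 would never match inbound traffic on the outside interface.
access-list outside_in permit tcp any host x.x.x.4 eq www
access-group outside_in in interface outside

! Verification from the PIX console:
!   show xlate   - the x.x.x.4 / 10.1.0.4 static entry should be listed
!   show arp     - outside ARP cache; the test host x.x.x.252 should appear
!                  once it has tried to reach x.x.x.4
```

One check worth running from the test host before touching more ACLs: the PIX answers ARP for a static's public address on the outside segment (proxy ARP is on by default), and a host on the same subnet such as x.x.x.252 sends directly to whatever MAC answers that ARP rather than via the ISP router. After a failed attempt to reach x.x.x.4, compare the test host's ARP entry for x.x.x.4 with the PIX outside interface MAC; if the entry is missing or points elsewhere, the packets are not reaching the PIX at all and no ACL change will help.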

maskmukesh
Level 1

Hi Abolis,

Could you help me in understanding the scenario? First you have a router which is connected to a switch/hub, and on this switch your PIX outside interface is connected.

There is a vlan configured on the switch which contains the outside interface of PIX.

You have 254 public IPs available. Have you assigned any public IP to this VLAN or to the outside interface of the PIX?

regards

Mukesh
