Pix 515E and NAT

Unanswered Question
Sep 6th, 2007


I'm currently bringing together my three management networks. Network 1 (With real IP addresses, hereby named RealNet) is already behind the firewall on the inside interface with security level 100. Working like a charm.

The two other nets are Fake2 (situated on eth2) and Fake3 (situated on eth3).

What I want to do is access Fake2 and Fake3 from RealNet. All three interfaces have access level 100, but I can't seem to contact my hosts on Fake2 & 3 at all. I've tried to set up some form of NAT, just to try that, but shouldn't my PIX recognize all its nets? I'll post my config along, without any access rules, since they only apply from the outside interface -> RealNet. Does anyone see any obvious faults?


Kind regards,


fw# sh run
: Saved

PIX Version 7.2(1)

hostname fw

interface Ethernet0
 nameif mng_outside
 security-level 0
 ip address 90.xxx.90.2

interface Ethernet1
 nameif RealNet
 security-level 100
 ip address 90.xxx.85.1

interface Ethernet2
 nameif Fake2
 security-level 100
 ip address

interface Ethernet3
 nameif Fake3
 security-level 100
 ip address

interface Ethernet4
 no nameif
 no security-level
 no ip address

interface Ethernet5
 no nameif
 no security-level
 no ip address

ftp mode passive
dns server-group DefaultDNS
domain-name xxx.xx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging trap warnings
logging asdm informational
mtu mng_outside 1500
mtu RealNet 1500
mtu Fake2 1500
mtu Fake3 1500
no failover
icmp deny any echo mng_outside
asdm image flash:/asdm-521.bin
no asdm history enable
arp timeout 14400
global (mng_outside) 1 interface
nat (Fake3) 1
access-group outside_access_in_1 in interface mng_outside
route mng_outside 90.xxx.90.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username RealXXX password yep, i've got one. encrypted privilege 15
aaa authorization command LOCAL
http server enable
http 90.xxx.85.2 mng_inside
snmp-server location Hovden
snmp-server contact Noone
snmp-server community xxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 30
ssh 90.xxx.85.2 RealNet
ssh 90.xxx.85.3 RealNet
ssh timeout 5
console timeout 5
management-access RealNet

dhcpd address Fake2
dhcpd dns <<Some DNS Server>> interface Fake2
dhcpd domain xxx.xx interface Fake2
dhcpd enable Fake2

dhcpd address Fake3
dhcpd dns <<Some DNS Address>> interface Fake3
dhcpd domain xxxx.xx interface Fake3
dhcpd enable Fake3

ntp server 90.xxx.85.3 source RealNet prefer
prompt hostname context

: end

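A small lint pass over a config of this shape, added here as an illustration (it is not from the thread and not Cisco tooling): it reads the interface/nameif blocks, the nat/global/static lines and a few commands that name an interface, then reports references to interface names that were never defined, interfaces with a nameif but no IP address, NAT ids whose global does not exist on every other interface, and same-security interfaces without the inter-interface permit. The embedded config is a constructed, trimmed copy of the one above with RFC 5737 documentation addresses in place of the redacted octets; the 0.0.0.0 0.0.0.0 network argument on the nat (Fake3) 1 line is an assumption made so the line is syntactically complete.

```python
"""Lint pass (added example, not Cisco tooling) for a PIX 7.x-style config.
It only knows the keywords used in the thread: interface/nameif/security-level/
ip address, nat/global/static, same-security-traffic and a few commands that
name an interface (http, ssh, telnet, management-access, route, ntp, dhcpd)."""
import re
from collections import defaultdict

# Constructed sample trimmed from the posted config: redacted octets replaced by
# RFC 5737 documentation addresses, and the network argument missing from the
# posted "nat (Fake3) 1" line assumed to be 0.0.0.0 0.0.0.0.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif mng_outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
interface Ethernet1
 nameif RealNet
 security-level 100
 ip address 198.51.100.1 255.255.255.0
interface Ethernet2
 nameif Fake2
 security-level 100
 ip address
interface Ethernet3
 nameif Fake3
 security-level 100
 ip address
same-security-traffic permit inter-interface
global (mng_outside) 1 interface
nat (Fake3) 1 0.0.0.0 0.0.0.0
http server enable
http 198.51.100.2 255.255.255.255 mng_inside
ssh 198.51.100.2 255.255.255.255 RealNet
management-access RealNet
dhcpd enable Fake2
"""

# Each pattern's first group is the nameif the command refers to.
REF_PATTERNS = [
    r"^(?:http|ssh|telnet) \d[\d.]* (?:\d[\d.]* )?(\S+)$",
    r"^management-access (\S+)$",
    r"^route (\S+) ",
    r"^ntp server \S+ source (\S+)",
    r"^dhcpd (?:enable|address \S+|dns .* interface|domain \S+ interface) (\S+)$",
]


def lint_pix(config):
    """Return a sorted list of findings (plain strings) for one config text."""
    interfaces = {}                # nameif -> {"security": int|None, "has_ip": bool}
    refs = []                      # (nameif, line) for every command naming an interface
    nat_ifs, global_ifs = defaultdict(set), defaultdict(set)  # nat id -> interfaces
    same_sec_permit, current = False, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = None             # start of an interface block
        elif m := re.match(r"^nameif (\S+)$", line):
            current = m.group(1)
            interfaces[current] = {"security": None, "has_ip": False}
        elif current and (m := re.match(r"^security-level (\d+)$", line)):
            interfaces[current]["security"] = int(m.group(1))
        elif current and line.startswith("ip address"):
            interfaces[current]["has_ip"] = len(line.split()) >= 3
        elif m := re.match(r"^(nat|global) \((\S+)\) (\d+)", line):
            (nat_ifs if m.group(1) == "nat" else global_ifs)[m.group(3)].add(m.group(2))
            refs.append((m.group(2), line))
        elif m := re.match(r"^static \((\S+),(\S+)\)", line):
            refs += [(m.group(1), line), (m.group(2), line)]
        elif line == "same-security-traffic permit inter-interface":
            same_sec_permit = True
        else:
            for pat in REF_PATTERNS:
                if m := re.match(pat, line):
                    refs.append((m.group(1), line))
                    break
    findings = [f"undefined interface '{name}' referenced by: {line}"
                for name, line in refs if name not in interfaces]
    findings += [f"interface {name} has a nameif but no ip address"
                 for name, info in interfaces.items() if not info["has_ip"]]
    # A "nat (src) id" entry pairs only with interfaces carrying "global (dst) id";
    # report the interfaces that have no global for that id.
    for nat_id, sources in nat_ifs.items():
        for src in sorted(sources):
            uncovered = sorted(set(interfaces) - global_ifs.get(nat_id, set()) - {src})
            if uncovered:
                findings.append(f"nat ({src}) {nat_id}: no global {nat_id} on "
                                + ", ".join(uncovered))
    for nat_id in sorted(set(global_ifs) - set(nat_ifs)):
        findings.append(f"global id {nat_id} has no matching nat entry")
    if not same_sec_permit:
        by_level = defaultdict(list)
        for name, info in interfaces.items():
            by_level[info["security"]].append(name)
        findings += [f"interfaces {', '.join(sorted(names))} share security-level "
                     f"{level} but same-security-traffic permit inter-interface is not set"
                     for level, names in by_level.items() if len(names) > 1]
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint_pix(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the http line that points at a non-existent mng_inside, the missing addresses on Fake2 and Fake3, and that nat (Fake3) 1 has a matching global only on mng_outside and none on Fake2 or RealNet. The checks are purely textual and only cover the commands listed in the docstring, so a clean report from it says nothing about access rules or routing.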
acomiskey Fri, 09/07/2007 - 12:29


static (RealNet,Fake2) 90.x.85.0 90.x.85.0

static (RealNet,Fake3) 90.x.85.0 90.x.85.0

markraves Tue, 09/25/2007 - 03:22


Sorry for posting so late, I had to put it away for some time. Other stuff to do.

Well, now I've tried your two lines (and I've removed my other NAT rules, just to rule out other problems with them). I do a packet trace, and a telnet packet from RealNet to Fake1 works (finds no errors). But I can't connect to anything on either of those two networks...

I just replaced some of the lines to the following:

static (RealNet,Fake2) 90.xxx.85.0 netmask

static (RealNet,Fake1) 90.xxx.85.0 netmask

That worked, but when I do a packet trace, it fails.

But somehow telnet works here.


