Pix 515E and NAT

Unanswered Question
Sep 6th, 2007

Hello,

I'm currently bringing together my three management networks. Network 1 (with real IP addresses, hereby named RealNet) is already behind the firewall on the inside interface with security level 100. Working like a charm.

The two other nets are 172.16.17.0/24 (Fake2, situated on eth2) and 172.16.18.0/24 (Fake3, situated on eth3).

What I want to do is access Fake2 and Fake3 from RealNet. All three interfaces have access level 100, but I can't seem to contact my hosts on Fake2 and Fake3 at all. I've tried to set up some form of NAT, just to try that, but shouldn't my PIX recognize all its nets? I'll post my config along, without any access rules, since they only apply from outside interface -> RealNet. Does anyone see any obvious faults?

Thanks,

Kind regards,

Markraves.

fw# sh run
: Saved
:
PIX Version 7.2(1)
!
hostname fw
!
interface Ethernet0
 nameif mng_outside
 security-level 0
 ip address 90.xxx.90.2 255.255.255.192
!
interface Ethernet1
 nameif RealNet
 security-level 100
 ip address 90.xxx.85.1 255.255.255.192
!
interface Ethernet2
 nameif Fake2
 security-level 100
 ip address 172.16.17.1 255.255.255.0
!
interface Ethernet3
 nameif Fake3
 security-level 100
 ip address 172.16.18.1 255.255.255.0
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name xxx.xx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging trap warnings
logging asdm informational
mtu mng_outside 1500
mtu RealNet 1500
mtu Fake2 1500
mtu Fake3 1500
no failover
icmp deny any echo mng_outside
asdm image flash:/asdm-521.bin
no asdm history enable
arp timeout 14400
global (mng_outside) 1 interface
nat (Fake3) 1 172.16.18.0 255.255.255.0
access-group outside_access_in_1 in interface mng_outside
route mng_outside 0.0.0.0 0.0.0.0 90.xxx.90.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username RealXXX password yep, i've got one. encrypted privilege 15
aaa authorization command LOCAL
http server enable
http 90.xxx.85.2 255.255.255.255 mng_inside
snmp-server location Hovden
snmp-server contact Noone
snmp-server community xxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 30
ssh 90.xxx.85.2 255.255.255.255 RealNet
ssh 90.xxx.85.3 255.255.255.255 RealNet
ssh timeout 5
console timeout 5
management-access RealNet
dhcpd address 172.16.17.200-172.16.17.230 Fake2
dhcpd dns <<Some DNS Server>> interface Fake2
dhcpd domain xxx.xx interface Fake2
dhcpd enable Fake2
!
dhcpd address 172.16.18.200-172.16.18.230 Fake3
dhcpd dns <<Some DNS Address>> interface Fake3
dhcpd domain xxxx.xx interface Fake3
dhcpd enable Fake3
!
!
!
ntp server 90.xxx.85.3 source RealNet prefer
prompt hostname context
Cryptochecksum:xxx
: end

acomiskey Fri, 09/07/2007 - 12:29

try...

static (RealNet,Fake2) 90.x.85.0 90.x.85.0 255.255.255.192

static (RealNet,Fake3) 90.x.85.0 90.x.85.0 255.255.255.192

markraves Tue, 09/25/2007 - 03:22

Hello,

Sorry for posting so late, I had to put it away for some time. Other stuff to do.

Well, now I've tried your two lines (and I've removed my other NAT rules, just to rule out other problems with it). I do a packet trace, and a telnet packet from RealNet to Fake1 works (finds no errors). But I can't connect to anything on any of those two networks...

I just replaced some of the lines to the following:

static (RealNet,Fake2) 172.16.18.0 90.xxx.85.0 netmask 255.255.255.192

static (RealNet,Fake1) 172.16.17.0 90.xxx.85.0 netmask 255.255.255.192

That worked, but when I do a packet trace, it fails.

But somehow telnet works here.

??
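An added example, not part of the thread: a small consistency check over a PIX running-config that lists references to interface names with no matching `nameif`, and the interface pairs that share a security level. The sample input is abridged from the configuration and follow-up lines posted above; the function names and the subset of commands inspected are choices made for this example, and the script does not evaluate NAT behaviour.

```python
import re
from itertools import combinations

# Sample input: abridged from the configuration posted in the thread, with the
# two static lines from the follow-up appended (addresses masked as posted).
SAMPLE = """\
interface Ethernet1
 nameif RealNet
 security-level 100
interface Ethernet2
 nameif Fake2
 security-level 100
interface Ethernet3
 nameif Fake3
 security-level 100
same-security-traffic permit inter-interface
nat (Fake3) 1 172.16.18.0 255.255.255.0
http 90.xxx.85.2 255.255.255.255 mng_inside
ssh timeout 5
static (RealNet,Fake2) 172.16.18.0 90.xxx.85.0 netmask 255.255.255.192
static (RealNet,Fake1) 172.16.17.0 90.xxx.85.0 netmask 255.255.255.192
"""

def interfaces(cfg):
    """Map each nameif to the security level that follows it."""
    levels, name = {}, None
    for line in map(str.strip, cfg.splitlines()):
        if line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level ") and name:
            levels[name], name = int(line.split()[1]), None
    return levels

def undefined_refs(cfg):
    """Return (name, line) for nat/global/static/http/ssh/telnet lines naming an unknown interface."""
    known, hits = interfaces(cfg), []
    for line in map(str.strip, cfg.splitlines()):
        m = re.match(r"(?:nat|global|static) \(([^)]+)\)", line)
        refs = m.group(1).split(",") if m else []
        m = re.match(r"(?:http|ssh|telnet) \S+ \d+\.\d+\.\d+\.\d+ (\S+)$", line)
        refs += [m.group(1)] if m else []
        hits += [(r, line) for r in refs if r not in known]
    return hits

def same_level_pairs(cfg):
    """Interface pairs with equal security level, and whether inter-interface traffic is permitted."""
    lv = interfaces(cfg)
    pairs = [(a, b) for a, b in combinations(lv, 2) if lv[a] == lv[b]]
    lines = [l.strip() for l in cfg.splitlines()]
    return pairs, "same-security-traffic permit inter-interface" in lines
```
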
