Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
328
Views
0
Helpful
2
Replies

Pix 515E and NAT

markraves
Level 1
Level 1

‎09-06-2007 12:22 PM - edited ‎03-05-2019 06:19 PM

Hello,

I'm currently bringing together my three management networks. Network 1 (With real IP addresses, hereby named RealNet) is already behind the firewall on the inside interface with security level 100. Working like a charm.

The two other nets are 172.16.17.0/24 (Fake2) , situated on eth2) and 172.16.18.0/24 (Fake3, situated on eth3).

What I want to do, is access Fake2 and Fake3 from RealNet. All the three interfaces have access level 100, but I can't seem to contact my hosts on fake2 & 3 at all. I've tried to set up some form of nat, just to try that, but shouldn't my pix recognize all it's nets? I'll post my config along, without any access rules, since they only apply from outside interface -> RealNet. Does anyone see any obvious faults?

Thanks,

Kind regards,

Markraves.

fw# sh run

: Saved

:

PIX Version 7.2(1)

!

hostname fw

!

interface Ethernet0

nameif mng_outside

security-level 0

ip address 90.xxx.90.2 255.255.255.192

!

interface Ethernet1

nameif RealNet

security-level 100

ip address 90.xxx.85.1 255.255.255.192

!

interface Ethernet2

nameif Fake2

security-level 100

ip address 172.16.17.1 255.255.255.0

!

interface Ethernet3

nameif Fake3

security-level 100

ip address 172.16.18.1 255.255.255.0

!

interface Ethernet4

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet5

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

dns server-group DefaultDNS

domain-name xxx.xx

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

pager lines 24

logging enable

logging timestamp

logging buffered debugging

logging trap warnings

logging asdm informational

mtu mng_outside 1500

mtu RealNet 1500

mtu Fake2 1500

mtu Fake3 1500

no failover

icmp deny any echo mng_outside

asdm image flash:/asdm-521.bin

no asdm history enable

arp timeout 14400

global (mng_outside) 1 interface

nat (Fake3) 1 172.16.18.0 255.255.255.0

access-group outside_access_in_1 in interface mng_outside

route mng_outside 0.0.0.0 0.0.0.0 90.xxx.90.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

username RealXXX password yep, i've got one. encrypted privilege 15

aaa authorization command LOCAL

http server enable

http 90.xxx.85.2 255.255.255.255 mng_inside

snmp-server location Hovden

snmp-server contact Noone

snmp-server community xxx

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 30

ssh 90.xxx.85.2 255.255.255.255 RealNet

ssh 90.xxx.85.3 255.255.255.255 RealNet

ssh timeout 5

console timeout 5

management-access RealNet

dhcpd address 172.16.17.200-172.16.17.230 Fake2

dhcpd dns <<Some DNS Server>> interface Fake2

dhcpd domain xxx.xx interface Fake2

dhcpd enable Fake2

!

dhcpd address 172.16.18.200-172.16.18.230 Fake3

dhcpd dns <<Some DNS Address>> interface Fake3

dhcpd domain xxxx.xx interface Fake3

dhcpd enable Fake3

!

!

!

ntp server 90.xxx.85.3 source RealNet prefer

prompt hostname context

Cryptochecksum:xxx

: end

Labels:
0 Helpful
2 Replies 2

acomiskey
Level 10
Level 10

‎09-07-2007 12:29 PM

try...

static (RealNet,Fake2) 90.x.85.0 90.x.85.0 255.255.255.192

static (RealNet,Fake3) 90.x.85.0 90.x.85.0 255.255.255.192

0 Helpful

markraves
Level 1
Level 1
In response to acomiskey

‎09-25-2007 03:22 AM

Hello,

Sorry for posting so late, I had to put it away for some time. Other stuff to do.

Well, Now I've tried your two lines, (And I've removed my other nat rules, just to rule out other problems with it. I do a packet trace, and a telnet packet from RealNet to Fake1 works. (Finds no errors.) But I can't connect to anything on any of those two networks...

I just replaced some of the lines to the following:

static (RealNet,Fake2) 172.16.18.0 90.xxx.85.0 netmask 255.255.255.192

static (RealNet,Fake1) 172.16.17.0 90.xxx.85.0 netmask 255.255.255.192

That worked, but when I do a packet trace, it fails.

But somehow telnet works here.

??

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card