09-06-2007 12:22 PM - edited 03-05-2019 06:19 PM
Hello,
I'm currently bringing together my three management networks. Network 1 (with real IP addresses, hereby named RealNet) is already behind the firewall on the inside interface with security level 100. Working like a charm.
The two other nets are 172.16.17.0/24 (Fake2, situated on eth2) and 172.16.18.0/24 (Fake3, situated on eth3).
What I want to do is access Fake2 and Fake3 from RealNet. All three interfaces have access level 100, but I can't seem to contact my hosts on Fake2 & Fake3 at all. I've tried to set up some form of NAT, just to try that, but shouldn't my PIX recognize all its nets? I'll post my config along, without any access rules, since they only apply from the outside interface -> RealNet. Does anyone see any obvious faults?
Thanks,
Kind regards,
Markraves.
fw# sh run
: Saved
:
PIX Version 7.2(1)
!
hostname fw
!
interface Ethernet0
nameif mng_outside
security-level 0
ip address 90.xxx.90.2 255.255.255.192
!
interface Ethernet1
nameif RealNet
security-level 100
ip address 90.xxx.85.1 255.255.255.192
!
interface Ethernet2
nameif Fake2
security-level 100
ip address 172.16.17.1 255.255.255.0
!
interface Ethernet3
nameif Fake3
security-level 100
ip address 172.16.18.1 255.255.255.0
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name xxx.xx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging trap warnings
logging asdm informational
mtu mng_outside 1500
mtu RealNet 1500
mtu Fake2 1500
mtu Fake3 1500
no failover
icmp deny any echo mng_outside
asdm image flash:/asdm-521.bin
no asdm history enable
arp timeout 14400
global (mng_outside) 1 interface
nat (Fake3) 1 172.16.18.0 255.255.255.0
access-group outside_access_in_1 in interface mng_outside
route mng_outside 0.0.0.0 0.0.0.0 90.xxx.90.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username RealXXX password yep, i've got one. encrypted privilege 15
aaa authorization command LOCAL
http server enable
http 90.xxx.85.2 255.255.255.255 mng_inside
snmp-server location Hovden
snmp-server contact Noone
snmp-server community xxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 30
ssh 90.xxx.85.2 255.255.255.255 RealNet
ssh 90.xxx.85.3 255.255.255.255 RealNet
ssh timeout 5
console timeout 5
management-access RealNet
dhcpd address 172.16.17.200-172.16.17.230 Fake2
dhcpd dns <<Some DNS Server>> interface Fake2
dhcpd domain xxx.xx interface Fake2
dhcpd enable Fake2
!
dhcpd address 172.16.18.200-172.16.18.230 Fake3
dhcpd dns <<Some DNS Address>> interface Fake3
dhcpd domain xxxx.xx interface Fake3
dhcpd enable Fake3
!
!
!
ntp server 90.xxx.85.3 source RealNet prefer
prompt hostname context
Cryptochecksum:xxx
: end
09-07-2007 12:29 PM
try...
static (RealNet,Fake2) 90.x.85.0 90.x.85.0 255.255.255.192
static (RealNet,Fake3) 90.x.85.0 90.x.85.0 255.255.255.192
09-25-2007 03:22 AM
Hello,
Sorry for posting so late, I had to put it away for some time. Other stuff to do.
Well, now I've tried your two lines (and I've removed my other NAT rules, just to rule out other problems with it). I do a packet trace, and a telnet packet from RealNet to Fake1 works (finds no errors). But I can't connect to anything on any of those two networks...
I just replaced some of the lines to the following:
static (RealNet,Fake2) 172.16.18.0 90.xxx.85.0 netmask 255.255.255.192
static (RealNet,Fake1) 172.16.17.0 90.xxx.85.0 netmask 255.255.255.192
That worked, but when I do a packet trace, it fails.
But somehow telnet works here.
??
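A consolidated form of the identity statics suggested in the reply above, covering both directions and followed by a packet-tracer check; this is an added example, not part of either post, and the host addresses 90.xxx.85.2 and 172.16.17.10 are placeholders (PIX 7.2 syntax assumed):

```cisco
! Identity statics: each network appears on the other interfaces with
! its own (untranslated) addresses. Statics take precedence over the
! existing nat/global pair, so Fake3 still PATs to mng_outside for
! everything not covered here. The "netmask" keyword is part of the
! 7.x static syntax.
static (RealNet,Fake2) 90.xxx.85.0 90.xxx.85.0 netmask 255.255.255.192
static (RealNet,Fake3) 90.xxx.85.0 90.xxx.85.0 netmask 255.255.255.192
static (Fake2,RealNet) 172.16.17.0 172.16.17.0 netmask 255.255.255.0
static (Fake3,RealNet) 172.16.18.0 172.16.18.0 netmask 255.255.255.0
!
! Confirm the path the PIX chooses before testing from a host:
! a telnet from a RealNet host (placeholder 90.xxx.85.2) to a
! Fake2 host (placeholder 172.16.17.10). Every phase should show
! ALLOW and the NAT phase should report the identity static.
packet-tracer input RealNet tcp 90.xxx.85.2 1025 172.16.17.10 23
!
! After a real connection attempt, the translation and connection
! tables show whether the static was actually used.
show xlate
show conn
```

If packet-tracer passes but a live connection still fails, check the destination host's default gateway and host firewall before revisiting the PIX configuration.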