01-14-2008 11:26 AM - edited 03-11-2019 04:47 AM
hi all, I'm experiencing a problem with a PIX 515E.
Clients on the inside are NATted with a pool of public addresses on the outside interface and all works fine, but if I try to access an inside client via its public address from another inside client (which has a different public address) it doesn't work ... same from the DMZ to the inside ... otherwise from the inside to the DMZ all works fine ... from the outside I can access anything.
Is there any special command to make this work?
thank you
01-14-2008 12:03 PM
If I understand your question correctly, you want IP traffic to enter the Pix and then exit it using the same interface right? If so then the command 'same-security-traffic permit intra-interface' may solve your problem. This command permits communication in and out of the same interface, which is not enabled by default. The only caveat would be that the code must be at least at v7.0x as I don't believe this command existed in the v6.3(5) and previous code.
01-14-2008 12:25 PM
thanks for your response ...
I've tried
pixfirewall(config)# same-security-traffic permit ?
configure mode commands/options:
inter-interface Permit communication between different interfaces with the
same security level
intra-interface Permit communication between VPN peers connected to the same
interface
pixfirewall(config)# same-security-traffic permit in
pixfirewall(config)# same-security-traffic permit inte
pixfirewall(config)# same-security-traffic permit inter-interface
pixfirewall(config)# same-security-traffic permit intra
pixfirewall(config)# same-security-traffic permit intra-interface
pixfirewall(config)#
but it still doesn't work! :(
01-14-2008 02:17 PM
Sorry this does not help your post, but I have the same issue.
Internal client trying to get to internal server via host name. The host name gets translated to the public address so it does not work. AHHHHH!
Anyone find any more on this?
Dave
01-14-2008 03:15 PM
So what I have figured out is this.
Using the same-security commands allows anyone on the same LAN as the address that gets NATed to reach the NATed address. Anyone not on that LAN cannot.
User A 10.7.7.20
Server 10.7.7.10=204.50.200.1=site.intweb.com
User B 10.6.6.20
User A can now get to http://site.intweb.com but user B cannot.
Anyone know what can be done here?
Dave
04-10-2008 10:02 PM
hi all, I've upgraded the IOS on my PIX but I can't reach the public NATted address from the inside interface ...
I've set the same-security-traffic permit intra-interface command.
Any ideas?
This is my ver:
pixfirewall# show version
Cisco PIX Security Appliance Software Version 8.0(2)
Device Manager Version 6.0(2)
thank you
04-21-2008 08:13 AM
Is the public address that you are trying to get to from the inside the public address of the PIX? If so, this will not work.
Can you post a bit of your config?
Dave
04-21-2008 10:51 PM
04-22-2008 06:55 AM
Roberto,
Can you tell me, based on the config you uploaded, which address is trying to access which address?
Cheers!
Dave
04-22-2008 10:30 AM
If I try to ping 151.13.20.200 (static NAT of 10.1.3.77) from the host itself I don't receive a response... if I ping from my house's DSL line I receive a response and I can access the service ...
If I try to ping another host (e.g. 151.13.20.10 from 151.13.20.200, or from 151.13.20.200 try to ping 151.13.20.10) from the inside network, or from any NATted host on an inside network (pool 151.13.20.50-151.13.20.250), it doesn't work ...
:(
I've found this
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml
but I must NAT all the IPs of the inside network, not just one or two.
01-15-2008 04:27 AM
maybe a bug in Cisco IOS? :P
01-22-2008 02:29 PM
I'm having the same problem running 7.0(2) on a PIX 515e. I have a second routed network inside my LAN. The PIX inside interface is the default gateway for the network. When a device on the routed network - 192.168.1.x - tries to access servers on the LAN - 192.168.50.x, the PIX drops the packets. I see it in the logs.
I've tried the same-interface commands but no good. Anyone found anything yet?
01-22-2008 07:47 PM
Hi all,
Only PIX v7.2 or later supports "hairpinning" for unencrypted traffic; also you probably have to do NAT on the inside interface. I just drew a diagram and wrote some code, but I don't have a PIX/ASA to test it. If anybody could test the code, please post the result.
If it helps, please rate.
01-23-2008 06:38 AM
Thanks for the help. I had everything except the version. I'll upgrade and that should do it. Thanks again for the help.
01-23-2008 09:59 AM
I have two PIXes running in failover mode with the below config and I still cannot get the hairpinning to work.
Again this is what I am trying to accomplish:
User A 10.7.7.20
Server 10.7.7.27=204.50.200.51=site.intweb.com
User B 10.7.4.20
User A can now get to http://site.intweb.com but user B cannot. User B cannot even ping the public address 204.50.200.51?
PIX-01# sh ver
Cisco PIX Security Appliance Software Version 7.2(3)
interface Ethernet0
nameif Outside
security-level 0
ip address 204.50.200.250 255.255.255.248 standby 204.50.200.251
!
interface Ethernet1
nameif inside
security-level 100
ip address 4.0.4.4 255.255.255.0 standby 4.0.4.5
!
access-list 101 extended permit ip any host 204.50.200.51
static (inside,Outside) 204.50.200.51 10.7.7.27 netmask 255.255.255.255 dns
global (Outside) 10 interface
global (inside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
nat (inside) 30 10.7.4.0 255.255.255.0
route inside 10.7.4.0 255.255.255.252 4.0.4.1 1
same-security-traffic permit intra-interface
Am I missing anything?
Dave
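For reference, here is a complete hairpin configuration for Dave's addressing (interfaces Outside/inside, server 10.7.7.27 = 204.50.200.51, User B on 10.7.4.0/24 behind an inside router at 4.0.4.1). This is an added example written for this thread, not Cisco's or any poster's config; the syntax is PIX/ASA 7.2 to 8.2 NAT, and the policy-map names are the 7.x/8.x defaults (check with "show run policy-map"). Two things in the config posted above are worth checking against it: traffic from 10.7.4.0/24 best-matches "nat (inside) 30", and no "global (inside) 30" exists, so hairpinned flows from User B have no source translation on the inside interface; and "route inside 10.7.4.0 255.255.255.252" only covers 10.7.4.0-10.7.4.3, so replies to 10.7.4.20 have no route back via 4.0.4.1.

```cisco
! Added example, not from the thread. Assumed addressing follows Dave's posts.
!
! 1. Let a flow enter and leave the same interface (hairpin). This is off by
!    default; once on, inside-to-inside flows through the PIX are still
!    subject to any access-group applied to the inside interface.
same-security-traffic permit intra-interface
!
! 2. Destination translation for the hairpinned flow: an inside client that
!    sends to the public address gets it untranslated to the real server.
static (inside,inside) 204.50.200.51 10.7.7.27 netmask 255.255.255.255
!
! 3. Source translation on the inside interface, so the server's reply goes
!    back through the PIX instead of straight to the client (the client sent
!    its SYN to 204.50.200.51, so a direct reply from 10.7.7.27 is dropped).
!    Every nat id that can match an inside source needs a global (inside).
global (inside) 10 interface
global (inside) 30 interface
nat (inside) 10 0.0.0.0 0.0.0.0
nat (inside) 30 10.7.4.0 255.255.255.0
!
! 4. Return route for User B's subnet must cover the whole /24, not a /30.
route inside 10.7.4.0 255.255.255.0 4.0.4.1 1
!
! The outside-facing translation stays as posted. With the "dns" keyword and
! DNS inspection enabled, A-record replies from an external DNS server that
! cross the PIX have 204.50.200.51 rewritten to 10.7.7.27, so inside clients
! resolving site.intweb.com connect directly and never need the hairpin.
! This does not help when an internal DNS server answers with the public IP,
! because that reply never passes through the PIX.
static (inside,Outside) 204.50.200.51 10.7.7.27 netmask 255.255.255.255 dns
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
```

To see which path a given client takes, "show xlate" after a test connection should show a translation built on the inside interface for the hairpin case, and "show nat" lists the nat/global pairs so a nat id with no matching global on the inside interface stands out.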