PIX 515 - NAT Issue - Require urgent assistance

Answered Question
Apr 27th, 2008

Hi

Please check the attached configuration of the PIX and the Frame Relay router connected on DMZ-4 of the PIX. Currently the servers inside are statically NATed to IPs on the DMZ-4 subnet, but I want my remote sites to reach the 172.16.32.x/24 and 172.16.33.x/24 networks without them being statically NATed to DMZ-4 IP addresses. I removed all the static commands from DMZ-4 and put in these two commands:

static (inside,DMZ5) 172.16.32.0 172.16.32.0 netmask 255.255.255.0 0 0

static (inside,DMZ5) 172.16.33.0 172.16.33.0 netmask 255.255.255.0 0 0

But it's not working; I am unable to ping my remote sites and vice versa.

Regards




rkalia1 Sun, 04/27/2008 - 08:40

Please send a diagram if you can. Also, please elaborate further on what you want to achieve.

asfar.zaidi Sun, 04/27/2008 - 09:03

I want all my remote site networks, which are connected to the Head Office router through Frame Relay, to be able to access all my servers behind the inside interface of the firewall.

Currently they can access my servers because I have statically NATed them to my DMZ-4 interface. If I want to ping 172.16.33.11, which is my DC, I have to ping the NATed IP, that is 192.168.1.11, from the remote sites.

Now I want my remote sites to ping the original IP address, that is 172.16.33.11, not the NATed address 172.16.1.11.

Thanks



rkalia1 Sun, 04/27/2008 - 08:42

You have configured Remote VPN, but I don't see any address pool for the remote VPN clients.

Correct Answer
froggy3132000 Sun, 04/27/2008 - 08:47

Nothing is being routed towards the DMZ5 interface. Your WAN networks sit off of your DMZ4 network.

So your no-NATs should be:

static (inside,DMZ4) 172.16.32.0 172.16.32.0

static (inside,DMZ4) 172.16.33.0 172.16.33.0

All of your remote/WAN networks are routed through DMZ4, not DMZ5. Also, since you have no default route on your router, you need to add a route for the 172.16.33.0/24 network.


HTH

rkalia1 Sun, 04/27/2008 - 09:25

Are you running site-to-site VPN or remote VPN? As per your config it is Remote VPN, but there is no IP pool configured to give IP addresses to the clients. If you intend to run L2L VPN then remove the dynamic map config. Configure crypto properly and then configure the command crypto isakmp enable DMZ4. Also, check that you have configured the crypto access-list at the remote end permitting those remote networks to the inside networks at HQ. You should have all those networks in the VPN-NAT access-list, the traffic from which needs to be encrypted and bypass the ACLs.

asfar.zaidi Sun, 04/27/2008 - 10:55

That's right, my WAN network sits at DMZ 4.

I configured the same commands:

static (inside,DMZ4) 172.16.32.0 172.16.32.0

static (inside,DMZ4) 172.16.33.0 172.16.33.0

But it's not working.

You mean to say I should configure a route on my WAN router:

ip route 172.16.33.0 255.255.255.0 172.16.1.254

I will try that.

If you look in the configuration there is:

global (DMZ4) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Should I remove this PAT command? What impact will it make?

asfar.zaidi Sun, 04/27/2008 - 11:02

Tell me one thing: my WAN router interface 172.16.1.1 is directly connected to my PIX DMZ-4 (172.16.1.254). If I try to ping my router interface from the inside network, why am I unable to?

rkalia1 Sun, 04/27/2008 - 11:31

Configure globally:

fixup protocol icmp

Then you should be able to ping it.

asfar.zaidi Sun, 04/27/2008 - 11:56

OK, I will try that.

I have configured:

static (inside,DMZ4) 172.16.32.0 172.16.32.0 netmask 255.255.255.0 0 0

static (inside,DMZ4) 172.16.33.0 172.16.33.0 netmask 255.255.255.0 0 0

But my question is this: I agree that there is no route configured on my router for the 172.16.32.x and 172.16.33.x networks, which I will configure now, but I have routes on my firewall to all my remote sites and their next hop is the WAN router interface 172.16.1.1. After putting no NAT for these 2 networks, I should be able to ping my remote sites, am I right?


rkalia1 Sun, 04/27/2008 - 12:08

First, please tell me whether you are doing Remote VPN or site-to-site VPN. From your configuration it is apparent that you have configured for Remote VPN, but I don't see any IP address pool for the remote VPN clients. If you intend to do site-to-site VPNs then your configuration is wrong.

When you use site-to-site VPN, you use the nat 0 command to exclude the VPN traffic between the sites from any NATing. Then you use that access-list in the crypto map match address command. This is just in brief. The static command does not come into play in VPNs, as the VPN traffic bypasses all the NAT automatically when you do what I described above. Hope it is clear. Let me know if you need more clarification.

rkalia1 Sun, 04/27/2008 - 12:20

If you are running VPN tunnels between the inside network and the DMZ4 networks then you are also missing the command:

isakmp enable DMZ4

You need to remove:

isakmp enable outside

asfar.zaidi Sun, 04/27/2008 - 12:21

Bro, it's not a matter of VPN. I also know that the VPN configuration is not complete, and I also know that no NAT or nat 0 can be used to pass the VPN traffic.

Right now my problem is to remove static NATing from DMZ-4 and make my inside networks available to my remote sites. That means if any of my remote sites wants to ping any IP on my inside network it can, and it should not have to ping a NATed IP for my inside network. Remember one thing: my sites are not connected through VPN, they are connected through Frame Relay. I hope you got it now.

rkalia1 Sun, 04/27/2008 - 12:29

Sorry, I was talking on a different wavelength and got it all wrong. As far as pinging is concerned, once you have done the no NAT using the static command and you have put the routes on the FR router for the inside networks pointing to the PIX's outside interface, ping should work.

rkalia1 Sun, 04/27/2008 - 12:33

Also remove the following PAT commands. They NAT everything from inside going to the DMZ4 side with the DMZ4 interface's IP address, so you won't be able to ping the real IPs on the inside from the DMZ4 networks.

global (DMZ4) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0


asfar.zaidi Sun, 04/27/2008 - 12:38

It's nice that finally we are on the same wavelength. OK, I cannot remove

global (DMZ4) 1 interface

as my DMZ5 is also PATed to interface DMZ4.

OK, what about the branch routers? I think I need to configure a route there also for my inside network.

asfar.zaidi Sun, 04/27/2008 - 12:42

So finally my config will look like this:

global (DMZ4) 1 interface

nat (DMZ5) 1 172.16.41.0 255.255.255.0 0 0

static (inside,DMZ4) 172.16.32.0 172.16.32.0 netmask 255.255.255.0 0 0

static (inside,DMZ4) 172.16.33.0 172.16.33.0 netmask 255.255.255.0 0 0

access-list ACL-DMZ4 permit icmp any any echo-reply

access-list ACL-DMZ4 permit icmp any any echo

access-list ACL-DMZ4 permit udp any any eq domain

access-list ACL-DMZ4 permit tcp any any eq www

access-list ACL-DMZ4 permit tcp any any eq 8080

access-list ACL-DMZ4 permit tcp any any eq https

access-list ACL-DMZ4 permit tcp any any eq domain

access-list ACL-DMZ4 permit tcp any any eq smtp

access-list ACL-DMZ4 permit ip any any

access-group ACL-DMZ4 in interface DMZ4




Regards

rkalia1 Sun, 04/27/2008 - 12:45

Use the following:

global (DMZ4) 2 interface

nat (DMZ5) 2 172.16.41.0 255.255.255.0 0 0

Then get rid of the other nat/global commands for the inside PAT to DMZ4. The branch routers should have a default route to the FR router side, and the FR router should have routes to the outside interface of the PIX for your inside networks.

rkalia1 Sun, 04/27/2008 - 12:46

Yes, your config looks OK now after you got rid of the PAT for the inside network.

asfar.zaidi Sun, 04/27/2008 - 12:48

Hey, what difference will it make by changing the instance from 1 to 2?

rkalia1 Sun, 04/27/2008 - 13:08

No difference. You are good to go now. Things should work once you have removed the nat (inside) 1 command.
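The thread's fix rests on three things: the identity static is consulted before the nat/global PAT, a nat statement only pairs with a global that carries the same id (which is why renumbering 1 to 2 changes nothing as long as the pair matches), and the Frame Relay router must have a route back to the real inside networks via the PIX DMZ4 address. The following Python model, added here as an illustration and not code from the thread or from Cisco, replays those rules over the addresses in the thread. The remote site range 10.10.0.0/16 and the helper names are assumptions; the PIX 6.x translation order (static before nat/global, drop when nothing matches) is modelled in simplified form.

```python
# Added example: a simplified model of PIX 6.x translation selection for a
# packet leaving one interface toward another, plus the return route the
# Frame Relay router needs. Teaching model only; not PIX code.
import ipaddress
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network


@dataclass
class Static:            # static (src_if,dst_if) mapped real netmask mask
    src_if: str
    dst_if: str
    mapped: Net          # address range presented on dst_if
    real: Net            # real range on src_if


@dataclass
class Nat:               # nat (src_if) id real_net mask
    src_if: str
    nat_id: int
    real: Net


@dataclass
class Global:            # global (dst_if) id interface  (PAT to the interface address)
    dst_if: str
    nat_id: int


@dataclass
class Pix:
    ifaddr: dict                                # interface name -> its own address
    statics: list = field(default_factory=list)
    nats: list = field(default_factory=list)
    globals_: list = field(default_factory=list)


def translate(pix, src_if, dst_if, src_ip):
    """Return (source address as seen on dst_if, rule used).

    Order modelled after PIX 6.x: static entries win over nat/global pairs,
    and a nat statement only pairs with a global of the same id.  A packet
    from a higher- to a lower-security interface with no translation at all
    is dropped ("no xlate").
    """
    ip = ipaddress.IPv4Address(src_ip)
    for s in pix.statics:
        if s.src_if == src_if and s.dst_if == dst_if and ip in s.real:
            offset = int(ip) - int(s.real.network_address)     # one-to-one mapping
            mapped = ipaddress.IPv4Address(int(s.mapped.network_address) + offset)
            return str(mapped), "static"
    for n in pix.nats:
        if n.src_if == src_if and ip in n.real:
            for g in pix.globals_:
                if g.dst_if == dst_if and g.nat_id == n.nat_id:
                    return pix.ifaddr[dst_if], f"pat id {n.nat_id}"
    return None, "no xlate"


def next_hop(routes, dst_ip):
    """Longest-prefix match over (network, next_hop) pairs; None when no route."""
    ip = ipaddress.IPv4Address(dst_ip)
    best = None
    for net, nh in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def reply_path(pix, fr_routes, inside_ip):
    """What a remote site sees as the source for inside_ip, and where the FR router
    would send a packet back to that address."""
    seen, rule = translate(pix, "inside", "DMZ4", inside_ip)
    return seen, rule, (next_hop(fr_routes, seen) if seen else None)


# Constructed sample config built from the addresses in the thread.
PIX = Pix(
    ifaddr={"DMZ4": "172.16.1.254"},
    statics=[Static("inside", "DMZ4", Net("172.16.32.0/24"), Net("172.16.32.0/24")),
             Static("inside", "DMZ4", Net("172.16.33.0/24"), Net("172.16.33.0/24"))],
    nats=[Nat("inside", 1, Net("0.0.0.0/0")), Nat("DMZ5", 2, Net("172.16.41.0/24"))],
    globals_=[Global("DMZ4", 1), Global("DMZ4", 2)],
)
# Assumed remote-site range; the thread does not give one.
FR_ROUTES_BEFORE = [(Net("10.10.0.0/16"), "frame-relay")]
FR_ROUTES_AFTER = FR_ROUTES_BEFORE + [(Net("172.16.32.0/24"), "172.16.1.254"),
                                      (Net("172.16.33.0/24"), "172.16.1.254")]

if __name__ == "__main__":
    print(reply_path(PIX, FR_ROUTES_BEFORE, "172.16.33.11"))  # static holds, but no route back
    print(reply_path(PIX, FR_ROUTES_AFTER, "172.16.33.11"))   # route via the PIX DMZ4 address
    print(translate(PIX, "inside", "DMZ4", "172.16.40.5"))    # not in a static: falls to PAT id 1
    print(translate(PIX, "DMZ5", "DMZ4", "172.16.41.7"))      # DMZ5 pairs with global id 2
```

Two checks worth running against the model: a nat (DMZ5) 2 with only a global (DMZ4) 1 present yields "no xlate", which is the failure a mismatched id would cause; and a static written with netmask 255.255.255.255 on a /24 network only covers the .0 address, so host .11 falls through to the PAT and is seen as 172.16.1.254 again.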
