Security Context - NATing issues

Unanswered Question
May 1st, 2008

Hi All,

I have configured two contexts on the PIX, i.e. one for Admin and one for Client. I have configured two subinterfaces and assigned VLANs to use for the inside networks, whereas I have shared the outside interface between the two contexts.

Now I am confused about the NATing part of this design. I am able to access the internet from the admin context. However, I am not able to telnet to my ISP router from my network. I have assigned two IP networks to the inside interface of the ISP routers, i.e. 10.10.10.X and a public IP range. Now if I telnet to the public IP it works, whereas if I telnet to the 10.10.10.X network it won't work. Also, my RADIUS has stopped authenticating on the router. I am able to ping the RADIUS server from the router.

Could you please help me to solve this issue?

Adm Ctx:

interface Inside_adm
 nameif inside
 security-level 100
 ip address 10.126.1.17 255.255.255.0
!
interface outside_adm
 nameif outside
 security-level 0
 ip address 10.10.10.201 255.255.255.0
!
same-security-traffic permit intra-interface
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any

I am not using NAT on the PIX.

ISP router:

interface FastEthernet0/0
 ip address 203.88.99.101 255.255.255.240 secondary
 ip address 10.10.10.4 255.255.255.0
 ip nat inside
!
ip nat pool Test XXXX netmask 255.255.255.240
ip nat inside source list 1 pool Test overload
ip route 10.126.1.0 255.255.255.0 10.10.10.200

Patrick Laidlaw Fri, 05/02/2008 - 17:12

Hello,

So I'm noticing on your ISP router it is doing the natting right now for you. I'm assuming you're not trying to do double NAT out to the internet, so you need to do a NAT exemption on your PIX/ASA.

Can you confirm this little traffic drawing?

HOSTA10.126.1.X --> 10.126.1.17 PIX 10.10.10.201--> 10.10.10.4 ISPRTR --> Internet

I also notice that your ip route on the ISP router is pointed to 200 instead of 201.
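
The next-hop mismatch noted in the reply can be checked mechanically. The script below is an added example, not part of the original thread: it parses the interface addresses from the PIX context and the static routes from the router, then flags any route toward a firewall-connected network whose next hop is not one of the firewall's own addresses. The function names are hypothetical and the sample configs are constructed from the lines quoted in the post; a finding is a prompt to review, since the post shows only the admin context.

```python
import ipaddress
import re

# Constructed sample input: the relevant lines from the two configs in the post.
PIX_CONFIG = """\
interface Inside_adm
 nameif inside
 ip address 10.126.1.17 255.255.255.0
interface outside_adm
 nameif outside
 ip address 10.10.10.201 255.255.255.0
"""
ROUTER_CONFIG = """\
interface FastEthernet0/0
 ip address 10.10.10.4 255.255.255.0
ip route 10.126.1.0 255.255.255.0 10.10.10.200
"""

def firewall_interfaces(config):
    """Return {nameif: IPv4Interface} for each named interface in a PIX/ASA config."""
    result, name = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["nameif"]:
            name = words[1]
        elif words[:2] == ["ip", "address"] and name:
            result[name] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
            name = None
    return result

def check_routes(router_config, fw_ifaces):
    """Flag static routes to firewall-connected networks whose next hop is not a firewall address."""
    findings = []
    fw_addrs = {i.ip for i in fw_ifaces.values()}
    fw_nets = [i.network for i in fw_ifaces.values()]
    for m in re.finditer(r"^ip route (\S+) (\S+) (\S+)", router_config, re.M):
        dest = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        hop = ipaddress.ip_address(m.group(3))
        if any(dest.subnet_of(n) for n in fw_nets) and hop not in fw_addrs:
            # Firewall addresses on the same subnet as the configured next hop.
            candidates = [str(i.ip) for i in fw_ifaces.values() if hop in i.network]
            findings.append((str(dest), str(hop), candidates))
    return findings

if __name__ == "__main__":
    for dest, hop, candidates in check_routes(ROUTER_CONFIG, firewall_interfaces(PIX_CONFIG)):
        print(f"route {dest} via {hop}: not a firewall address, candidates {candidates}")
```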
