Nat in Pix 515

markraves
Level 1

Hello,

I'm running a pix 515E for management purposes. I have several nets, one outside, and three inside. I've set up nat between them, since my inside0 has real ip addresses, and 1 & 2 has private addresses. This is working brilliantly.

My problem is a third private net.

It's located behind a 3750. I can reach it (172.18.18.0 -> 172.18.18.10 - loopback interfaces) from the 3750 (they're directly connected on some of the interfaces), but not from the rest of the units (e.g. my supervisor server). I'm thinking of reaching these via nat in the pix. But no matter what I try, I just can't seem to reach the 172... addresses from my 90.x.x.x network. The mng vlan is terminated on a vlan interface in the 3750 router.

Any pointers would do me great;=)

\\mark

4 Replies

andrew.prince
Level 10

Mark,

Do you have static routes in the PIX for the remote net pointing to your internal default gateway?

something like:-

Internal default Layer 3 router - 172.16.1.1

IP Subnet behind the 3750 - 172.18.18.0

PIX config:-

route inside 172.18.18.0 255.255.255.0 172.16.1.1

HTH.

Hi,

Thanks for the reply. Sorry for answering late, I was taking a couple of days off;=)

Here's my current config regarding the matter:

interface Ethernet1
 nameif mng_inside
 security-level 100
 ip address 90.x.x.1 255.255.255.192

global (mng_outside) 1 interface

static (mng_inside,RadioMan) 172.16.18.0 90.x.x.0 netmask 255.255.255.192 // This line works
static (mng_inside,AlliedMan) 172.16.17.0 90.x.x.0 netmask 255.255.255.192 // This line works
static (mng_inside,mng_inside) 90.x.x.0 172.18.18.0 netmask 255.255.255.0 // This line errors

access-group outside_access_in_1 in interface mng_outside

route mng_outside 0.0.0.0 0.0.0.0 128.x.x.1 10
route mng_outside 172.16.16.16 255.255.255.255 128.x.x.1 9
route mng_inside 172.16.16.17 255.255.255.255 172.16.16.17 1
route mng_inside 172.18.18.0 255.255.255.0 90.x.x.1 1

During a packet trace, I get this error:

Type - NAT
Subtype - rpf-check
Action - DROP
Show rule in NAT Rules table.

Config:
static (mng_inside,mng_inside) 90.x.x.0 172.18.18.0 netmask 255.255.255.0
  match ip mng_inside 172.18.18.0 255.255.255.0 mng_inside any
    static translation to 90.x.x.0
    translate_hits = 0, untranslate_hits = 38

I've also tried the following line instead:

static (mng_inside,mng_inside) 172.18.18.0 90.x.x.0 netmask 255.255.255.192

This does not result in a packet trace error - the packet tracer gently confirms that the packet is allowed.

What I'm thinking - since the 172.18.18.0 network is behind the 90.x.x.12 address, maybe my route in the pix should be route inside 17.28.18.0 255.255.255.192 90.x.x.12 ?

*trying*
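As an added example (not from the thread and not Cisco code), the small Python checker below parses PIX-style `static` and `route` lines and flags the two problems visible in the config posted above: a `static` whose real and mapped interface are the same (the entry packet-tracer dropped with a NAT rpf-check), and a `route` whose next hop is the PIX's own interface address rather than the internal Layer 3 router that the first reply asked about. The sample config is constructed from the post, with the masked 90.x.x.x and 128.x.x.1 octets replaced by RFC 5737 documentation addresses; 198.51.100.12 is assumed as a stand-in for the 90.x.x.12 address of the 3750 mentioned in the post.

```python
"""Check PIX 'static' and 'route' lines for a self-referencing static and for
routes whose next hop is the firewall's own interface address.
Added example modelled on the thread's config; not Cisco code."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Static:
    real_ifc: str
    mapped_ifc: str
    mapped_net: ipaddress.IPv4Network
    real_net: ipaddress.IPv4Network


@dataclass
class Route:
    ifc: str
    dest: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address


# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")


def parse_config(text):
    """Return (interfaces, statics, routes); interfaces maps nameif -> IPv4Interface."""
    interfaces, statics, routes = {}, [], []
    current = None
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop the poster's "// ..." annotations
        if not line:
            continue
        if line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("ip address ") and current:
            _, _, addr, mask = line.split()
            interfaces[current] = ipaddress.ip_interface(f"{addr}/{mask}")
        elif line.startswith("static "):
            m = STATIC_RE.match(line)
            if m:
                real_ifc, mapped_ifc, mapped_ip, real_ip, mask = m.groups()
                statics.append(Static(
                    real_ifc, mapped_ifc,
                    ipaddress.ip_network(f"{mapped_ip}/{mask}", strict=False),
                    ipaddress.ip_network(f"{real_ip}/{mask}", strict=False)))
        elif line.startswith("route "):
            p = line.split()  # route <ifc> <dest> <mask> <gateway> [metric]
            routes.append(Route(p[1],
                                ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False),
                                ipaddress.ip_address(p[4])))
    return interfaces, statics, routes


def check_config(text):
    """Return a list of human-readable findings (empty list means nothing flagged)."""
    interfaces, statics, routes = parse_config(text)
    findings = []
    for s in statics:
        if s.real_ifc == s.mapped_ifc:
            findings.append(f"static {s.real_net} -> {s.mapped_net}: real and mapped "
                            f"interface are both '{s.real_ifc}' (packet-tracer reports "
                            "a NAT rpf-check DROP for this entry in the thread)")
    for r in routes:
        ifc = interfaces.get(r.ifc)
        if ifc is None:
            findings.append(f"route {r.dest}: no 'ip address' seen for interface '{r.ifc}'")
        elif r.gateway == ifc.ip:
            findings.append(f"route {r.dest} via {r.gateway}: next hop is the PIX's own "
                            f"{r.ifc} address; it should be the internal Layer 3 router")
        elif r.gateway not in ifc.network:
            findings.append(f"route {r.dest} via {r.gateway}: next hop is not on the "
                            f"{r.ifc} subnet {ifc.network}")
    return findings


# Constructed sample modelled on the poster's config (RFC 5737 documentation addresses).
SAMPLE_CONFIG = """
interface Ethernet0
 nameif mng_outside
 ip address 203.0.113.2 255.255.255.0
interface Ethernet1
 nameif mng_inside
 ip address 198.51.100.1 255.255.255.192
static (mng_inside,RadioMan) 172.16.18.0 198.51.100.0 netmask 255.255.255.192 // works
static (mng_inside,mng_inside) 198.51.100.0 172.18.18.0 netmask 255.255.255.0 // errors
route mng_outside 0.0.0.0 0.0.0.0 203.0.113.1 10
route mng_inside 172.18.18.0 255.255.255.0 198.51.100.1 1
route mng_inside 172.16.16.17 255.255.255.255 172.16.16.17 1
"""

# Same config with the self-referencing static removed and the 172.18.18.0/24 route
# pointed at the 3750 (198.51.100.12 is an assumed stand-in for the post's 90.x.x.12).
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "static (mng_inside,mng_inside) 198.51.100.0 172.18.18.0 netmask 255.255.255.0 // errors\n", ""
).replace("255.255.255.0 198.51.100.1 1", "255.255.255.0 198.51.100.12 1")

if __name__ == "__main__":
    for label, cfg in (("original", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        result = check_config(cfg)
        print(f"== {label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run as a script it reports three findings for the sample (the self-referencing static, the route whose next hop is the PIX's own mng_inside address, and the host route whose next hop is off the mng_inside subnet) and one for the fixed config. The checker only reads `nameif`, `ip address`, `static` and `route` lines, so it is a sanity check on the posted config, not a replacement for packet-tracer.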

The lines:-

static (mng_inside,mng_inside) 90.x.x.0 172.18.18.0 netmask 255.255.255.0

and

static (mng_inside,mng_inside) 90.x.x.0 172.18.18.0 netmask 255.255.255.0

Will just not work - what exactly are you trying to do?

Hi, no English, only Spanish; check the security level of the interface.

Bye

Ruben.
