Pix 506E 6.3(3) need to pass networks without NAT translation.

radutily1
Level 1

We use the 10.x.x.x network internally. The Pix stands between two networks: 10.34.12.0/24, the outside one with security level 0, and 10.34.3.0/24, the inside one with security level 100. I need all IPs from the 10.34.3.0 and 10.34.12.0 networks to pass through the firewall without any NAT translation. Also, network 10.34.12.0 should get access to other 10.x.x.x subnets within the corporate network without any NAT translation. What is the best way to achieve this?


15 Replies

Try the following

access-list outside_access_in permit ip 10.34.12.0 255.255.255.0 10.34.3.0 255.255.255.0

access-list outside_access_in permit ip 10.34.12.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list inside_access_out permit ip 10.34.3.0 255.255.255.0 10.34.12.0 255.255.255.0

nat (outside) 0 access-list outside_access_in

nat (inside) 0 access-list inside_access_out

Thanks

When I apply nat (outside) 0 access-list outside_access_in

I receive the following error message:

WARNING: Specified interface is lowest security interface. This statement

WARNING: is not applicable to any traffic.

And I am still not able to get access to hosts on the 10.34.12.x net. I think, as outside is the lower security level interface, only the static command can help. What do you think?

Thanks

Can you post your current config? I think there is some confusion on which side the networks are and the direction of the NAT required.

Try using

nat (outside) 0 access-list outside_access_in outside

instead of

nat (outside) 0 access-list outside_access_in

Thanks

andrew.prince
Level 10

Use a policy-based no-NAT translation config.

something like:-

access-list no-nat-internal permit ip 10.34.3.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list no-nat-internal permit ip 10.34.12.0 255.255.255.0 10.0.0.0 255.0.0.0

nat (inside) 0 access-list no-nat-internal

HTH>

Hi guys,

I've implemented such commands on this firewall:

access-list outside_access_in permit ip 10.34.12.0 255.255.255.0 10.34.3.0 255.255.255.0

access-list outside_access_in permit ip 10.34.12.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list inside_access_out permit ip 10.34.3.0 255.255.255.0 10.34.12.0 255.255.255.0

access-list inside_access_out permit ip 10.0.0.0 255.0.0.0 10.34.12.0 255.255.255.0

nat (outside) 0 access-list outside_access_in outside

nat (inside) 0 access-list inside_access_out

But I'm still not able to get access to any hosts from inside to outside. Please find configuration details in attachment.

Your access-list and interface IP address make no sense, and are incorrect.

1) What IP subnets are on the inside?

2) What IP subnets are on the outside?

You also have a default route pointing to the inside - why? Are you sure you have inside and outside the correct way around?

Hi Andrew,

Inside subnet is 10.34.3.0/24

Outside subnet is 10.34.12.0/24

The default route on inside - it's simply a default route to other subnets in our network.

OK - so what is the issue? Are there any other subnets on the outside that you want to connect to?

I think I understand now - after re-reading your initial post. Cut and paste the config below and re-test:-

no nat (outside) 0 access-list outside_access_in outside

no nat (inside) 0 access-list inside_access_out

no access-list outside_access_in permit ip 10.34.12.0 255.255.255.0 10.34.3.0 255.255.255.0

no access-list outside_access_in permit ip 10.34.12.0 255.255.255.0 10.0.0.0 255.0.0.0

no access-list inside_access_out permit ip 10.34.3.0 255.255.255.0 10.34.12.0 255.255.255.0

no access-list inside_access_out permit ip 10.0.0.0 255.0.0.0 10.34.12.0 255.255.255.0

static (inside,outside) 10.34.3.0 10.34.3.0 netmask 255.255.255.0

static (outside,inside) 10.34.12.0 10.34.12.0 netmask 255.255.255.0

HTH>

Yeah right, this could help, but in that case the firewall will do the proxy ARP feature, and that way it can crash these two networks. It may be a good point to use these statics with proxy ARP disabled on the interfaces, but what to do with the other 10.x.x.x networks?

Well you just add static statements per network, or just change the previous suggestion to:-

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

static (outside,inside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

That way all networks in the 10/8 are the same passing through the firewall.

HTH>

Right, this one should work with disabled proxy ARP:

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

static (outside,inside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

sysopt noproxyarp outside

sysopt noproxyarp inside

Guys from that site have already left - will check on Monday and provide you results.
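The two points the thread converges on are that an identity static (mapped address equal to real address) lets 10/8 cross the PIX untranslated in both directions, and that such a static is only safe when proxy ARP is switched off on the interface where the mapped range overlaps the directly connected segment, otherwise the firewall answers ARP for real hosts on that wire. The following script is an added example, written here and not part of the thread or of any Cisco tool. It parses the final config from the thread into a small model and checks both conditions. The interface addresses 10.34.12.1 and 10.34.3.1 are assumed values (the thread never states them), and the `ip address` lines and the sample config are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the final working commands from the thread, plus assumed
# interface addresses (10.34.12.1 / 10.34.3.1 are not given in the thread).
SAMPLE_CONFIG = """
ip address outside 10.34.12.1 255.255.255.0
ip address inside 10.34.3.1 255.255.255.0
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (outside,inside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
sysopt noproxyarp outside
sysopt noproxyarp inside
"""

# PIX 6.3 syntax: static (real_if,mapped_if) mapped_ip real_ip netmask M
STATIC_RE = re.compile(
    r"^\s*static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)", re.M)
IFACE_RE = re.compile(r"^\s*ip address\s+(\w+)\s+(\S+)\s+(\S+)", re.M)
NOPROXY_RE = re.compile(r"^\s*sysopt noproxyarp\s+(\w+)", re.M)


@dataclass
class Static:
    real_if: str
    mapped_if: str
    mapped: ipaddress.IPv4Network   # addresses presented on mapped_if
    real: ipaddress.IPv4Network     # addresses that exist behind real_if

    @property
    def identity(self) -> bool:
        # mapped == real means the packet crosses without translation
        return self.mapped == self.real


def parse_statics(config: str) -> list:
    statics = []
    for real_if, mapped_if, mapped_ip, real_ip, mask in STATIC_RE.findall(config):
        statics.append(Static(
            real_if, mapped_if,
            ipaddress.IPv4Network(f"{mapped_ip}/{mask}", strict=False),
            ipaddress.IPv4Network(f"{real_ip}/{mask}", strict=False)))
    return statics


def parse_interfaces(config: str) -> dict:
    """Map interface name -> directly connected subnet."""
    return {name: ipaddress.IPv4Interface(f"{ip}/{mask}").network
            for name, ip, mask in IFACE_RE.findall(config)}


def parse_noproxyarp(config: str) -> set:
    return set(NOPROXY_RE.findall(config))


def untranslated_path(statics: list, host: str, from_if: str, to_if: str) -> bool:
    """True if a packet from `host` entering on from_if and leaving on to_if is
    covered by an identity static, i.e. it crosses the PIX with no NAT."""
    addr = ipaddress.IPv4Address(host)
    return any(s.real_if == from_if and s.mapped_if == to_if
               and s.identity and addr in s.real
               for s in statics)


def proxy_arp_risks(config: str) -> list:
    """Flag statics whose mapped range overlaps the connected segment of the
    mapped interface while proxy ARP is still enabled there: the PIX would
    answer ARP requests for addresses that belong to real hosts on that wire."""
    statics = parse_statics(config)
    connected = parse_interfaces(config)
    quiet = parse_noproxyarp(config)
    risks = []
    for s in statics:
        segment = connected.get(s.mapped_if)
        if segment is None or s.mapped_if in quiet:
            continue
        if segment.overlaps(s.mapped):
            risks.append(f"{s.mapped_if}: static maps {s.mapped}, which overlaps the "
                         f"connected segment {segment}, with proxy ARP enabled")
    return risks


if __name__ == "__main__":
    statics = parse_statics(SAMPLE_CONFIG)
    print("10.34.3.5 inside->outside untranslated:",
          untranslated_path(statics, "10.34.3.5", "inside", "outside"))
    print("proxy ARP risks:", proxy_arp_risks(SAMPLE_CONFIG) or "none")
```

Drop the two `sysopt noproxyarp` lines from the sample and the checker reports one risk per interface, which is exactly the collision the reply at this point in the thread was worried about; with them present it reports none.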

Hi Guys. These configuration rows with disabled proxy arp resolved my problem.
