09-24-2008 08:44 AM - edited 03-06-2019 01:34 AM
I am fairly new to the PIX 501 and so this is the first time I have run up against this type of issue. I have installed a PIX 501 for a client with a small network. The firewall has the 10-user license. Not long after that they had an issue where a user could not connect to the Internet. Near as I could tell this was because of the licensing limitation on the router.
However it's not clear how the ten xlate connections were used up, because their network only has eight computers and one server which communicate through the firewall. They do have a wireless access point, which could cause the number of connections to go over ten.
It also seemed that the server was taking up two licenses because it has both a physical network adapter and a virtual network adapter created by the VPN service (Windows RRAS).
We were able to resolve the issue by shortening the xlate timeout to 15 minutes, removing the wireless access point and disabling the virtual network adapter.
Now my question is:
How do we configure the network so that the virtual network adapter on the server does not make connections through the firewall?
Thanks for any assistance you can provide.
09-24-2008 03:12 PM
it is possible to make your server virtual ip not use global interface for nat.
your firewall probably nats all inside hosts via the outside interface as follows.
global (outside) 1 interface
nat (inside) 1 0 0
above means all hosts behind the firewall will be using the global interface for outbound internet connections. ok so far this is understandable and the general configuration for your inside folks connecting to the internet.
now if you want one system IP address not to use global, then make it a no nat host in the firewall.
you can do it like this.
create a host location and create a no nat statement, say your server virtual ip is 10.20.20.20
pdm location 10.20.20.20 255.255.255.255 inside
nat (inside) 0 10.20.20.20 255.255.255.255
0 means no nat, unlike nat (inside) 1, which uses the outside interface for outbound nat.
after you implement above statements your system virtual adapter ip will not use global outside interface nor have any internet connection.
Rgds
Jorge
PLS rate any helpful posts
09-25-2008 03:22 PM
Thanks Jorge for your help, that is great. Now what I find is that the problem is that I need to exclude from NAT not just the one IP address that gets assigned to the virtual PPP adapter associated with RRAS--I need to exclude an entire range of IP addresses which are handed out by DHCP to remote access users for use on the network.
In this case, I have defined the pool of IP addresses from 192.168.71.201-220 for use by remote access clients. How do I describe this range in my config file using the command you recommended?
Thanks in advance for any assistance you can provide.
09-25-2008 03:36 PM
You can use
nat (inside) 0 192.168.71.192 255.255.255.224
this would cover hosts
192.168.71.193 -> 192.168.71.223
This is as close as you can get with an individual statement. If you must match just those specific addresses
nat (inside) 0 192.168.71.200 255.255.255.248
nat (inside) 0 192.168.71.208 255.255.255.248
nat (inside) 0 192.168.71.216 255.255.255.252
nat (inside) 0 192.168.71.220 255.255.255.255
Jon
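To check statements like Jon's before pasting them into a PIX, here is an added Python helper (not from the thread or from Cisco) that summarizes a host range into the fewest exact nat (inside) 0 lines and reports which addresses a proposed set of statements misses or exempts beyond the pool. The pool bounds and Jon's statements are copied from this thread; the interface name and the output format are assumptions.

```python
import ipaddress

# Values taken from the thread: the RRAS DHCP pool handed to remote-access clients.
POOL_FIRST = "192.168.71.201"
POOL_LAST = "192.168.71.220"

# Jon's proposed statements, copied from the thread, so they can be checked.
JON_EXACT = [
    "nat (inside) 0 192.168.71.200 255.255.255.248",
    "nat (inside) 0 192.168.71.208 255.255.255.248",
    "nat (inside) 0 192.168.71.216 255.255.255.252",
    "nat (inside) 0 192.168.71.220 255.255.255.255",
]
JON_SINGLE = ["nat (inside) 0 192.168.71.192 255.255.255.224"]


def nat_exempt_statements(first, last, interface="inside"):
    """Fewest 'nat (<if>) 0 <network> <mask>' lines that cover exactly first..last."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [f"nat ({interface}) 0 {n.network_address} {n.netmask}" for n in nets]


def covered_hosts(statements):
    """Every address matched by a list of 'nat (<if>) 0 <network> <mask>' lines."""
    hosts = set()
    for line in statements:
        _, _, _, network, mask = line.split()
        # strict=False accepts a host address paired with a wider mask, as the PIX does.
        # Iterating the network yields network and broadcast addresses too; the
        # exemption matches them just the same, so they count as exempted.
        hosts.update(ipaddress.IPv4Network(f"{network}/{mask}", strict=False))
    return hosts


def coverage_report(statements, first, last):
    """(missing, extra): pool addresses not exempted, and exempted addresses outside the pool."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    wanted = {ipaddress.IPv4Address(i) for i in range(lo, hi + 1)}
    got = covered_hosts(statements)
    missing = [str(a) for a in sorted(wanted - got)]
    extra = [str(a) for a in sorted(got - wanted)]
    return missing, extra


if __name__ == "__main__":
    for line in nat_exempt_statements(POOL_FIRST, POOL_LAST):
        print(line)
    for label, stmts in (("Jon, four lines", JON_EXACT), ("Jon, single /27", JON_SINGLE)):
        missing, extra = coverage_report(stmts, POOL_FIRST, POOL_LAST)
        print(f"{label}: missing={missing} extra={extra}")
```

The exact summary of .201-.220 needs six statements; Jon's four lines exempt one extra address (.200) and the single /27 exempts twelve, which matters because every address listed under nat 0 bypasses translation whether or not a VPN client ever holds it.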
09-26-2008 02:01 PM
Zac, sorry for the late reply, but I can see my friend Jon covered it and I do agree with his proposed nat statements. Try that and it should cover those ranges.
Rgds
Jorge