Cisco Pix 515 Network translation not working low security high security

Unanswered Question
Apr 14th, 2009

Hi Experts, I have a network translation that is not working and I am hoping one of you can help me.

I need to access 192.168.8.27 from the 192.168.5.1 network, natted to 192.168.5.88.

This server needs to seen as 192.168.5.88

This translation works as well as any other 192.168.5.x translation:

static (dmz1,dmz3) 192.168.5.21 192.168.2.21 netmask 255.255.255.255

--- This is the Only one not working --

static (dmz2,dmz3) 192.168.5.88 192.168.8.27

Is it because instead of being "(high,low)low,high" is -- "(low,high)high,low"

I tried it the other way around as well and I can not seem to reach it.

------

Pix firewall with the following interfaces:

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz1 security66

nameif ethernet3 dmz2 security33

nameif ethernet4 dmz3 security40

nameif ethernet5 dmz4 security25

ip address outside 192.168.4.1 255.255.255.0

ip address inside 192.168.1.1 255.255.255.0

ip address dmz1 192.168.2.1 255.255.254.0

ip address dmz2 192.168.8.1 255.255.255.0

ip address dmz3 192.168.5.1 255.255.255.0

ip address dmz4 192.168.6.1 255.255.255.0

I tried a permit ip any any and permit icmp any any but it seems based on debugs that is not translating correctly

Any help is appreciated.

Thank you,

Randall

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
sdoremus33 Tue, 04/14/2009 - 22:40

you could try this

static(dmz2,dmz3) 192.168.5.88 192.168.5.88 netmask 255.255.255.2585

sdoremus33 Wed, 04/15/2009 - 00:49

2585, typo should be

static(dmz2,dmz3) 192.168.5.88 192.168.5.88 netmask 255.255.255. Take care

www.itnetcr Wed, 04/15/2009 - 05:45

Hi sdoremus33,

Thanks for the help. I have one doubt,

The ip address I need to nat is on dmz2 192.168.8.1 255.255.255.0 network.

The actual ip of the box is 192.168.8.27

if I use your static how do bind the 192.168.8.27 to the 192.168.5.88?...I'm lost... the box ip was 192.168.5.88, but maybe I'm wrong

Thanks a lot!

sdoremus33 Thu, 04/16/2009 - 10:56

So if the src=192.168.8.x where the box is .27, and the dst is 192.168.5.x. The dst device needs to see the src as 192.168.5.88. This instructs the ASA device to take the org src and nat to 192.168.5.88 from the original ip src@ 192.168.8.27 to the dst @192.168.5.x. Now the dest device will see the ip packet with a sourec @192.168.5.88. This is one of the isiosyncracies in Cisco ASA/Pix devices.HTH

sdoremus33 Fri, 04/17/2009 - 13:33

Randall

Was this helpful, my thinking was to take the devive that needed to be natted which was on the .8.x subnet and present this as .5.88 on dmz3. Just curious to see if this worked out for you. Thanks and have a great day

www.itnetcr Mon, 04/20/2009 - 09:55

Hi thanks for the help.

Hi Sdoremus33,

Thanks for all your help.

I tried it yesterday and no luck.

static(dmz2,dmz3) 192.168.5.88 192.168.5.88

also tried:

static(dmz2,dmz3) 192.168.8.27 192.168.8.27 didn't work.

Cl xl, clear local-h, allowed permit ip any any to test, didn't work

I even added another pc with a fresh XP install to test if it was a pc issue, couldn't get it work.

I have a big question mark on my head on why the heck id doesn't work :-).....

Eli Barb Fri, 07/17/2009 - 10:42

Did you ever figure this out? I'm hitting my head up against a similar scenario of low security-level interface to high security-level interface static NAT not working.

interface ethernet1 100full

interface ethernet2 100full

nameif ethernet1 inside security100

nameif ethernet2 mgmtdmz security90

ip address inside 192.168.17.251 255.255.254.0

ip address mgmtdmz 172.31.0.1 255.255.255.0

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

route inside 10.0.0.0 255.0.0.0 192.168.16.1 1

route inside 172.16.0.0 255.240.0.0 192.168.16.1 1

route inside 192.168.0.0 255.255.0.0 192.168.16.1 1

access-list mgmtdmz-acl-in permit ip host 172.31.0.10 any

access-list mgmtdmz-acl-in permit icmp any any

access-list inside_access_in line 1 permit ip any host 192.168.17.254

access-list inside_access_in line 2 permit icmp any any

access-group inside_access_in in interface inside

access-group mgmtdmz-acl-in in interface mgmtdmz

static (mgmtdmz,inside) 192.168.17.254 172.31.0.10 netmask 255.255.255.255 0 0

global (outside) 10 interface

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

www.itnetcr Fri, 07/17/2009 - 12:17

No buddy, couldn't figure it out. Had to do a cheesy workaround and move the server to another dmz.

Let me know if you figure it out!

Cheers,

Randall

EBarb,

I think the problem with this is your access-lists. The first line in each one is backwards. For example, the source in the one applied to the dmz is 172.31.0.10. From an interface perspective, that should be the destination. The inside one is only permitting icmp to go from inside to anywhere because of a similar issue.

Actions

This Discussion