PIX 515 : routing issue + NAT

Unanswered Question
Oct 12th, 2009

Hi all,


I have a routing + NAT issue with my PIX 515 (v7.2.4).

Indeed, I can't reach, at the same time, my outside interface (Internet) and a subnetwork in my inside network that sits behind a router which has an IP on my inside network.

Here is my conf:


PIX Version 7.2(4)
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address Public_IP 255.255.255.248
 ospf cost 10
!
interface Ethernet1
 description Office LAN
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.10.10.254 255.255.255.0
 ospf cost 10

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface VoIP-inside
ip verify reverse-path interface DMZ

icmp unreachable rate-limit 1 burst-size 1

icmp deny any outside
icmp permit any inside

global (outside) 1 interface
global (inside) 1 interface
nat (outside) 0 access-list outside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

access-group inbound in interface outside

route outside 0.0.0.0 0.0.0.0 203.XXX.XXX.XXX 1
route inside 10.0.100.0 255.255.252.0 10.10.10.29 1


Packet tracer shows a NAT issue with the dynamic NAT policy, but I don't know why.

When I remove the dynamic NAT policy, I can reach the subnetwork but no more Internet...


Thanks

Best Regards,

Laurent

Herbert Baerten Mon, 10/12/2009 - 22:21

Laurent,

can you clarify in more detail what you are trying to achieve, maybe with an example using actual ip addresses?

Can you also include the packet-tracer output please.

tnx

Herbert

IT-Volubill Tue, 10/13/2009 - 02:10

Hi,


I want to be able to access, at the same time, the Internet (outside interface) and a subnetwork on my inside interface.

Example:

Inside network: 10.10.10.0/24
PIX inside: 10.10.10.254
IP of my router in the inside network: 10.10.10.29
Subnetwork behind my router: 10.0.100.0/24

To access outside, I have a dynamic NAT, but with this dynamic NAT enabled I can't ping the subnetwork, while I can ping google.com for example.

If I remove the dynamic NAT, then I can ping the subnetwork but I can no longer reach the Internet (ping google.com not working).

As I have IOS v7.2.4, I followed this guide: http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml#t3 but enabling intra-interface communication is not sufficient.


Regards,

Laurent

dhananjoy chowdhury Tue, 10/13/2009 - 02:24

Hi,

If it's feasible, add a static route for reaching 10.0.100.0 pointing towards 10.10.10.29 on each system on the subnet 10.10.10.0.

Herbert Baerten Tue, 10/13/2009 - 02:35

OK, assuming you are pinging from 10.10.10.x, it would be easiest to simply use 10.10.10.29 as your default gateway, so the inside-to-inside traffic does not pass the firewall.


However, if it is a requirement for this traffic to pass the fw, then I would advise to consider moving one of the inside networks to another firewall interface (if your license allows it).


Otherwise, I guess you would need something like:

no global (inside) 1 interface
global (inside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0 outside


If that does not help, could you please provide the packet-tracer output (from the CLI)?
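The two packet-tracer checks Herbert asks for, followed by his proposed NAT change laid next to the NAT lines from Laurent's posted configuration, as an added example that is not from the original thread. 10.10.10.50 stands for any inside host and 203.0.113.10 for any Internet destination (both constructed placeholders); the change is the proposal from the thread, not a confirmed fix.

```cisco
! --- 1. Trace each flow separately from the PIX CLI (PIX 7.2 syntax) ---
! Inside host to the routed subnet behind 10.10.10.29 (enters and exits "inside")
packet-tracer input inside icmp 10.10.10.50 8 0 10.0.100.10 detailed
! Same inside host to the Internet (enters "inside", exits "outside")
packet-tracer input inside icmp 10.10.10.50 8 0 203.0.113.10 detailed
! In each output, the "Phase: NAT" section shows which nat/global pair was
! matched, and the Result block ends with "Action: allow" or "Action: drop"
! plus a Drop-reason; compare the two traces to see where the inside-to-inside
! flow diverges from the Internet-bound one.

! --- 2. NAT lines as currently posted (for reference, not to be re-entered) ---
! global (outside) 1 interface
! global (inside) 1 interface
! nat (inside) 0 access-list inside_nat0_outbound
! nat (inside) 1 0.0.0.0 0.0.0.0

! --- 3. Herbert's proposal: a separate NAT ID for the inside-facing global ---
no global (inside) 1 interface
global (inside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0 outside
! Assumption: clearing existing translations after a NAT change so that the
! traces below are not answered by stale xlates
clear xlate
! Re-run both packet-tracer commands above; "show xlate" then lists the
! translations actually built for each flow.
```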
