Pix501 nat config question

Answered Question
Feb 27th, 2010

Hi Guys,

I'm new in the PIX world, now I just bought a PIX 501 firewall.. great thing.. however..

I don't get a connection with NAT to work...

I have the following situation..

outside address=192.168.1.254/24, gateway address=192.168.1.1

inside address=172.16.250.253/24

Now I use the setup wizard to configure the PIX... I want to add a dynamic NAT rule first,

but I read somewhere on the internet that the PIX is doing NAT already by default from the inside addresses to the outside adapter.

If this is true.. why can't I get any connection to the internet? I can also not ping 192.168.1.1.

For the access rules everything is still default, so permit any any..

Can somebody give me a hint?

Thanks

Correct Answer
Jon Marshall Sat, 02/27/2010 - 12:18

kennis1977 wrote:

Hi Guys,

I'm new in the PIX world, now I just bought a PIX 501 firewall.. great thing.. however..

I don't get a connection with NAT to work...

I have the following situation..

outside address=192.168.1.254/24, gateway address=192.168.1.1

inside address=172.16.250.253/24

Now I use the setup wizard to configure the PIX... I want to add a dynamic NAT rule first,

but I read somewhere on the internet that the PIX is doing NAT already by default from the inside addresses to the outside adapter.

If this is true.. why can't I get any connection to the internet? I can also not ping 192.168.1.1.

For the access rules everything is still default, so permit any any..

Can somebody give me a hint?

Thanks

The PIX by default will allow traffic from the inside to the outside but it won't automatically do NAT. You need to add this -

nat (inside) 1 172.16.250.0 255.255.255.0

global (outside) 1 interface

This will NAT all source addresses of 172.16.250.x to the outside interface address, i.e. 192.168.1.254.

A couple of additional things -

1) you will need to allow ICMP, i.e. ping, back in on the outside interface because ICMP is not stateful

2) 192.168.1.254 is still not an internet routable address but I'm assuming either

i) you have changed the IP address for this post

or

ii) your traffic is NATted again somewhere upstream

Jon

kennis1977 Sun, 02/28/2010 - 04:58

Hi Jon,

Thanks for your reply!!

Ok... so I still need to configure NAT.. I will try that first..

And indeed the address 192.168.1.254 is a gateway that is also NATting to the outside internet (this is a DSL modem).

Before I had just a router that was NATting also behind this modem and this was working as well. So NAT behind NAT...

I just want to replace the router with the PIX.

I'll give you a reply back if it's going to work... thanks

Ken

kennis1977 Sun, 02/28/2010 - 06:10

Hi Jon,

I tried the config on my PIX and it works!!!! GREAT..

However I still have one question...

We also talked about allowing ICMP from the outside to the inside network..

When I'm making an access rule that permits ICMP packets from the outside to the inside network, it also asks for a NAT rule to define.. (logical)

but when I insert this NAT rule... it's not going right... I can still not ping, and also my connection to the outside world is gone...

Can you perhaps give me again an example of how to configure it..? That would be great....

Thanks again...

Kureli Sankar Sun, 02/28/2010 - 13:00

I am clear as to what you are trying to configure now.

When the inside to outside access works, adding ICMP to be allowed on the outside ACL breaks inside to outside access?

Need the output of

sh nat

sh access-group

sh access-list | i icmp

-KS

kennis1977 Sun, 02/28/2010 - 13:34

Ehhm, when I add a new rule to permit ICMP from the outside to the inside network, I cannot access the internet anymore....

But the rule any any that is defined now, can you just edit this one for some ports? Or do I have to make a new one then.. and remove the any any rule?

Anyway... here is my sh nat:

nat (inside) 1 172.16.250.0 255.255.255.0 0 0

sh access-group is nothing...

sh access-list | i icmp: is also nothing...

Correct Answer
Kureli Sankar Sun, 02/28/2010 - 19:06

Jon had given you the following:

nat (inside) 1 172.16.250.0 255.255.255.0

global (outside) 1 interface

Now if you want to allow ICMP then you need an access-list line and then an access-group line to apply the access-list to the outside interface.

access-list outside-acl permit icmp any any

access-group outside-acl in int outside

Once done you can ping from the inside and get a response. Make sure the inside is higher level security than the outside.

-KS

kennis1977 Mon, 03/01/2010 - 05:42

Ok, makes sense...

I'm going to try this... thanks, I'll keep you posted...

kennis1977 Wed, 03/03/2010 - 10:19

Hi,

Great again!!! This is also working...

I think I can use the same rule with all different ports from the outside network..?

Thanks for your help all...

kennis1977 Fri, 03/05/2010 - 10:49

Ah one more question...

Ok... so I now have a dynamic NAT rule for my host on the inside.. great...

However I also want to open some ports to access from the outside (like www for example).

I found on the internet some rules for how to do it:

where the x.x.x.x is my outside IP address

access-list outside_access_in permit tcp any host x.x.x.x eq 80

static (inside,outside) x.x.x.x 172.16.250.24 netmask 255.255.255.255 0 0

This is working also... but then it's only possible to go to the internet from IP address 172.16.250.24

and all the others are blocked...

So do I always need a static NAT rule when I want to open a port from the outside? Or can I do it differently as well?

Thanks

Correct Answer
Kureli Sankar Fri, 03/05/2010 - 11:06

You cannot do this

static (inside,outside) x.x.x.x 172.16.250.24 netmask 255.255.255.255 0 0

Please change that line to this

static (inside,outside) tcp interface 80 172.16.250.24 80 netmask 255.255.255.255 0 0  --> static pat

If you use the IP address of the outside interface and do a 1-1 NAT instead of PAT, you will see what you are seeing.

-KS
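As an added illustration (not from the thread, Cisco or PIX code), a small Python model of how the PIX picks a translation for an outbound packet: statics are checked before the dynamic nat/global pair, so a 1:1 static that claims the outside interface address (Ken's first attempt) leaves no PAT address for any other inside host, while KS's static PAT reserves only tcp/80 and lets the dynamic PAT keep working. The second host 172.16.250.50 and the PAT port numbering are constructed for the model.

```python
"""Model of PIX 6.x xlate lookup, constructed for this thread (not PIX code):
statics are matched before the dynamic nat/global pair, so a 1:1 static that
claims the outside interface address starves every other inside host of PAT."""
from dataclasses import dataclass, field
from typing import Optional

OUTSIDE_IF = "192.168.1.254"   # outside interface address from the thread

@dataclass
class Static:
    global_ip: str
    local_ip: str
    proto: Optional[str] = None  # None: 1:1 static for every protocol and port
    port: Optional[int] = None   # static PAT: same port on both sides (80 <-> 80)

@dataclass
class PixNat:
    statics: list = field(default_factory=list)
    inside_net: str = "172.16.250."  # nat (inside) 1 172.16.250.0 255.255.255.0
    global_ip: str = OUTSIDE_IF      # global (outside) 1 interface
    next_pat_port: int = 1024        # next free port for dynamic PAT

    def xlate(self, src_ip: str, proto: str, sport: int):
        """Translated (global_ip, port) for an inside source, or None (dropped)."""
        for s in self.statics:
            if s.local_ip != src_ip:
                continue
            if s.proto is None:                        # 1:1 static: all ports
                return (s.global_ip, sport)
            if s.proto == proto and s.port == sport:   # static PAT: one port
                return (s.global_ip, s.port)
        if not src_ip.startswith(self.inside_net):
            return None                                # not covered by nat (inside) 1
        # dynamic PAT onto the global address, unless a 1:1 static owns it outright
        if any(s.global_ip == self.global_ip and s.proto is None for s in self.statics):
            return None
        port, self.next_pat_port = self.next_pat_port, self.next_pat_port + 1
        return (self.global_ip, port)

def broken_vs_fixed():
    """Both statics from the thread, tried for the web server and another host."""
    one_to_one = PixNat(statics=[Static(OUTSIDE_IF, "172.16.250.24")])
    static_pat = PixNat(statics=[Static(OUTSIDE_IF, "172.16.250.24", "tcp", 80)])
    server, other = "172.16.250.24", "172.16.250.50"  # constructed inside hosts
    return {
        "1to1_server": one_to_one.xlate(server, "tcp", 80),
        "1to1_other": one_to_one.xlate(other, "tcp", 40000),  # None: blocked
        "pat_server": static_pat.xlate(server, "tcp", 80),
        "pat_other": static_pat.xlate(other, "tcp", 40000),   # dynamic PAT works
    }
```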

kennis1977 Fri, 03/05/2010 - 11:36

You're really great!!! hahahaha

Works again..... perfect!!!

Thanks for your reply....
