2649 Views, 0 Helpful, 11 Replies

PIX 501 NAT config question

kennis1977
Level 1

Hi Guys,

I'm new in the PIX world; I just bought a PIX 501 firewall... great thing... however...

I can't get a connection with NAT to work...

I have the following situation:

outside address = 192.168.1.254/24, gateway address = 192.168.1.1

inside address = 172.16.250.253/24

Now I use the setup wizard to configure the PIX... I want to add a dynamic NAT rule first,

but I read somewhere on the internet that the PIX is already doing NAT by default from the inside addresses to the outside adapter.

If this is true, why can't I get any connection to the internet? I also cannot ping 192.168.1.1.

As for the access rules, everything is still default, so permit any any...

Can somebody give me a hint?

Thanks

3 Accepted Solutions (posts by Jon Marshall and KS, shown in the thread below)

11 Replies

Jon Marshall
Hall of Fame


PIX by default will allow traffic from the inside to the outside, but it won't automatically do NAT. You need to add this:

nat (inside) 1 172.16.250.0 255.255.255.0

global (outside) 1 interface

This will NAT all source addresses of 172.16.250.x to the outside interface address, i.e. 192.168.1.254.

A couple of additional things:

1) You will need to allow ICMP, i.e. ping, back in on the outside interface because ICMP is not stateful.

2) 192.168.1.254 is still not an internet-routable address, but I'm assuming either

i) you have changed the IP address for this post

or

ii) your traffic is NATed again somewhere upstream.

Jon

Hi Jon,

Thanks for your reply!!

OK... so I still need to configure NAT... I will try that first...

And indeed the address 192.168.1.254 is a gateway that is also NATing to the outside internet (this is a DSL modem).

Before, I just had a router that was also NATing behind this modem, and this was working as well. So NAT behind NAT...

I just want to replace the router with the PIX.

I'll give you a reply back if it's going to work... thanks

Ken

Hi Jon,

I tried the config on my PIX and it works!!!! GREAT..

However, I still have one question...

We also talked about allowing ICMP from the outside to the inside network...

When I'm making an access rule that permits ICMP packets from the outside to the inside network, it also asks for a NAT rule to define... (logical)

but when I insert this NAT rule... it's not going right... I still cannot ping, and also my connection to the outside world is gone...

Can you perhaps give me again an example of how to configure it? That would be great....

Thanks again...

I am clear as to what you are trying to configure now.

When the inside to outside access works, adding icmp to be allowed on the outside acl breaks inside to outside access?

Need the output of

sh nat

sh access-group

sh access-list | i icmp

-KS

Ehm, when I add a new rule to permit ICMP from the outside to the inside network, I cannot access the internet anymore....

But the rule any any that is defined now, can you just edit this one for some ports? Or do I have to make a new one then, and remove the any any rule?

Anyway... here is my sh nat:

nat (inside) 1 172.16.250.0 255.255.255.0 0 0

sh access-group shows nothing...

sh access-list | i icmp also shows nothing...

Jon had given you the following:

nat (inside) 1 172.16.250.0 255.255.255.0

global (outside) 1 interface

Now if you want to allow ICMP then you need an access-list line and then an access-group line to apply the access-list to the outside interface.

access-list outside-acl permit icmp any any

access-group outside-acl in int outside

Once done you can ping from the inside and get a response. Make sure the inside is a higher security level than the outside.

-KS
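To see exactly what the outside ACL above admits, here is an added example that is not part of this thread and not Cisco code: a small Python model of PIX first-match ACL evaluation for packets arriving on the outside interface. It assumes PIX 6.x-style lines (`access-list NAME permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]`, `access-group NAME in interface IFACE`), treats ICMP as stateless exactly as Jon's reply says, and does not model the stateful return path for TCP/UDP. The addresses in the sample packets other than the two from the question are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    """A constructed sample packet as seen arriving on the outside interface."""
    proto: str                        # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None       # TCP/UDP destination port
    icmp_type: Optional[str] = None   # "echo", "echo-reply", ...


@dataclass
class Ace:
    """One access-list entry, already parsed into networks."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    icmp_type: Optional[str]


def _addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse a PIX address term (any | host A | NET MASK) at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_acl(config: str) -> Tuple[Dict[str, List[Ace]], Dict[str, str]]:
    """Return ({acl name: [Ace, ...]}, {interface: acl name}) from access-list/access-group lines."""
    acls: Dict[str, List[Ace]] = {}
    bindings: Dict[str, str] = {}
    for line in config.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list":
            name, action, proto = tok[1], tok[2], tok[3]
            src, i = _addr(tok, 4)
            dst, i = _addr(tok, i)
            dport = icmp_type = None
            if i < len(tok):
                if tok[i] == "eq":
                    dport = int(tok[i + 1])
                elif proto == "icmp":
                    icmp_type = tok[i]          # e.g. echo-reply
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport, icmp_type))
        elif tok[0] == "access-group":
            # access-group NAME in interface IFACE ("int" abbreviation accepted, as in the thread)
            bindings[tok[-1]] = tok[1]
    return acls, bindings


def inbound_allowed(config: str, iface: str, pkt: Packet) -> bool:
    """First-match decision for a packet with no existing connection state entering iface.

    With no access-group bound, the PIX denies traffic entering a lower-security
    interface, which is why the echo reply never came back in the thread.
    Every ACL ends with an implicit deny.
    """
    acls, bindings = parse_acl(config)
    name = bindings.get(iface)
    if name is None:
        return False
    for ace in acls.get(name, []):
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in ace.src:
            continue
        if ipaddress.ip_address(pkt.dst) not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
            continue
        return ace.action == "permit"
    return False


# Constructed sample configurations: the ACL from the thread, and a narrower one.
THREAD_ACL = """
access-list outside-acl permit icmp any any
access-group outside-acl in int outside
"""
REPLY_ONLY_ACL = """
access-list outside-acl permit icmp any any echo-reply
access-group outside-acl in int outside
"""
# The gateway's reply to an inside host's ping, arriving at the PIX outside address.
PING_REPLY = Packet("icmp", "192.168.1.1", "192.168.1.254", icmp_type="echo-reply")
# An unsolicited echo request from some other outside address (constructed).
UNSOLICITED_PING = Packet("icmp", "192.168.1.77", "192.168.1.254", icmp_type="echo")

if __name__ == "__main__":
    for label, cfg in (("no ACL", ""), ("thread ACL", THREAD_ACL), ("echo-reply only", REPLY_ONLY_ACL)):
        print(f"{label:16} reply={inbound_allowed(cfg, 'outside', PING_REPLY)} "
              f"unsolicited={inbound_allowed(cfg, 'outside', UNSOLICITED_PING)}")
```

The third configuration is the one a defender would normally prefer: `permit icmp any any` lets the ping replies back in, but it also admits unsolicited echo requests from the outside, whereas `permit icmp any any echo-reply` keeps the replies and drops the probes. Inbound TCP with no matching entry is still denied by the implicit deny, independent of the ICMP line.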

OK, makes sense...

I'm going to try this... thanks, I'll keep you posted...

Hi,

Great again!!! This is also working...

I think I can use the same rule with all different ports from the outside network?

Thanks for your help, all...

Ah, one more question...

OK... so I now have a dynamic NAT rule for my hosts on the inside... great...

However, I also want to open some ports for access from the outside (like www, for example).

I found some rules on the internet on how to do it:

where x.x.x.x is my outside IP address

access-list outside_access_in permit tcp any host x.x.x.x eq 80

static (inside,outside) x.x.x.x 172.16.250.24 netmask 255.255.255.255 0 0

This is working also... but then it's only possible to go to the internet from IP address 172.16.250.24,

and all the others are blocked...

So do I always need a static NAT rule when I want to open a port from the outside? Or can I also do it differently?

Thanks

You cannot do this

static (inside,outside) x.x.x.x 172.16.250.24 netmask 255.255.255.255 0 0

Please change that line to this:

static (inside,outside) tcp interface 80 172.16.250.24 80 netmask 255.255.255.255 0 0  --> static PAT

If you use the IP address of the outside interface and do a 1-1 NAT instead of PAT, you will see what you are seeing.

-KS
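Why the 1:1 static on the interface address cuts off every other inside host, and why the static PAT line does not, is easier to see in an added Python model of the PIX translation rules (example code written for this page, not from the thread or from Cisco). It assumes the outside interface address is 192.168.1.254 as in the question (standing in for x.x.x.x), models only new connections with no existing xlate, and reproduces the behaviour the thread describes: an address owned by a 1:1 static can no longer serve as the PAT address of a `global ... interface`. The inside host 172.16.250.10 is a constructed sample; access-list filtering is a separate step and is not modelled here.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

OUTSIDE_IF_IP = "192.168.1.254"   # PIX outside address from the question; stands in for x.x.x.x


@dataclass
class Static:
    """A static (inside,outside) entry: 1:1 when proto is None, static PAT otherwise."""
    mapped: str
    real: str
    proto: Optional[str] = None
    mport: Optional[int] = None
    rport: Optional[int] = None

    @property
    def is_pat(self) -> bool:
        return self.proto is not None


@dataclass
class NatPolicy:
    nat_rules: List[Tuple[int, ipaddress.IPv4Network]] = field(default_factory=list)
    globals: Dict[int, str] = field(default_factory=dict)     # nat id -> mapped address
    statics: List[Static] = field(default_factory=list)


def parse_nat(config: str, outside_ip: str = OUTSIDE_IF_IP) -> NatPolicy:
    """Parse nat / global / static lines in PIX 6.x syntax; trailing connection limits are ignored."""
    p = NatPolicy()
    for line in config.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nat":            # nat (inside) ID NET MASK [max_conns emb_limit]
            p.nat_rules.append((int(t[2]), ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)))
        elif t[0] == "global":       # global (outside) ID interface|ADDR
            p.globals[int(t[2])] = outside_ip if t[3] == "interface" else t[3]
        elif t[0] == "static" and t[2] in ("tcp", "udp"):
            # static (inside,outside) tcp|udp MAPPED MPORT REAL RPORT netmask ...
            mapped = outside_ip if t[3] == "interface" else t[3]
            p.statics.append(Static(mapped, t[5], t[2], int(t[4]), int(t[6])))
        elif t[0] == "static":
            # static (inside,outside) MAPPED REAL netmask ...
            mapped = outside_ip if t[2] == "interface" else t[2]
            p.statics.append(Static(mapped, t[3]))
    return p


def outbound_xlate(config: str, src_ip: str) -> Optional[str]:
    """Mapped source address for a new outbound connection from src_ip, or None if none is usable."""
    p = parse_nat(config)
    for s in p.statics:
        if not s.is_pat and s.real == src_ip:
            return s.mapped                  # a 1:1 static takes precedence over nat/global
    # A 1:1 static owns its mapped address completely, so a global naming the same
    # address can no longer hand out PAT ports: the failure described in the thread.
    owned = {s.mapped for s in p.statics if not s.is_pat}
    for nat_id, net in p.nat_rules:
        if ipaddress.ip_address(src_ip) in net:
            mapped = p.globals.get(nat_id)
            return None if mapped is None or mapped in owned else mapped
    return None


def inbound_target(config: str, proto: str, dst_ip: str, dport: int) -> Optional[Tuple[str, int]]:
    """Real host and port reached by a new inbound connection to dst_ip:dport, or None."""
    p = parse_nat(config)
    for s in p.statics:
        if s.mapped != dst_ip:
            continue
        if s.is_pat:
            if s.proto == proto and s.mport == dport:
                return (s.real, s.rport)     # only this one protocol/port is forwarded
        else:
            return (s.real, dport)           # every protocol and port lands on the real host
    return None


# Constructed configurations: the one the question tried, and KS's correction.
ONE_TO_ONE = """
nat (inside) 1 172.16.250.0 255.255.255.0 0 0
global (outside) 1 interface
static (inside,outside) 192.168.1.254 172.16.250.24 netmask 255.255.255.255 0 0
"""
STATIC_PAT = """
nat (inside) 1 172.16.250.0 255.255.255.0 0 0
global (outside) 1 interface
static (inside,outside) tcp interface 80 172.16.250.24 80 netmask 255.255.255.255 0 0
"""

if __name__ == "__main__":
    for label, cfg in (("1:1 static", ONE_TO_ONE), ("static PAT", STATIC_PAT)):
        print(label, "| .24 out:", outbound_xlate(cfg, "172.16.250.24"),
              "| .10 out:", outbound_xlate(cfg, "172.16.250.10"),
              "| in tcp/80:", inbound_target(cfg, "tcp", OUTSIDE_IF_IP, 80),
              "| in tcp/22:", inbound_target(cfg, "tcp", OUTSIDE_IF_IP, 22))
```

The model also shows the exposure difference: with the 1:1 static every inbound port on the interface address maps onto 172.16.250.24, so only the access-list stands between the outside and the host's other services, while the static PAT line forwards tcp/80 alone and everything else has no translation at all. For the ports the follow-up question asks about, each one needs its own static PAT line plus a matching access-list entry.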

You're really great!!! hahahaha

Works again..... perfect!!!

Thanks for your reply....
