02-27-2010 10:22 AM - edited 03-11-2019 10:15 AM
Hi Guys,
I'm new in the pix world, now I just bought a pix501 firewall.. great thing.. however..
I can't get a connection with NAT to work...
I have the following situation..
outside address = 192.168.1.254/24, gateway address = 192.168.1.1
inside address = 172.16.250.253/24
Now I use the setup wizard to configure the pix... I want to add a dynamic NAT rule first
but I read somewhere on the internet that the pix is already doing NAT by default from the inside
addresses to the outside adapter.
If this is true.. why can't I get any connection to the internet? I also can't ping 192.168.1.1.
As for the access rules, everything is still default, so permit any any..
Can somebody give me a hint?
Thanks
02-27-2010 12:18 PM
Pix by default will allow traffic from the inside to the outside but it won't automatically do NAT. You need to add this -
nat (inside) 1 172.16.250.0 255.255.255.0
global (outside) 1 interface
this will NAT all source addresses of 172.16.250.x to the outside interface address, i.e. 192.168.1.254.
Couple of additional things -
1) you will need to allow ICMP, i.e. ping, back in on the outside interface because ICMP is not stateful
2) 192.168.1.254 is still not an internet routable address but I'm assuming either
i) you have changed the IP address for this post
or
ii) your traffic is NATted again somewhere upstream
Jon
02-28-2010 04:58 AM
Hi Jon,
Thanks for your reply!!
Ok... so I still need to configure NAT.. I will try that first..
and indeed the address 192.168.1.254 is a gateway that is also NATting to the outside internet (this is a DSL modem).
Before I had just a router that was also NATting behind this modem and this was working too. so NAT behind NAT...
I just want to replace the router with the pix.
I'll give you a reply back if it's going to work... thanks
Ken
02-28-2010 06:10 AM
Hi Jon,
I tried the config on my pix and it works!!!! GREAT..
However I still have one question...
we also talked about allowing icmp from the outside to the inside network..
When I'm making an access rule that permits icmp packets from the outside to the inside network it also asks for a NAT rule to define.. (logical)
but when I insert this NAT rule... it's not going right... I still can't ping and also my connection to the outside world is gone...
Can you perhaps give me again an example of how to configure it..? That would be great....
Thanks again...
02-28-2010 01:00 PM
I am clear as to what you are trying to configure now.
When the inside to outside access works, adding icmp to be allowed on the outside acl breaks inside to outside access?
Need the output of
sh nat
sh access-group
sh access-list | i icmp
-KS
02-28-2010 01:34 PM
ehhm when I add a new rule to permit icmp from the outside to the inside network, I cannot access the internet anymore....
but the rule any any that is defined now, can you just edit this one for some ports? or do I have to make a new one then.. and remove the any any rule?
anyway... here is my sh nat:
nat (inside) 1 172.16.250.0 255.255.255.0 0 0
sh access-group shows nothing...
sh access-list | i icmp: also nothing...
02-28-2010 07:06 PM
Jon had given you the following:
nat (inside) 1 172.16.250.0 255.255.255.0
global (outside) 1 interface
Now if you want to allow icmp then you need an access-list line and then an access-g line to apply the access-list to the outside interface.
access-list outside-acl permit icmp any any
access-group outside-acl in int outside
Once done you can ping from the inside and get a response. Make sure the inside is higher level security than the outside.
-KS
03-01-2010 05:42 AM
Ok, makes sense...
I'm going to try this... thanks, I'll keep you posted...
03-03-2010 10:19 AM
Hi,
Great again!!! This is also working...
I think I can use the same rule with all different ports from the outside network..?
Thanks for your help all...
03-05-2010 10:49 AM
Ah one more question...
Ok... so I now have a dynamic NAT rule for my host on the inside.. great...
however I also want to open some ports for access from the outside (like www for example)
I found on the internet some rules on how to do it:
where the x.x.x.x is my outside ip address
access-list outside_access_in permit tcp any host x.x.x.x eq 80
static (inside,outside) x.x.x.x 172.16.250.24 netmask 255.255.255.255 0 0
This is also working... but then it's only possible to go to the internet from ip address 172.16.250.24
and all the others are blocked...
so do I always need a static NAT rule when I want to open a port from the outside? or can I do it differently?
Thanks
03-05-2010 11:06 AM
You cannot do this
static (inside,outside) x.x.x.x 172.16.250.24 netmask 255.255.255.255 0 0
please change that line to this
static (inside,outside) tcp interface 80 172.16.250.24 80 netmask 255.255.255.255 0 0 --> static pat
If you use the IP address of the outside interface and do a 1-1 NAT instead of PAT, you will see what you are seeing.
-KS
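An added check, not code from the thread or from Cisco, that lints a PIX 6.x-style config for the three pitfalls raised in this thread: a nat line with no global of the same id (Jon's point), no ICMP permit applied inbound on the outside (KS's first reply), and a 1-1 static on the outside interface address that takes the PAT address away from every other inside host (KS's reply just above). The config samples are constructed, and the regexes assume the command forms shown in the thread.

```python
import re

# Constructed sample (not a capture from the thread): the poster's state right
# after adding the 1-1 static that cut off internet access for the other hosts.
BROKEN_CONFIG = """
ip address outside 192.168.1.254 255.255.255.0
ip address inside 172.16.250.253 255.255.255.0
nat (inside) 1 172.16.250.0 255.255.255.0 0 0
global (outside) 1 interface
access-list outside_access_in permit tcp any host 192.168.1.254 eq 80
access-group outside_access_in in interface outside
static (inside,outside) 192.168.1.254 172.16.250.24 netmask 255.255.255.255 0 0
"""

# Same box with KS's two corrections: icmp permitted inbound, static PAT on port 80.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "static (inside,outside) 192.168.1.254 172.16.250.24",
    "static (inside,outside) tcp interface 80 172.16.250.24 80",
) + "access-list outside_access_in permit icmp any any\n"

def lint_pix(config):
    """Return findings for the three pitfalls in the thread; [] means clean."""
    outside_ip, nat_ids, global_ids = None, set(), set()
    icmp_acls, applied_acls, one_to_one = set(), set(), []
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"ip address outside (\S+)", line):
            outside_ip = m.group(1)
        elif m := re.match(r"nat \(inside\) (\d+)\b", line):
            nat_ids.add(m.group(1))
        elif m := re.match(r"global \(outside\) (\d+)\b", line):
            global_ids.add(m.group(1))
        elif m := re.match(r"access-list (\S+) permit icmp\b", line):
            icmp_acls.add(m.group(1))
        elif m := re.match(r"access-group (\S+) in int(?:erface)? outside$", line):
            applied_acls.add(m.group(1))
        elif line.startswith("static (inside,outside) "):
            toks = line.split()
            if toks[2] not in ("tcp", "udp"):   # port-level static PAT is fine
                one_to_one.append(toks[2])      # mapped address of a 1-1 static
    findings = []
    # nat with no global of the same id translates nothing (nat 0 needs none)
    for nid in sorted(nat_ids - global_ids - {"0"}):
        findings.append(f"nat (inside) {nid} has no matching global (outside) {nid}")
    if not icmp_acls & applied_acls:            # PIX 6.x does not track ICMP state
        findings.append("no icmp permit applied inbound on outside; pings get no reply")
    for mapped in one_to_one:                   # 1-1 static on the PAT address steals it
        if mapped in (outside_ip, "interface"):
            findings.append(f"1-1 static on outside address {mapped}: other inside "
                            "hosts lose PAT; use static PAT per port instead")
    return findings
```

Run `lint_pix` on `show running-config` output pasted into a string; on the broken sample it reports the missing ICMP permit and the 1-1 static, and on the fixed sample it reports nothing.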
03-05-2010 11:36 AM
You're really great!!! hahahaha
Works again..... perfect!!!
Thanks for your reply....