Why is this router-pix setup only partially working?


Hello,


I am probably missing some finer point of either NAT or routing here. Here's the setup:



(Internet)---T1---(1601)---192.168.1.0/24---(pix)---172.16.1.0/24---(3com Netbuilder II router)---10.x.x.x/16 customer subnets



Here is the problem: look at the configs below; notice I have a bunch of static NAT maps to 10.x.x.x machines that are servers for the customer. There is also one map to 172.16.1.2, which is to give telnet access to the netbuilder from outside.



From the 1601, you cannot ping the 172.16.1.2 address at all. You also can't ping about 5 of 10.x.x.x hosts in the static maps.



All the static maps are allowed through the PIX unrestricted. From the PIX, you can ping any of those static maps fine, including the netbuilder 172.16.1.2 interface.



I chose to put all the NAT on the 1601; was this a bad move? Why can only some of the addresses be reached from the 1601?


Thanks for your help - Patrick




(1601)#wr t
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname (deleted)
!
enable secret (deleted)
enable password (deleted)
!
ip subnet-zero
!
!
!
interface Ethernet0
 ip address (T1 public point to point #2) 192.168.1.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
interface Serial0
 mtu 4500
 ip address (T1 point to point public ip #2) 255.255.255.252
 no ip directed-broadcast
 ip nat outside
 encapsulation ppp
!
ip nat pool patip (public #1) (public #1) netmask 255.255.255.240
ip nat inside source list 1 pool patip overload
ip nat inside source static 10.180.0.40 (public #2)
ip nat inside source static 10.170.0.18 (public #4)
ip nat inside source static 10.170.0.2 (public #5)
ip nat inside source static 10.170.0.27 (public #3)
ip nat inside source static 10.170.0.7 (public #7)
ip nat inside source static 10.170.0.8 (public #9)
ip nat inside source static 10.170.0.29 (public #10)
ip nat inside source static 10.170.0.251 (public #12)
ip nat inside source static 10.170.0.252 (public #13)
ip nat inside source static 10.170.0.9 (public #14)
ip nat inside source static 10.170.0.190 (public #15)
ip nat inside source static 10.140.0.251 (public #6)
ip nat inside source static 172.16.1.2 (public #11)
ip classless
ip route 0.0.0.0 0.0.0.0 (t1 public ip point to point #1)
ip route 10.0.0.0 255.0.0.0 192.168.1.2
ip route 172.16.1.0 255.255.255.0 192.168.1.2
!
access-list 1 deny 10.170.0.190
access-list 1 deny 10.170.0.251
access-list 1 deny 10.170.0.252
access-list 1 deny 10.140.0.251
access-list 1 deny 10.180.0.40
access-list 1 deny 10.170.0.2
access-list 1 deny 10.170.0.7
access-list 1 deny 10.170.0.8
access-list 1 deny 10.170.0.9
access-list 1 deny 10.170.0.18
access-list 1 deny 10.170.0.27
access-list 1 deny 10.170.0.29
access-list 1 deny 172.16.1.2
access-list 1 permit any
!
line con 0
 transport input none
line 1
line vty 0 4
 password (deleted)
 login
!
end

pixfirewall(config)# wr t
Building configuration...
: Saved
:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password (deleted) encrypted
passwd (deleted) encrypted
hostname pixfirewall
domain-name customer
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_in permit ip any host 10.170.0.2
access-list acl_in permit ip any host 10.170.0.8
access-list acl_in permit ip any host 10.180.0.40
access-list acl_in permit ip any host 10.170.0.18
access-list acl_in permit ip any host 10.170.0.27
access-list acl_in permit ip any host 10.170.0.7
access-list acl_in permit ip any host 10.170.0.29
access-list acl_in permit ip any host 10.170.0.251
access-list acl_in permit ip any host 10.170.0.252
access-list acl_in permit ip any host 10.170.0.9
access-list acl_in permit ip any host 10.170.0.190
access-list acl_in permit ip any host 10.140.0.251
access-list acl_in permit ip any host 172.16.1.2
access-list acl_in permit icmp any any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.2 255.255.255.0
ip address inside 172.16.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group acl_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 10.0.0.0 255.0.0.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:2cd52cc75a5cc5c22240c30fea0fbd78
: end
[OK]
pixfirewall(config)#


mhussein Mon, 03/11/2002 - 11:13

In the PIX, a "global" or "static" command is needed to make the inside hosts (10.x.x.x) visible outside. I'm not sure how it is possible to ping any 10.x.x.x host at all without proper global/static translation by the PIX.

Anyway, try using a static command for one host (preferably a host that cannot be pinged), e.g.:


static (inside,outside) 10.170.0.190 10.170.0.190 netmask 255.255.255.255 0 0


Regards ...

Yes, I follow what you are saying. What I ended up doing was taking the NAT off of the 1601 and moving it over to the PIX, with the appropriate global/static (inside,outside) maps. Everything worked fine after that. I would like to know, however, why I could ping some of the 10.x.x.x hosts from the 1601 that were mapped in the original 1601 config above, and not others? If anyone has a definitive answer, please let me know. I would like to know for the sake of argument how it could be done if you chose to not do NAT on the PIX to private addresses behind the PIX.
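The reply above says each router-mapped host also needs a static on the PIX. As an added example (not posted by anyone in this thread), here is a small Python script that cross-checks the 1601's static NAT maps against its PAT exclusion list and against the PIX's acl_in and static entries, and reports what each host is missing. The embedded configs are a constructed excerpt of the two dumps above, trimmed to three hosts; one PIX static is added and one access-list 1 deny is dropped on purpose so that every check has something to report.

```python
import re

# Constructed excerpt of the two configs posted in the thread, trimmed to three
# hosts; one PIX static is added and one access-list 1 deny is dropped on purpose
# so that each check below has something to report.
ROUTER_CFG = """\
ip nat inside source static 10.180.0.40 (public #2)
ip nat inside source static 10.170.0.18 (public #4)
ip nat inside source static 172.16.1.2 (public #11)
access-list 1 deny 10.180.0.40
access-list 1 deny 10.170.0.18
access-list 1 permit any
"""
PIX_CFG = """\
access-list acl_in permit ip any host 10.180.0.40
access-list acl_in permit ip any host 10.170.0.18
access-list acl_in permit ip any host 172.16.1.2
access-list acl_in permit icmp any any
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.170.0.18 10.170.0.18 netmask 255.255.255.255 0 0
access-group acl_in in interface outside
"""

# Router side: hosts with a one-to-one map, and hosts kept out of the PAT pool.
ROUTER_STATIC = re.compile(r"^ip nat inside source static (\S+) ")
ROUTER_DENY = re.compile(r"^access-list 1 deny (\S+)")
# PIX side: hosts the outside ACL admits, and hosts with a static translation
# (syntax "static (inside,outside) <global> <local>"; the local host is captured).
PIX_PERMIT = re.compile(r"^access-list acl_in permit \S+ any host (\S+)")
PIX_STATIC = re.compile(r"^static \(inside,outside\) \S+ (\S+) ")


def hosts(pattern, cfg):
    """Collect the address captured by pattern from every matching config line."""
    return {m.group(1) for m in map(pattern.match, map(str.strip, cfg.splitlines())) if m}


def audit(router_cfg, pix_cfg):
    """For each host the router maps statically, list the checks it fails (in IP order)."""
    mapped = hosts(ROUTER_STATIC, router_cfg)
    checks = [
        (hosts(ROUTER_DENY, router_cfg), "not excluded from the PAT pool by access-list 1"),
        (hosts(PIX_PERMIT, pix_cfg), "no acl_in permit on the PIX"),
        (hosts(PIX_STATIC, pix_cfg), "no static (inside,outside) on the PIX"),
    ]
    by_ip = lambda h: tuple(int(o) for o in h.split("."))
    return {host: [msg for group, msg in checks if host not in group]
            for host in sorted(mapped, key=by_ip)}


if __name__ == "__main__":
    for host, problems in audit(ROUTER_CFG, PIX_CFG).items():
        print(host, "OK" if not problems else "; ".join(problems))
```

Run against the full dumps as posted, every one of the 13 mapped hosts would get the third finding, since the PIX config above contains no static commands at all.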


