08-09-2014 11:37 PM - edited 03-11-2019 09:36 PM
Dear All,
Router facing Internet >>>>>>>>>Switch>>>>>> (Outside Interface) CISCO PIX 525 (Inside Interface)>>>>>>Core Access Switch
Facing issues accessing a URL from the PIX firewall: NATing didn't work at all, and I am even unable to traceroute the IP of the URL from the firewall console itself.
But the URL can be accessed by connecting the network directly to the switch, using a public IP address on the switch interface.
I have also cleared xlate and refreshed all the rules.
Can someone advise (expert advice is required)? I'll share the conf if required.
Regards,
Waqas
08-10-2014 05:00 AM
Hi Waqas,
The problem should be either with the access-list or with NAT. Could you please share your configuration so that I can try to help you out?
Regards
Karthik
08-10-2014 06:13 AM
08-10-2014 06:41 AM
Hi Waqas,
You have the right ACL set for the destination:
access-list acl_inside extended permit ip 10.1.40.0 255.255.254.0 208.109.0.0 255.255.0.0 log
But if you look at the NAT ACL for no-NAT, you have included the subnet 208.109.0.0. Give the command mentioned below and check; Internet access should work:
no access-list inside_nat0_outbound extended permit ip 10.1.40.0 255.255.254.0 208.109.0.0 255.255.0.0
Otherwise any traffic from 10.1.40.0 to that subnet will be exempted from NATing, so you won't get Internet access to it.
So remove the no-NAT statement as I said above and try.
Regards
Karthik
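To make the point above concrete, here is an added example (not from the thread or from Cisco) that parses PIX-style `nat 0 access-list`, `nat 1` and `access-list` lines and reports which NAT path a flow takes. The config text is a constructed sample built from the lines quoted in the thread, not the poster's full configuration.

```python
import ipaddress

# Constructed sample config (only the lines discussed in the thread).
CONFIG = """
access-list acl_inside extended permit ip 10.1.40.0 255.255.254.0 208.109.0.0 255.255.0.0 log
access-list inside_nat0_outbound extended permit ip 10.1.40.0 255.255.254.0 208.109.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.1.40.0 255.255.254.0
global (outside) 1 interface
"""

def parse_acl(config, name):
    """Return (src_net, dst_net) pairs for 'permit ip' entries of the named ACL."""
    entries = []
    for line in config.splitlines():
        p = line.split()
        if p[:2] == ["access-list", name] and p[2:5] == ["extended", "permit", "ip"]:
            src = ipaddress.ip_network(f"{p[5]}/{p[6]}", strict=False)  # net + mask form
            dst = ipaddress.ip_network(f"{p[7]}/{p[8]}", strict=False)
            entries.append((src, dst))
    return entries

def nat0_acl_name(config, iface="inside"):
    """Name of the ACL bound to 'nat (iface) 0 access-list ...', or None."""
    for line in config.splitlines():
        p = line.split()
        if p[:4] == ["nat", f"({iface})", "0", "access-list"]:
            return p[4]
    return None

def nat_decision(config, src_ip, dst_ip):
    """'exempt' if the flow matches nat 0 (identity, no translation),
    'pat' if it falls into the dynamic 'nat (inside) 1' pool, else 'none'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    name = nat0_acl_name(config)
    if name:
        for s, d in parse_acl(config, name):
            if src in s and dst in d:
                return "exempt"          # nat 0 is evaluated before dynamic NAT
    for line in config.splitlines():
        p = line.split()
        if p[:3] == ["nat", "(inside)", "1"]:
            if src in ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False):
                return "pat"
    return "none"

def exempt_public_destinations(config):
    """nat 0 entries whose destination is a public prefix: those flows leave
    the outside interface with a private source address and never get a reply."""
    name = nat0_acl_name(config)
    if not name:
        return []
    return [(str(s), str(d)) for s, d in parse_acl(config, name) if not d.is_private]
```

Running `exempt_public_destinations` over a config is a quick sanity check before touching the ACLs: any entry it returns for a non-VPN, non-RFC1918 destination is the kind of no-NAT line this answer says to remove.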
08-10-2014 07:19 AM
Hi,
Sure, I did this,
and I have only the following in place:
access-list acl_inside extended permit ip 10.1.40.0 255.255.254.0 208.109.0.0 255.255.0.0 log
But still I am unable to reach 208.109.106.204 from the inside network. Moreover, this was working fine earlier without the ACL, but just 4 days ago it stopped, and I tried a lot using ACL rules and exemptions to allow the access. The PIX appliance just won't ping this subnet and also won't allow traffic to pass through.
Any other workaround?
Cheers,
Waqas
08-10-2014 10:01 AM
Hi,
Does that happen only for that specific site, or for all Internet sites?
Can you try to ping 4.2.2.2 or some other generic public IP, like the google/yahoo/cisco.com IPs?
Regards
Karthik
08-10-2014 10:25 PM
hi
We are able to access everything outside. It is only an issue with this site and subnet:
208.109.0.0/16
Cheers,
Waqas
08-10-2014 10:35 PM
Hi Waqas,
I suspect they have blocked the specific IP address somewhere in the path.
We can try one more thing: instead of using the interface as the PAT address, can you try and use some other IP address in the public stack?
85.194.97.34 is your interface IP and .33 is your gateway. Can you use 87.194.97.35 for your PAT, if available?
no global (outside) 1 interface
global (outside) 1 87.194.97.35
nat (inside) 1 10.1.40.0 255.255.254.0
Also make sure that you have the return route in the Internet router pointing back to the firewall outside interface:
ip route 87.194.97.32 255.255.255.240 87.194.97.34 in your Internet router.
Regards
Karthik
08-10-2014 10:51 PM
Hi Karthik,
Similar thoughts; sure, I will try this and let you know. Yes, my public stack is free. Currently I am at a remote location; I will do this conf and check if it's working.
Appreciate your support.
Regards,
Waqas
08-10-2014 10:53 PM
Hi Waqas,
Yes, please try it that way. You said you are able to access that from the Internet switch by assigning the public IP directly, right? Use that same IP in the PAT and try.
Regards
Karthik
08-14-2014 04:23 AM
Hi Karthik,
I have changed the settings as we planned, but no luck.
Please also see below the xlate output and PAT flags:
global (outside) 1 87.194.97.36
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.1.40.0 255.255.254.0
access-group acl_inside in interface inside
route outside 0.0.0.0 0.0.0.0 85.194.97.33 1
show xlate detail
2798 in use, 2798 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
r - portmap, s - static
UDP PAT from inside:10.1.41.2/50463 to outside:87.194.97.36/55437 flags ri
UDP PAT from inside:10.1.41.2/54118 to outside:87.194.97.36/18430 flags ri
UDP PAT from inside:10.1.41.2/64373 to outside:87.194.97.36/56176 flags ri
TCP PAT from inside:10.1.41.2/56688 to outside:87.194.97.36/16751 flags ri
UDP PAT from inside:10.1.41.2/63329 to outside:87.194.97.36/19333 flags ri
UDP PAT from inside:10.1.41.2/58098 to outside:87.194.97.36/49344 flags ri
UDP PAT from inside:10.1.41.2/53935 to outside:87.194.97.36/51044 flags ri
UDP PAT from inside:10.1.41.2/59574 to outside:87.194.97.36/11391 flags ri
UDP PAT from inside:10.1.41.2/57735 to outside:87.194.97.36/24946 flags ri
TCP PAT from inside:10.1.41.27/63618 to outside:87.194.97.36/15983 flags ri
TCP PAT from inside:10.1.41.79/2184 to outside:87.194.97.36/16503 flags ri
UDP PAT from inside:10.1.41.111/58608 to outside:87.194.97.36/17021 flags ri
UDP PAT from inside:10.1.41.111/64360 to outside:87.194.97.36/23578 flags ri
08-14-2014 04:36 AM
Inside we have two networks accessing outside world..
10.1.40.0 - 255.255.254.0 - All Servers using this network
10.1.41.0 - 255.255.254.0 - All Client Computers using this network
08-14-2014 04:55 AM
Hi Waqas,
It is normal in the case of dynamic PAT.
Your sh xlate detail output has:
UDP PAT from inside:10.1.41.2/50463 to outside:87.194.97.36/55437 flags ri
At the same time, if you check the existing connection in the conn table:
sh conn | in 50463
<you can see the established connection>
Can you get me remote access to that firewall so that I can check it? It seems to be okay.
Also, did you check the routes on the Internet router?
Regards
Karthik
08-14-2014 05:07 AM
Hi Karthik,
Can you send me an email at: waqas_buttg@hotmail.com
I will reply to you with the access details.
Regards,
Waqas
08-14-2014 05:12 AM
Hi,
Sent email from nkartheekeyan@hotmail.com
Regards
Karthik