I need to be able to get traffic from the inside interface to route out through the 172.16.15.0 network to a further secure router. Obviously I need to allow flow back from the router in the 172.16.15.0 network into the inside interface.
Currently I am unable to ping any device, including the 172.16.15.1 interface of the network on the PIX.
I do not want any NAT to take place between any of the interfaces.
My outside interface does however seem to accept traffic from the legacy1 network fine.
Any suggestions or examples would be very appreciated as I am going round and round in circles with this one!
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 legacy1 security1
nameif ethernet3 imaging security95
nameif ethernet4 Encryption security1
nameif ethernet5 intf5 security10
enable password xxx
access-list inside_access_in permit ip any any
access-list Encryption_inbound_nat0_acl permit ip any any
access-list legacy1_outbound_nat0_acl permit ip any any
access-list outside_inbound_nat0_acl permit ip any any
access-list outside_access_in permit ip any any
access-list imaging_access_in permit ip any any
access-list inside_outbound_nat0_acl permit ip any any
access-list Encryption_access_in permit ip any any
Unfortunately PIX 6.3 doesn't have any good way to turn off NAT entirely without entering a couple of commands. There are a couple of ways to do this, but I would do the following:
1) Get rid of all your nat and global statements
2) Enter the following commands:
access-list al_no_nat permit ip any any
nat (inside) 0 access-list al_no_nat
nat (legacy1) 0 access-list al_no_nat
nat (imaging) 0 access-list al_no_nat
nat (outside) 0 access-list al_no_nat
Though technically you don't really need the last one, as the NAT requirements are from high to low and there's nothing lower than 0.
3) Do a 'clear xlate' to wipe out any existing xlates that may have been created.
Now this is where you need to understand a little bit about security on the PIX: the PIX will not allow you to traverse the PIX to ping another interface, meaning you can't ping the outside interface from an inside IP address (and vice versa). What you need to do is have an IP out on the Encryption interface that you can ping (possibly a router) and on that device have it route the 192.168 network back to the 172.16.15.1 interface on your firewall. Then an inside host should ping that and be able to get a reply, right? (Assuming the routing is in place to get that network back to the firewall.)
Your permit ip any any ACLs should allow all the traffic return that needs to for connectivity to work.
Other than that, the config looks good, though nothing is being routed to the Encryption interface as of yet (your outside network has the default route).
Please rate this message if it helped solve some or all of your issue.
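To make the steps in the answer above checkable rather than eyeballed, here is an added audit script (not part of this thread, and not a Cisco tool) that parses PIX 6.3-style `nameif`, `nat`, `global` and `access-list` lines and reports which interfaces still lack a `nat (if) 0 access-list` exemption, which leftover `nat`/`global` statements conflict with a no-NAT design, and which ACLs are a blanket `permit ip any any`. The sample configuration embedded in it is constructed from the interfaces posted above plus the exemption lines from the answer, with the Encryption interface deliberately left out and one stale `nat (inside) 1` / `global (outside) 1` pair left in, so the audit has something to find; the 192.168.10.0 ACL entry and the hostname-style identifiers are invented for illustration.

```python
"""Audit a PIX 6.3 configuration for nat 0 exemption coverage and blanket-permit ACLs."""
import re
from dataclasses import dataclass, field

# Constructed sample: interfaces from the posted config, nat 0 lines from the answer,
# with Encryption missing its exemption and an old nat/global pair still present.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 legacy1 security1
nameif ethernet3 imaging security95
nameif ethernet4 Encryption security1
access-list al_no_nat permit ip any any
access-list inside_access_in permit ip any any
access-list inside_access_in permit tcp 192.168.10.0 255.255.255.0 host 172.16.15.10 eq 443
nat (inside) 0 access-list al_no_nat
nat (legacy1) 0 access-list al_no_nat
nat (imaging) 0 access-list al_no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""

NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(.*)$")
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+(.*)$")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(.*)$")


@dataclass
class PixConfig:
    interfaces: dict = field(default_factory=dict)  # nameif -> security level
    nat_exempt: dict = field(default_factory=dict)  # interface -> ACL named in "nat (if) 0 access-list"
    nat_rules: list = field(default_factory=list)   # (interface, id, args) for every other nat line
    globals_: list = field(default_factory=list)    # (interface, id, args)
    acls: dict = field(default_factory=dict)        # ACL name -> [(action, match)]


def parse_pix(text):
    """Pick out the lines relevant to NAT behaviour; everything else is ignored."""
    cfg = PixConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAMEIF_RE.match(line):
            cfg.interfaces[m.group(1)] = int(m.group(2))
        elif m := NAT_RE.match(line):
            ifname, nat_id, args = m.group(1), int(m.group(2)), m.group(3)
            if nat_id == 0 and args.startswith("access-list "):
                cfg.nat_exempt[ifname] = args.split()[1]
            else:
                cfg.nat_rules.append((ifname, nat_id, args))
        elif m := GLOBAL_RE.match(line):
            cfg.globals_.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := ACL_RE.match(line):
            cfg.acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return cfg


def audit_no_nat(cfg):
    """Return (severity, message) findings, highest-security interface first."""
    findings = []
    lowest = min(cfg.interfaces, key=cfg.interfaces.get) if cfg.interfaces else None
    for ifname in sorted(cfg.interfaces, key=cfg.interfaces.get, reverse=True):
        if ifname in cfg.nat_exempt:
            acl = cfg.nat_exempt[ifname]
            if acl not in cfg.acls:
                findings.append(("error", f"{ifname}: nat 0 references undefined ACL {acl}"))
        elif ifname == lowest:
            # As the answer notes, the lowest-security interface never initiates high-to-low NAT.
            findings.append(("info", f"{ifname}: no nat 0 entry (lowest security level, not required)"))
        else:
            findings.append(("error", f"{ifname}: no nat 0 access-list entry, so no xlate "
                                      f"is built for hosts behind it"))
    for ifname, nat_id, args in cfg.nat_rules:
        findings.append(("warn", f"{ifname}: leftover 'nat ({ifname}) {nat_id} {args}' conflicts with no-NAT intent"))
    for ifname, gid, args in cfg.globals_:
        findings.append(("warn", f"{ifname}: leftover 'global ({ifname}) {gid} {args}' conflicts with no-NAT intent"))
    for name, rules in cfg.acls.items():
        if name in cfg.nat_exempt.values():
            continue  # a permit-any exemption ACL is exactly what nat 0 needs
        if any(action == "permit" and match == "ip any any" for action, match in rules):
            findings.append(("warn", f"ACL {name}: 'permit ip any any' means no filtering if bound with access-group"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_no_nat(parse_pix(SAMPLE_CONFIG)):
        print(f"[{severity}] {message}")
```

Run against a real `write terminal` dump instead of the sample, the output lists each interface that still needs step 2 of the answer applied and each `nat`/`global` line that step 1 should have removed. The blanket-permit warning is informational: the thread relies on `permit ip any any` to get connectivity working, but once traffic flows those ACLs are the only filtering between the segments and are worth tightening.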
Thank you so very much. Excellent answer. The only change I made due to others utilising the pdm was to create individual access lists for the interfaces as the pdm does not allow you to utilise it more than once.