Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

NAT help on Pix

Hello,

I am using a PIX on our test network and I'm trying to get devices on interface "DMZ4_Wireless_PDA" (Ip range 172.25.1.x/24) to communicate with x.x.156.78 which NAT's to a server on the inside interface on 192.168.200.200.  Attached is my config but I can't get it to work.  The 172.25.1.x range needs to communicate on various ports especially ICMP.

Thanks in advance for your time

  • Firewalling
8 REPLIES
Cisco Employee

Re: NAT help on Pix

There seems to be overlapped with ip address x.x.156.78 on the following:


global (inside) 1 x.x.156.78

nat (outside) 1 192.168.201.0 255.255.255.0

static (inside,DMZ4_Wireless_PDA) x.x.156.78 192.168.200.200 netmask 255.255.255.255


Do you have a need for the nat/global pair?


Also, do you need to ping the public ip address (x.x.156.78) instead of the private ip address (192.168.200.200)? or it doesn't really matter which ip address you ping as long as it's testing the actual server connectivity.

To ping, you would also need to configure inspection for icmp:

policy-map global_policy

  class inspection_default

     inspect icmp

New Member

Re: NAT help on Pix

Hi,

My Pix/ASA knowledge is a bit rusty, but all I need is all the devices on 172.25.1.x/24 to contact x.x.156.78 which is a server on the inside (192.168.200.200).  I'm not sure what ot why the global statement is there, what does that do?

x.x156.78 is a public IP, but for the scenario it is a server on the inside and yes I need to ping x.x156.78.

I hope that's a little clearer as my explanation wasn't the best.

Thanks

Cisco Employee

Re: NAT help on Pix

As far as the NAT statement is concern, you only need the following line:

static (inside,DMZ4_Wireless_PDA) x.x.156.78 192.168.200.200 netmask 255.255.255.255

The nat/global pair as far as I understand does not serve any purpose, and it would be best to remove them as it overlaps with the static NAT statement above:

no global (inside) 1 x.x.156.78

no nat (outside) 1 192.168.201.0 255.255.255.0

Please "clear xlate" after the changes, and also add "inspect icmp" as advised earlier.

Cisco Employee

Re: NAT help on Pix

And also you need to enable proxyarp for DMZ4_Wireless_PDA interface:

no sysopt noproxyarp DMZ4_Wireless_PDA

New Member

Re: NAT help on Pix

I believe I have changed the config to match what you said, but I still can't connect to x.x.156.78.  I have configured my laptop to 172.5.1.10/24 and added me to the DMZ4_Wireless_PDA interface and tried to ping x.x.156.78 (192.168.200.200) and it fails.

I logged on the ASDM and did an packet trace from 172.25.1.10 to x.x.156.78 using echo-reply and it failed on the NAT-Exempt.

Any ideas what I might be doing wrong?  Let me know if you need a fresh config.

Thanks

Cisco Employee

Re: NAT help on Pix

Yes, packet tracer is right.

NAT exemption takes precedence over Static NAT, hence it's failing the static NAT.

The following NAT exemption configuration:

nat (inside) 0 access-list inside_nat0_outbound

access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 192.168.201.0 255.255.255.240

access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 172.25.1.0 255.255.255.0

For testing purposes, I would take out that red line of ACL, "clear xlate", and test it. This should work now.

Then you can configure the following ACL instead to bypass 192.168.200.200 from being exempted:

access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.128 172.25.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.200.128 255.255.255.192 172.25.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.200.192 255.255.255.248 172.25.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip host 192.168.200.201 172.25.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip host 192.168.200.202 172.25.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip host 192.168.200.203 172.25.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.200.204 255.255.255.252 172.25.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.200.208 255.255.255.240 172.25.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.200.224 255.255.255.224 172.25.1.0 255.255.255.0

New Member

Re: NAT help on Pix

Hello,

Would a fresh config help at all?  I can't think why I would need a NAT exempt rule in place can you?

Re: NAT help on Pix

Hi Andy ,

By default PIX need to NAT flows from higher security level ( inside 100 )  to lower security level ( DMZ4_Wireless_PDA 20 ).

So the solutions are :

1. configure nat of the inside host to DMZ4 segment

static (inside,DMZ4_Wireless_PDA) 172.25.1.200 192.168.200.200


Allow on the access-list :

access-list DMZ4_Wireless_PDA_access_in permit icmp 172.25.1.0 255.255.255.0 host 172.25.1.200

2. disable this behaviod

no nat-control

Then your configured access-list will work:

access-list DMZ4_Wireless_PDA_access_in extended permit udp 172.25.1.0 255.255.255.0 host 192.168.200.2 eq domain

Dan

299
Views
0
Helpful
8
Replies