Nat in Pix 515

Hello,

I'm running a pix 515E for management purposes. I have several nets, one outside, and three inside. I've set up nat between them, since my inside0 has real ip addresses, and 1 & 2 has private addresses. This is working brilliantly.

My problem is a third private net.

It's located behind a 3750. I can reach it (172.18.18.0 -> 172.18.18.10 - loopback interfaces) from the 3750, (their directly connected in some of the interfaces) but not from the rest of the units (e.g. my supervisor server). I'm thinking of reaching these via nat in the pix. But no matter what I try, I just can't seem to reach the 172... addresses from my 90.x.x.x network. The mng vlan is terminated on a vlan interface in the 3750 router.

Any pointers would do me great;=)

\\mark

4 REPLIES

Re: Nat in Pix 515

Mark,

Do you have static routes in the PIX for the remote net pointing to your internal default gateway?

something like:-

Internal default Layer 3 router - 172.16.1.1

IP Subnet behind the 3750 - 172.18.18.0

PIX config:-

route inside 172.18.18.0 255.255.255.0 172.16.1.1

HTH.

Re: Nat in Pix 515

Hi,

Thanks for the reply. Sorry for answering late, I was taking a couple of days off;=)

Here's my current config regarding the matter:

interface Ethernet1

nameif mng_inside

security-level 100

ip address 90.x.x.1 255.255.255.192

global (mng_outside) 1 interface

static (mng_inside,RadioMan) 172.16.18.0 90.x.x.0 netmask 255.255.255.192 // This line works

static (mng_inside,AlliedMan) 172.16.17.0 90.x.x.0 netmask 255.255.255.192 //This line works

static (mng_inside,mng_inside) 90.x.x.0 172.18.18.0 netmask 255.255.255.0 //This line errors

access-group outside_access_in_1 in interface mng_outside

route mng_outside 0.0.0.0 0.0.0.0 128.x.x.1 10

route mng_outside 172.16.16.16 255.255.255.255 128.x.x.1 9

route mng_inside 172.16.16.17 255.255.255.255 172.16.16.17 1

route mng_inside 172.18.18.0 255.255.255.0 90.x.x.1 1

During a packet trace, I get this error:

Type - NAT
Subtype - rpf-check
Action - DROP
Show rule in NAT Rules table.
Config
static (mng_inside,mng_inside) 90.x.x.0 172.18.18.0 netmask 255.255.255.0 match ip mng_inside 172.18.18.0 255.255.255.0 mng_inside any static translation to 90.x.x.0 translate_hits = 0, untranslate_hits = 38

I've also tried the following line instead:

static (mng_inside,mng_inside) 172.18.18.0 90.x.x.0 netmask 255.255.255.192

This does not result in a packet trace error - the packet tracer gently confirms that the packet is allowed.

What I'm thinking - since the 172.18.18.0 network is behind the 90.x.x.12 address, maybe my route in the pix should be route inside 17.28.18.0 255.255.255.192 90.x.x.12 ?

*trying*
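As an added example, not code from the thread: a small Python lint (the function names and the 90.0.0.x placeholder addresses for the masked octets are assumptions) that parses the nameif, ip address, static and route lines quoted above and flags what a reviewer would check first: a static whose real and mapped interface are the same (intra-interface NAT, which on PIX 7.x also needs same-security-traffic permit intra-interface), a mapped range that overlaps the PIX's own interface subnet, and a route whose next hop is the PIX's own address instead of the 3750.

```python
import ipaddress
import re

# Constructed sample built from the lines quoted in the post above; the
# masked 90.x.x.x octets are filled with placeholder values (an assumption).
CONFIG = """\
interface Ethernet1
 nameif mng_inside
 ip address 90.0.0.1 255.255.255.192
static (mng_inside,mng_inside) 90.0.0.0 172.18.18.0 netmask 255.255.255.0
route mng_inside 172.18.18.0 255.255.255.0 90.0.0.1 1
"""
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")

def parse(text):
    """Collect interface addresses, statics as
    (real_ifc, mapped_ifc, mapped_ip, real_ip, mask), and routes."""
    ifaces, statics, routes, cur = {}, [], [], None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":
            cur = t[1]
        elif t[:2] == ["ip", "address"] and cur:
            ifaces[cur] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
        elif t[0] == "static" and (m := STATIC_RE.match(line)):
            statics.append(m.groups())
        elif t[0] == "route":
            routes.append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}"),
                           ipaddress.ip_address(t[4])))
    return ifaces, statics, routes

def check(text):
    """Return findings that explain a NAT rpf-check drop like the one above."""
    ifaces, statics, routes = parse(text)
    findings = []
    for real_ifc, mapped_ifc, mapped_ip, _real_ip, mask in statics:
        mapped = ipaddress.ip_network(f"{mapped_ip}/{mask}", strict=False)
        if real_ifc == mapped_ifc:  # traffic enters and leaves the same interface
            findings.append(f"intra-interface static on {real_ifc}: needs "
                            "same-security-traffic permit intra-interface")
        own = ifaces.get(mapped_ifc)
        if own and own.network.overlaps(mapped):  # mapped range hits the PIX's own subnet
            findings.append(f"mapped {mapped} overlaps {mapped_ifc} subnet {own.network}")
    for ifc, dest, gw in routes:
        own = ifaces.get(ifc)
        if own and gw == own.ip:  # next hop is the firewall itself, not the 3750
            findings.append(f"route {dest} points at the PIX's own address {gw}")
    return findings
```

Running check(CONFIG) yields three findings; a route whose next hop is the 3750's address on the same subnet (e.g. 90.0.0.12) produces none.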

Re: Nat in Pix 515

The lines:-

static (mng_inside,mng_inside) 90.x.x.0 172.18.18.0 netmask 255.255.255.0

and

static (mng_inside,mng_inside) 90.x.x.0 172.18.18.0 netmask 255.255.255.0

will just not work - what exactly are you trying to do?

Re: Nat in Pix 515

Hi, no English, only Spanish; check the security level of the interface.

Bye

Ruben.
