Cisco Support Community
Community Member

PIX 501 NAT

I'm having an issue where I can sit on the PIX and ping everything on the internal network. I can ping everything I've allowed on the external network as well. However, I can't get traffic across the NAT to ping. Here's the config:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname another-fw1
access-list outside_access_in permit ip host NAMED-SOMETHING any
access-list outside_access_in permit icmp object-group icmp-sources any
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 9.9.9.9 255.255.255.224
ip address inside 172.16.41.100 255.255.255.0
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 9.9.9.10 172.16.42.1 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 9.9.9.8 1
route inside 0.0.0.0 0.0.0.0 172.16.41.200

Lame Layout Example

ROUTER -> PIX -> SWITCH -> DEVICES

If I change the NAT'd device's gateway to the PIX, then it works fine. BTW: the gateway isn't mine and I'm sure there isn't any type of route pointing back to me. I'm typically coming in from an external IP and I guess that my traffic is getting pushed out another direction once it hits their network.

So, would Source NAT work? Never used it.. So, I have no idea.

3 REPLIES
Community Member

Re: PIX 501 NAT

Hi Mike,

The NAT configuration you have done is okay. But the routing part seems to be giving you trouble.

You have configured two default routes:

route outside 0.0.0.0 0.0.0.0 9.9.8.1
route inside 0.0.0.0 0.0.0.0 172.16.41.200

You are getting the problem due to the second default route pointed to 172.16.41.200.

Please make the second route more specific (don't use a default route), e.g. if you have the 172.16.20.0 network in the inside section then use

route inside 172.16.20.0 255.255.255.0 172.16.41.200

Also see the translation and connection tables:

sh xlate
sh conn

Regards,

Roshan

Community Member

Re: PIX 501 NAT

Thanks for the reply!!!

Sadly, I've tried that. I've even removed the old inside route, saved the config, and rebooted the PIX.

It still produces this:

[ERR] route inside 172.16.41.0 255.255.255.0 172.16.41.200 1
Route already exists

Community Member

Re: PIX 501 NAT

Without the route to the internal router:

outside 0.0.0.0 0.0.0.0 12.52.0.33 1 OTHER static (what I added)
outside 9.9.9.7 255.255.255.224 9.9.9.9 1 CONNECT static (shows by default since it's the interface)
inside 172.16.41.0 255.255.255.0 172.16.41.100 1 CONNECT static (shows by default since it's the interface)

When I ping I get:

No route to 172.16.42.1 from "Where I'm at" on the PIX debug log...

When I add the 172.16.x.x route:

outside 0.0.0.0 0.0.0.0 9.9.9.8 1 OTHER static
outside 9.9.9.7 255.255.255.224 9.9.9.9 1 CONNECT static
inside 172.16.0.0 255.255.0.0 172.16.41.200 1 OTHER static
inside 172.16.41.0 255.255.255.0 172.16.41.100 1 CONNECT static

When I ping now I don't get the "No route" message, but I don't get replies either.

Reminder: I can ping everything on the internal and external network from the PIX. However, outside-in and inside-out doesn't work even though it's allowed.
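The routing mistakes discussed in this thread (a second default route on the inside interface, a specific route that collides with the connected 172.16.41.0/24 network and is rejected with "Route already exists", and a static NAT whose real host does not resolve to the inside interface) can be checked offline before touching the box. The script below is an added example written for this page, not code from the original posters or from Cisco. It parses only the `ip address`, `route` and `static` lines of a PIX 6.3 style config (the sample is the config from the original post, reduced to those lines), builds the route table, does a longest-prefix lookup, and reports the findings. The route-selection logic is a plain longest-prefix match with a tie reported as ambiguous; the helper names (`parse_config`, `route_lookup`, `audit`, `fix_inside_default`) and the 172.16.42.0/24 network for the NAT'd host are assumptions for the example.

```python
"""Route-table sanity checks for a PIX 6.3 style config (added example).

Flags the three problems seen in the thread:
  * more than one default route (any off-net host is then a tie);
  * a static route whose prefix equals an interface's connected network
    (the PIX rejects it with "Route already exists");
  * a static NAT whose real address does not resolve to a single route on
    the real-side interface named in the static.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
# (prefix, interface, next hop or interface address, "CONNECT" | "OTHER")
Route = Tuple[Net, str, str, str]
# mapped address -> (real interface, mapped interface, real address)
Static = Tuple[str, str, str]

# Constructed input: the lines of the posted config that this checker reads.
POSTED_CONFIG = """\
ip address outside 9.9.9.9 255.255.255.224
ip address inside 172.16.41.100 255.255.255.0
static (inside,outside) 9.9.9.10 172.16.42.1 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 9.9.9.8 1
route inside 0.0.0.0 0.0.0.0 172.16.41.200
"""


def parse_config(text: str) -> Tuple[List[Route], Dict[str, Static]]:
    """Build the route table; connected routes come from 'ip address' lines."""
    routes: List[Route] = []
    statics: Dict[str, Static] = {}
    for raw in text.splitlines():
        p = raw.split()
        if not p:
            continue
        if p[:2] == ["ip", "address"]:
            iface, addr, mask = p[2], p[3], p[4]
            routes.append((Net(f"{addr}/{mask}", strict=False), iface, addr, "CONNECT"))
        elif p[0] == "route":
            iface, dest, mask, nexthop = p[1], p[2], p[3], p[4]
            routes.append((Net(f"{dest}/{mask}", strict=False), iface, nexthop, "OTHER"))
        elif p[0] == "static":
            real_if, mapped_if = p[1].strip("()").split(",")
            statics[p[2]] = (real_if, mapped_if, p[3])  # mapped -> real
    return routes, statics


def route_lookup(routes: List[Route], host: str) -> List[Route]:
    """Longest-prefix match; more than one result means the table is ambiguous."""
    ip = ipaddress.IPv4Address(host)
    hits = [r for r in routes if ip in r[0]]
    if not hits:
        return []
    best = max(r[0].prefixlen for r in hits)
    return [r for r in hits if r[0].prefixlen == best]


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the table looks sane."""
    routes, statics = parse_config(text)
    findings: List[str] = []
    connected = {r[0]: r[1] for r in routes if r[3] == "CONNECT"}
    defaults = [r for r in routes if r[3] == "OTHER" and r[0].prefixlen == 0]
    if len(defaults) > 1:
        findings.append("multiple default routes: "
                        + ", ".join(f"{r[1]} via {r[2]}" for r in defaults))
    for net, iface, nexthop, kind in routes:
        if kind != "OTHER":
            continue
        if net in connected:  # same prefix as an interface network
            findings.append(f"route {iface} {net} duplicates the connected network "
                            f"of {connected[net]} (Route already exists)")
        nh = ipaddress.IPv4Address(nexthop)
        if not any(nh in c and connected[c] == iface for c in connected):
            findings.append(f"next hop {nexthop} is not on the {iface} interface subnet")
    for mapped, (real_if, _mapped_if, real) in statics.items():
        hits = route_lookup(routes, real)
        if len(hits) != 1 or hits[0][1] != real_if:
            findings.append(f"static {mapped}->{real}: real address does not resolve "
                            f"to a single route on {real_if} ({len(hits)} candidate(s))")
    return findings


def fix_inside_default(text: str, network: str, mask: str) -> str:
    """Replace the inside default route with a specific route to the NAT'd network."""
    out = []
    for line in text.splitlines():
        p = line.split()
        if p[:4] == ["route", "inside", "0.0.0.0", "0.0.0.0"]:
            line = f"route inside {network} {mask} {p[4]}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG),
                       ("fixed", fix_inside_default(POSTED_CONFIG, "172.16.42.0", "255.255.255.0")),
                       ("bad", fix_inside_default(POSTED_CONFIG, "172.16.41.0", "255.255.255.0"))):
        print(label, audit(cfg) or "OK")
```

Running it shows the posted table tied between the two default routes for 172.16.42.1, the "fixed" table (inside default replaced by 172.16.42.0/24 via 172.16.41.200) clean, and the 172.16.41.0/24 attempt flagged as a duplicate of the connected inside network. The checker says nothing about whether the internal router at 172.16.41.200 sends replies for outside addresses back to the PIX; that still has to be verified on the router and with `sh xlate` / `sh conn` on the PIX.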
