New Member

pix translation

I've got a PIX between two internal networks. The 172.16.0.0 is on the inside; 10.0.0.0 is on the outside. I need to manage several servers on the inside from a device on the outside. There will be TCP and UDP traffic initiated from the 10.0.0.0 network and UDP traffic initiated from the 172.16.0.0.

The ACLs are using groups, but I've simplified them for the example.

So, I've got an ACL on the outside:

access-list 101 permit tcp host 10.10.10.10 host 172.16.1.1 eq 443

A translation to a routable address on the inside:

static (outside,inside) 172.16.1.250 10.10.10.10 netmask 255.255.255.255

Routing:

route outside 0.0.0.0 0.0.0.0 'next hop'

route inside 172.16.0.0 255.255.0.0 'next hop'

I'm then trying to translate to the server address on the return for traffic initiated from the inside:

static (inside,outside) 10.10.10.10 172.16.1.250 netmask 255.255.255.255

I haven't got an ACL for return traffic yet. I can see hits on a capture on the outside but nothing on the inside, suggesting it's not being translated.

Any help would be appreciated.

Cheers

6 REPLIES
Hall of Fame Super Blue

Michael

It's not clear what you are trying to do.

So -

static (outside,inside) 172.16.1.250 10.10.10.10 netmask 255.255.255.255

is to translate the 10.10.10.10 IP address to 172.16.1.250?

Is this because the server 172.16.1.1 has a default gateway that isn't the firewall? If the default gateway is the firewall, why do you need to do this?

You then say -

I'm then trying to translate to the server address on the return for traffic initiated from the inside

static (inside,outside) 10.10.10.10 172.16.1.250 netmask 255.255.255.255

but there is no mention of the server IP in that static statement. Also, if it was the server, you can't translate it back to the client IP 10.10.10.10.

Perhaps it would help if you could clarify exactly what you are trying to do. If the default gateway for the server is the firewall, then do you really need to translate the 10.x.x.x IPs?

Jon

New Member

Hi Jon

Thanks for the reply.

What I'm trying to achieve is to be able to manage several VM servers on the 172.16.0.0/16 network from a management server on the 10.0.0.0/8 network. Both networks have many subnets/VLANs. The gateways are not on the firewall.

Sites are split into 172.16.X.0/24 networks. The VLANs have ACLs applied, but the 172.16.1.0/24 subnet is used for device management and is already permitted everywhere.

So, as an example, let's say I have management server 10.10.10.10, server A 172.16.20.5 and server B 172.16.30.5.

What I thought I could do is translate the 10.10.10.10 to 172.16.1.250 so it has access to server A and B on the 172.16.0.0 network without altering any ACLs on the VLANs.

When I say return traffic, I am expecting UDP heartbeats from server A and server B to the management server.

The firewall is a PIX-515E

Thanks again.

Hall of Fame Super Blue

Okay, so your first static is to translate the 10.10.10.10 IP address to 172.16.1.250 which is fine.

What you have configured with your statics is -

1) translate 10.10.10.10 to 172.16.1.250 as it goes from the outside to the inside, i.e. you are translating the source IP address

2) your second static then says translate the IP address 172.16.1.250 to 10.10.10.10 as it goes to the outside. But that will never match, because 172.16.1.250 is not the source IP; it is the destination IP if traffic is returning from your server to the outside, because of your first static.

So what IP address(es) do you want your 172.16.x.x servers to be translated to when they go to the outside, or are you happy to just have them go outside with their original IPs?

Jon

New Member

I understand what you are saying in point 2 but server A and server B are configured to send heartbeat traffic to 172.16.1.250 which I thought would hit the firewall and be translated back to the 10.10.10.10 address.

So, from what you are saying, I now think this won't work because there's no route to 172.16.1.250 via the firewall.

I'll have to target 10.10.10.10 for heartbeat traffic and permit the 172.16. addresses through the ACL.

One thing I don't understand is that I can see hits on a capture on the outside interface from 10.10.10.10 to 172.16.20.5, but I don't see any hits on the inside capture even though I've got 172.16.1.250 in the capture ACL.

Capture ACL:

access-list cap permit ip host 10.10.10.10 any
access-list cap permit ip any host 10.10.10.10
access-list cap permit ip any host 172.16.1.250
access-list cap permit ip host 172.16.1.250 any

capture out access-list cap interface outside
capture ins access-list cap interface inside

Hall of Fame Super Blue

I understand what you are saying in point 2 but server A and server B are configured to send heartbeat traffic to 172.16.1.250 which I thought would hit the firewall and be translated back to the 10.10.10.10 address.

Then you don't need the second static command. It would mean your server 172.16.1.x addresses would not be translated, but if the default gateway of the 10.10.10.x devices is the outside interface of your firewall then it should work fine.

So, from what you are saying, I now think this won't work because there's no route to 172.16.1.250 via the firewall.

Not sure I follow. If your internal server is on a different subnet, then it will send traffic to its default gateway and, assuming the L3 device has a directly connected interface in the 172.16.1.250 subnet, it will then send an ARP request for that IP. The firewall should respond (as long as you have not disabled proxy-arp on the inside interface) because you have a static statement set up for it, i.e. your first static.

Jon
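An added example, not code from the thread or from Cisco, that models the matching rule Jon describes (a static rewrites the source on the real-to-mapped direction and the destination on the way back) plus the proxy-ARP answer; the interfaces, addresses and the two statics are the ones posted above, the packets are constructed and the function names are my own:

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Static:
    """One 'static (real_ifc,mapped_ifc) mapped_ip real_ip' entry."""
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    real_ip: str

@dataclass(frozen=True)
class Packet:
    in_ifc: str   # interface the packet arrives on
    out_ifc: str  # interface the route lookup sends it out of
    src: str
    dst: str

def matching_statics(pkt, statics):
    """Every static that applies to pkt. A static rewrites the SOURCE for
    real_ifc -> mapped_ifc traffic and the DESTINATION for the reverse
    mapped_ifc -> real_ifc traffic; nothing else can match it."""
    hits = []
    for s in statics:
        forward = (pkt.in_ifc, pkt.out_ifc, pkt.src) == (s.real_ifc, s.mapped_ifc, s.real_ip)
        reverse = (pkt.in_ifc, pkt.out_ifc, pkt.dst) == (s.mapped_ifc, s.real_ifc, s.mapped_ip)
        if forward or reverse:
            hits.append(s)
    return hits

def translate(pkt, statics):
    """Apply the first matching static; packets with no match pass untranslated."""
    for s in matching_statics(pkt, statics):
        if pkt.in_ifc == s.real_ifc:        # forward direction: rewrite source
            return replace(pkt, src=s.mapped_ip)
        return replace(pkt, dst=s.real_ip)  # reverse direction: rewrite destination
    return pkt

def proxy_arp_answers(ifc, ip, statics):
    """With proxy-arp enabled, the PIX answers ARP on ifc for every mapped
    address whose static names ifc as the mapped interface."""
    return any(s.mapped_ifc == ifc and s.mapped_ip == ip for s in statics)

# The two statics posted in the thread.
FIRST = Static("outside", "inside", "172.16.1.250", "10.10.10.10")
SECOND = Static("inside", "outside", "10.10.10.10", "172.16.1.250")

# Constructed packets: management -> server A, and server A's UDP heartbeat to 172.16.1.250.
MGMT_TO_A = Packet("outside", "inside", "10.10.10.10", "172.16.20.5")
HEARTBEAT = Packet("inside", "outside", "172.16.20.5", "172.16.1.250")
```

Running the heartbeat through both statics shows that only the first one ever matches, which is why removing the second static changes nothing about the return path.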

New Member

Thanks Jon

I've removed the return static and amended the ACLs, and it's working.

Thanks for the help.
