PIX525 - Policy NAT, problem with two outside interfaces

anton_lva
Level 1

Hi all!

I have a PIX with two virtual outside interfaces, an inside interface and a dmz interface.

Outside 1: outside-205 - 195.1.1.10/24

Outside 2: outside-500 - 220.2.2.20/24

inside - 192.168.3.0/24

dmz - 192.168.4.0/24

My task is to translate inside hosts to 195.1.1.10 and dmz hosts to 220.2.2.20 (using PAT).

Inside hosts are translated correctly, but dmz translation fails with the error

PIX-3-305006: portmap translation creation failed for icmp src dmz:192.168.4.x dst outside-205:x.x.x.x (type 8, code 0)

Here is my configuration:

=== 8< ===
PIX Version 7.2(2)
!
interface Ethernet0.10
 vlan 205
 nameif outside-205
 security-level 0
 ip address 195.1.1.10 255.255.255.248
!
interface Ethernet0.500
 vlan 500
 nameif outside-500
 security-level 0
 ip address 220.2.2.20 255.255.255.248
!
interface Ethernet1
 no nameif
 no security-level
 no ip address
!
interface Ethernet1.20
 vlan 20
 nameif inside
 security-level 100
 ip address 192.168.3.254 255.255.255.0
!
interface Ethernet1.30
 vlan 30
 nameif dmz
 security-level 50
 ip address 192.168.4.254 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
access-list INSIDE-TO-NAT extended permit ip 192.168.3.0 255.255.255.0 any
access-list DMZ-TO-NAT extended permit ip 192.168.4.0 255.255.255.0 any
!
nat-control
global (outside-205) 1 interface
global (outside-500) 2 interface
nat (inside) 1 access-list INSIDE-TO-NAT
nat (dmz) 2 access-list DMZ-TO-NAT
!
route outside-205 0.0.0.0 0.0.0.0 195.1.1.1 1
route outside-500 0.0.0.0 0.0.0.0 220.2.2.2 2
=== 8< ===

What am I doing wrong?

Thanks!


Fernando_Meza
Level 7

Hi. Your configuration is OK; the problem is caused because any packets to the Internet are routed through interface outside-205. Inside hosts go out OK because there is a nat/global pair for this access applied to the outside-205 interface; however, the hosts on the dmz don't have a global applied to the outside-205 interface, only to the outside-500 interface, which will only be used when outside-205 is down. The same issue will happen with the inside hosts when outside-500 is up and outside-205 is down.

You could add the line below to get this working:

global (outside-205) 2

I hope it helps. Please rate it if it does.

Thanks, Fernando, I’ve added

"global (outside-205) 2 220.2.2.2"

to my configuration, and it really helped to get rid of the "portmap translation failed" message.

But... The problem still exists.

For example, when I try to connect to some external www-server from a host in the dmz, I get the following error:

PIX-7-710005: TCP request discarded from x.x.x.x/80 to outside-500:220.2.2.2/1035

As far as I understand, the PIX doesn't have a valid translation entry for interface outside-500 (but does for outside-205?) and so doesn't expect a reply from the remote www-server?

Here is part of my translation table from "show xlate detail":

TCP PAT from dmz:192.168.4.x/32990 to outside-205(DMZ-TO-NAT):220.2.2.2/1035 flags ri

Do I need to add some static entries or additional access-lists?

Thanks in advance!
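A constructed Python model of the behaviour Fernando describes and the two log lines above show (added here; it is not code from the thread or from Cisco): egress is chosen from the routing table alone, the nat/global pair is looked up on that egress interface, and a reply is accepted only on the interface that holds the xlate. It assumes each ISP routes its whole /24 back to its own link, and the REPAIRED mapping to 195.1.1.10 is an assumption of the model, not a fix taken from the thread.

```python
import ipaddress

# Constructed model (not PIX code) of the 7.2 behaviour this thread shows:
# egress is chosen from the routing table alone, the nat/global pair is then
# looked up on that egress interface, and a reply is accepted only on the
# interface that owns the xlate.
# Assumption: each ISP routes its whole /24 (from the post's summary) back to
# the link it serves, so replies to a 220.2.2.x address arrive on outside-500.
ISP_BLOCK = {
    "outside-205": ipaddress.ip_network("195.1.1.0/24"),
    "outside-500": ipaddress.ip_network("220.2.2.0/24"),
}
# Default routes as (interface, metric): the lowest metric wins while it is up.
ROUTES = [("outside-205", 1), ("outside-500", 2)]
NAT_IDS = {"inside": 1, "dmz": 2}          # nat (ifc) <id> access-list ...

def egress(down=()):
    """Lowest-metric default route whose interface is not down."""
    live = [r for r in ROUTES if r[0] not in down]
    return min(live, key=lambda r: r[1])[0]

def translate(src_ifc, globals_, down=()):
    """(egress_ifc, mapped_ip), or None when no global matches -> %PIX-3-305006."""
    out = egress(down)
    mapped = globals_.get((out, NAT_IDS[src_ifc]))
    return (out, mapped) if mapped else None

def reply_accepted(xlate):
    """True only if the ISP delivers the reply to the interface holding the
    xlate; otherwise the PIX logs %PIX-7-710005 and drops it."""
    out, mapped = xlate
    arrives_on = next(i for i, net in ISP_BLOCK.items()
                      if ipaddress.ip_address(mapped) in net)
    return arrives_on == out

# globals as {(interface, nat_id): mapped address}, taken from the thread
ORIGINAL = {("outside-205", 1): "195.1.1.10", ("outside-500", 2): "220.2.2.20"}
# Fernando's suggestion as the poster applied it, mapping dmz to 220.2.2.2
PATCHED = {**ORIGINAL, ("outside-205", 2): "220.2.2.2"}
# Assumed repair: map dmz to an address inside the outside-205 ISP block
REPAIRED = {**ORIGINAL, ("outside-205", 2): "195.1.1.10"}

if __name__ == "__main__":
    print(translate("dmz", ORIGINAL))                  # None
    xl = translate("dmz", PATCHED)
    print(xl, reply_accepted(xl))                      # ('outside-205', '220.2.2.2') False
    xl = translate("dmz", REPAIRED)
    print(xl, reply_accepted(xl))                      # ('outside-205', '195.1.1.10') True
```

Passing `down=("outside-205",)` to `translate("inside", ORIGINAL)` reproduces Fernando's second point: with the primary link down, the inside nat id 1 has no global on outside-500 either.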

Hmm... The problem still exists.

I've tried everything, but it doesn't help!

Someone, please, help me!
