02-14-2010 06:40 AM - edited 03-11-2019 10:09 AM
I didn't really know how to describe the subject, so here goes.
Using a 6513 to originate an SSH connection to a 6509 through a Pix 535; that is what I'm attempting to do.
On Pix, 3 interfaces, outside sec level 0 192.168.15.11 /27, inside sec level 100, 192.168.15.33 /24, and a 3rd interface to be used for "mgmt" sec level 10, 10.10.10.1 /24.
On 6509, 2 physical interfaces 192.168.15.35 /24 and 10.10.10.2 /24.
From the 6513, I can ping to the 6509, through the pix to both destinations.
However, from the 6513 I can only ssh to the 192.168.15.36 address.
I have noted the following when pinging, using sho conn on the pix:
ping to 192.168.15.35
ICMP outside 192.168.15.10:152 Inside 192.168.15.35:0, idle 0:00:00, bytes 67608
ICMP outside 192.168.15.10:152 Inside 192.168.15.35:0, idle 0:00:00, bytes 67608
ping to 10.10.10.2
ICMP outside 192.168.15.10:153 Inside 10.10.10.2:0, idle 0:00:00, bytes 42336
ICMP outside 192.168.15.10:153 Jump_Mgmt 10.10.10.2:0, idle 0:00:00, bytes 42408
It appears the return traffic is coming back from the 6509 via the default route 0.0.0.0 0.0.0.0 192.168.15.33 RATHER than the connected route between the 2 10.10.10.0 /24 interfaces. I see a TCP deny on the inside interface coming from the 6509 (10.10.10.2), which seems would make sense since the traffic didn't originate through the inside interface enroute to the 6509...
I'm not sure how to overcome this...
Any help would be appreciated...
bruce
02-14-2010 01:42 PM
bruce.summers wrote:
understood...but I thought we had surmised that global nat would apply to all traffic...don't want to do that...
Not if you use policy NAT, i.e. you use an access-list to define when to NAT, e.g.
access-list PNAT permit host 192.168.x.x host 10.10.10.2
nat (outside) 1 access-list PNAT outside
global (mgmt) 1 interface
Note the "outside" after the PNAT. That is the only thing I'm not sure about, i.e. whether you can have policy NAT and use the outside keyword as well.
So I guess you should be careful with either way.
Jon
02-14-2010 01:46 PM
roger...
thanks for your help on this...I'll give it a try and see if it works...
02-14-2010 01:58 PM
Let me make sure I got this correct.
Create an access list PNAT (access-list PNAT permit host 192.168.15.10 host 10.10.10.2)
nat (outside) 1 access-list PNAT outside
global (mgmt) 1 interface
What is actually NATting the 192 to the 10.10??? Is it that PNAT access list?
02-14-2010 03:16 PM
bruce.summers wrote:
Let me make sure I got this correct.
Create an access list PNAT (access-list PNAT permit host 192.168.15.10 host 10.10.10.2)
nat (outside) 1 access-list PNAT outside
global (mgmt) 1 interface
What is actually NATting the 192 to the 10.10??? Is it that PNAT access list?
Bruce
The access-list simply defines which traffic to NAT. So in this case, when host 192.168.15.10 sends a packet to 10.10.10.2, 192.168.5.10 will get natted to the IP address assigned to the mgmt interface. To the 6509 the packet has a src address of 10.10.10.1, so it knows to send it back to the pix management interface.
Jon
02-14-2010 03:20 PM
ah...that's right...my bad...thanks
02-14-2010 03:37 PM
No IP required in the access-list?
i.e. access-list PNAT line 1 ext permit IP h 192.168.15.10 h 10.10.10.2
???
02-14-2010 03:41 PM
bruce.summers wrote:
No IP required in the access-list?
i.e. access-list PNAT line 1 ext permit IP h 192.168.15.10 h 10.10.10.2
???
That would be my bad.
Yes, you need an IP after the permit.
Jon
02-14-2010 03:42 PM
lol...there is actually a "host" statement after permit also, that's why it was throwing me the curve...
thanks...
02-14-2010 03:50 PM
hmmm...since I already have an access-list that allows IP any, it would seem I could use that (as it is applied to the outside interface)...
so, rather than access-list PNAT Outside blah blah, I would just replace the "PNAT" acl with the existing "outside" acl...
02-14-2010 03:52 PM
bruce.summers wrote:
hmmm...since I already have an access-list that allows IP any, it would seem I could use that (as it is applied to the outside interface)...
so, rather than access-list PNAT Outside blah blah, I would just replace the "PNAT" acl with the existing "outside" acl...
Bruce
No, you don't want to do that unless the only line in the acl is between the 192.168.15.10 host and the 10.10.10.2.
Jon
02-14-2010 03:52 PM
hmmm...that won't work...I'll have to add an ACE to the existing outside acl...
02-14-2010 03:53 PM
Trust me, just use a dedicated acl for the policy NAT.
02-14-2010 03:58 PM
I trust ya man...
The problem is this...
I have an access-group which is applied to the Outside interface using the "outside" acl...
I created the PNAT acl, associated it with the outside interface, and it removed my existing access-group for the outside interface...
So, short of adding the following, I'm not sure how to apply what you are suggesting...
access-list Outside line 1 extended permit ip h 192.168.15.10 host 10.10.10.2
access-list Outside line 2 extended permit ip any any
access-list Outside line 3 extended permit icmp any any
access-group Outside in interface outside
02-14-2010 04:04 PM
bruce.summers wrote:
I trust ya man...
The problem is this...
I have an access-group which is applied to the Outside interface using the "outside" acl...
I created the PNAT acl, associated it with the outside interface, and it removed my existing access-group for the outside interface...
So, short of adding the following, I'm not sure how to apply what you are suggesting...
access-list Outside line 1 extended permit ip h 192.168.15.10 host 10.10.10.2
access-list Outside line 2 extended permit ip any any
access-list Outside line 3 extended permit icmp any any
access-group Outside in interface outside
Bruce
The PNAT acl does not need to be applied to an interface, it is simply for NAT. Leave your existing acl on the outside interface.
The only reference you need to the PNAT acl is in the nat statement itself. The PNAT acl is not concerned with permitting/restricting traffic.
Jon
02-14-2010 04:12 PM
You're a genius!!!!
It worked....that is pretty awesome...
I could replace, in the acl, the "host 10.10.10.2" with the entire /24 subnet, I would think...
thanks
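The arrangement the thread converges on, reconstructed here as an added example (it is not configuration posted by Bruce or Jon): the interface ACL stays bound with access-group, while the dedicated PNAT ACL is referenced only by the nat statement. Addresses and the Jump_Mgmt nameif are taken from the posts above; the physical interface names and the Outside/PNAT ACL names are assumptions.

```cisco
! Added example reconstructed from this thread, PIX 7.x-style syntax.
! Interface names (Ethernet0/1/2) are assumptions; addresses come from the posts.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.15.11 255.255.255.224
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.15.33 255.255.255.0
!
interface Ethernet2
 nameif Jump_Mgmt
 security-level 10
 ip address 10.10.10.1 255.255.255.0
!
! Interface ACL: this is what filters traffic arriving on outside. It stays
! bound with access-group; the policy-NAT ACL below is never bound this way,
! so adding it does not displace this access-group.
access-list Outside extended permit ip any any
access-list Outside extended permit icmp any any
access-group Outside in interface outside
!
! Policy NAT: a dedicated ACL that matches only the 6513 (192.168.15.10)
! talking to the 6509's mgmt address. Its only job is to select traffic for
! the nat statement; it permits or denies nothing on its own.
access-list PNAT extended permit ip host 192.168.15.10 host 10.10.10.2
nat (outside) 1 access-list PNAT outside
global (Jump_Mgmt) 1 interface
!
! Effect: the 6509 sees the SSH session sourced from 10.10.10.1, so its reply
! follows the connected 10.10.10.0/24 route back to Jump_Mgmt instead of the
! default route toward inside, where the PIX was dropping it as an unknown
! TCP flow.
```

Keeping PNAT limited to the one host pair (rather than widening it to the whole /24, or reusing the interface ACL with its permit ip any any) keeps the NAT behaviour predictable and makes the show conn output easy to audit.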