I have configured static NAT on a Cisco PIX 525. The local IP (machine) resides on the management interface, security level 95. I have allowed the necessary traffic from outside to the global IP of the machine, but there is no entry in the xlate table and I can't ping the machine from outside. What do you think is the problem?
Can you post the relevant lines of config with any sensitive info removed?
Have you allowed the traffic through on your access-list on the outside interface?
Are you seeing hits on the access-list?
Do you have an access-list on the management interface? If so, have you allowed the ICMP back from that subnet? ICMP is not stateful, so you need to allow it both ways.
The static line:
static (management,outside) [global ip] [local ip of machine] netmask 255.255.255.255 0 0
ACL permitting an outside host to the machine:
access-list outside_acl permit ip host [outside host ip] host [machine global ip] (hitcnt=0)
No hits on the ACL.
ACL on the management interface:
access-list management_acl permit ip host [local ip of machine] any
From what you have sent, the config looks okay.
Does the host on the outside interface know how to route to the global IP of the management machine?
It might help if you actually posted the config; sometimes a second pair of eyes might spot something that has been missed.
The host on the outside interface resides on the same VLAN (subnet) as the PIX's outside interface, so it won't be a routing issue.
I have applied all the ACLs to the respective interfaces of the PIX.
By the way, for the translation to work, should some connection be initiated from the local machine first?
Okay, so not a routing issue then :-)
The answer to your question is no, you should not have to have a connection initiated from the local machine first.
It's difficult to go any further without the actual config. Have you managed to get any other traffic through from the outside? Have you applied the outside access-list to the outside interface?
Apologies if these seem very basic questions, but without the config it's a bit difficult.
No need to apologize, as far as I need solutions and you are here to help, and mainly because we all know any silly config can cause considerable mess, and network admins may not figure out the problem at hand.
Having said that, the outside ACL is applied to the outside interface. By the way, the PIX is on a production network, and any unapplied ACL would show up as connection problems if that were the case.
For your info, there are some other machines on the management interface with static translations for outside connections, and I can reach those machines from the outside host.
Well, the next thing to do is some packet debugging, I guess. It's a production firewall, so you'll have to make the call as to whether you can run it on live equipment, but if you narrow down the debugging it should be okay:
debug packet outside src "outside host ip address"
If you run this and then try pinging from the outside host, do you see traffic hitting the outside interface?
If you do, just to be sure, try
debug packet "management_interface" src "outside host"
It's very unlikely you will see anything, as you are not seeing a hit on the ACL, but it is worth looking.
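For reference, here is the complete shape of what the two posts above are describing: the static, both ACLs, the access-group bindings that the reply asks about, and the verification commands. This is an added example, not the original poster's configuration; the interface and ACL names follow the thread, while the addresses (outside host 203.0.113.5, global IP 203.0.113.20, local IP 10.20.30.40) are placeholders I chose. It narrows the posted `permit ip` to the protocols actually needed, and permits the echo-reply on the management side explicitly, since applying any ACL to the higher-security interface removes the default higher-to-lower permit. Comment lines are explanatory only.

```cisco
! Added example (not the poster's config); addresses are assumed placeholders.
! One-to-one static translation from the management interface to outside.
static (management,outside) 203.0.113.20 10.20.30.40 netmask 255.255.255.255 0 0

! Inbound from the outside host to the translated (global) address.
! Permit only what is needed rather than ip; echo is what the ping test uses.
access-list outside_acl permit icmp host 203.0.113.5 host 203.0.113.20 echo
access-list outside_acl permit tcp host 203.0.113.5 host 203.0.113.20 eq ssh
! The ACL does nothing until it is bound to the interface.
access-group outside_acl in interface outside

! ACL on the management interface: once an ACL is applied here the default
! higher-to-lower permit is gone, so the reply traffic from the machine must
! be permitted explicitly. The ping reply is an echo-reply, not an echo.
access-list management_acl permit icmp host 10.20.30.40 host 203.0.113.5 echo-reply
access-list management_acl permit ip host 10.20.30.40 any
access-group management_acl in interface management

! Verification from the PIX console while the outside host pings 203.0.113.20.
! Expect a "Global 203.0.113.20 Local 10.20.30.40" line once the xlate exists.
show xlate
! hitcnt on the echo line should climb with each ping; a stuck 0 means the
! packets never reach the outside interface or are matched earlier in the ACL.
show access-list outside_acl
! Narrow the debug to the one flow so it is safe enough on a production box.
debug packet outside src 203.0.113.5 dst 203.0.113.20
debug packet management src 203.0.113.5
! After changing a static or its ACL, drop stale translations so the new
! mapping is used. Note that clear xlate drops every translation on the PIX,
! so on production prefer the local-scoped form where the software supports it.
clear xlate local 10.20.30.40
```

If `show access-list` shows no hits and `debug packet outside` shows nothing for the flow, the packets are not arriving at the PIX at all, which is what the thread goes on to establish; the remaining checks belong on the outside host (its ARP entry and route for the global address), not in the PIX config.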
Yes, before posting this problem here, I tried the following on the PIX:
debug packet outside src [outside host ip] dst [machine global ip]
No traffic hits the outside interface when I try to ping from the outside host.
There is no xlate entry in the "sh xlate" output for the machine's local and global address.
Okay, I'm at a bit of a loss now. I just did a few tests with NAT etc. on one of our PIX firewalls.
If you aren't seeing any packets hitting the outside interface, then obviously it suggests the outside host machine is not sending packets to the outside interface of the PIX for this machine.
Have you checked the IP addressing/routing on the host to ensure there is nothing funny with the particular server you are trying to contact?
Can't think of much more at the moment.
I have solved the problem. What I did is, after configuring the static NAT and the necessary ACLs, I initiated an outbound connection from the local machine (on the management interface), and then I can see the xlate entry in the "sh xlate" output. It works fine after that. So I think initiating some traffic from the local machine is necessary.
Okay, glad you have found a workaround.
Not trying to prove a point, but you shouldn't have to do this. If you did have to do this, then every firewall admin who set up web servers etc. on a DMZ would have to have those servers initiate outbound connections to set up an xlate before anyone on the Internet could connect through to the web server. This is clearly not the way the PIX, or any other firewall, works.
Still, as I say, glad you have found a workaround.