03-22-2007 04:32 AM - edited 03-11-2019 02:50 AM
I seem to have stumbled on an issue in our test environment. Please see explanation below and relevant lines of the configuration.
We have a PIX that is using 2 interfaces, inside and outside, no DMZ.
The network outside of the PIX is 10.1.0.0/16. The network inside the PIX is 172.16.15.0/27.
Behind the PIX is a web server. NAT is configured so that HTTP traffic to the web server which is directed at its external ip address (10.1.96.2), is port redirected to its real ip address on the inside (172.16.15.30). This is achieved using static NAT.
The web server needs to initiate outbound traffic. In this example I have configured it to be able to do DNS lookups on external servers (10.1.15.98 + 99). The "inside" access-list and nat/global pair achieve this.
OK so far. For argument's sake the web server needs to receive HTTP traffic from the same source IP address. I have achieved this using outside NAT with another nat/global pair. All inbound HTTP requests appear to the web server as 192.168.0.1.
This is when the problem occurs. The inbound HTTP requests still succeed. The destination IP address is changed to the web server's real IP address and the source IP address is changed to the address configured with the inside global. This has been verified by entries in the web server logs.
What now fails to work is any outbound requests. The error I see on the PIX is:
"No translation group found for udp src inside:172.16.15.30/1340 dst outside:10.1.15.99/53"
I am puzzled, as this message normally appears when NAT has not been configured, yet it has been and has worked up until this point.
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside permit tcp any host 10.1.96.2 eq www
access-list outside deny ip any any
access-list policy-nat permit tcp any host 10.1.96.2 eq www
access-list inside permit tcp host 172.16.15.30 host 10.1.15.98 eq domain
access-list inside permit tcp host 172.16.15.30 host 10.1.15.99 eq domain
access-list inside permit udp host 172.16.15.30 host 10.1.15.99 eq domain
access-list inside permit udp host 172.16.15.30 host 10.1.15.98 eq domain
ip address outside 10.1.96.1 255.255.0.0
ip address inside 172.16.15.1 255.255.255.224
global (outside) 2 10.1.96.2
global (inside) 1 192.168.0.1
nat (outside) 1 access-list policy-nat outside 0 0
nat (inside) 2 172.16.15.30 255.255.255.255 0 0
static (inside,outside) tcp 10.1.96.2 www 172.16.15.30 www netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group inside in interface inside
03-22-2007 08:58 AM
Hi There,
This is a known problem when using outside NAT. Please try implementing the following commands and check if this resolves the issue:
no nat (outside) 1 access-list policy-nat outside
no global (inside) 1 192.168.0.1
access-list nonat deny tcp any host 10.1.96.2 eq 80
access-list nonat permit ip any any
nat (outside) 0 access-list nonat outside
nat (outside) 1 access-list policy-nat outside
global (inside) 1 192.168.0.1
clear xlate
Let me know if this helps in resolving your issue. I'll be glad to explain once things work.
Regards,
Vibhor.
03-22-2007 10:13 AM
Hi Vibhor
Thank you for the information. I have run the commands that you have suggested. I can now initiate outbound traffic. However, the outside NAT does not work, so the source IP address of a machine on the outside making an HTTP request is received by the web server unchanged.
The point of doing this was so that all requests appear to the web server with the same IP address.
Many thanks
Gary
03-24-2007 09:29 AM
Hi Gary,
That's weird. If you have syslogs, could you pass them on?
Regards,
Vibhor.
03-26-2007 01:56 AM
Hi Vibhor
Nothing in the syslogs really - see below:
305011: Built static TCP translation from inside:172.16.15.30/80 to outside:10.1.96.2/80
302013: Built inbound TCP connection 38 for outside:10.1.102.60/1701 (10.1.102.60/1701) to inside:172.16.15.30/80 (10.1.96.2/80)
304001: 10.1.102.60 Accessed URL 10.1.96.2:/
Web Logs are consistent with the above:
#Date: 2007-03-26 08:39:57
#Fields: time c-ip s-ip s-port cs-method cs-uri-stem sc-status
08:39:57 10.1.102.60 172.16.15.30 80 GET /Default.htm 200
08:40:42 10.1.102.60 172.16.15.30 80 GET /Default.htm 304
08:41:32 10.1.102.60 172.16.15.30 80 GET /Default.htm 304
Regards
Gary
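The syslog and web log lines above are enough to tell whether outside NAT is actually rewriting the source address: in a PIX 302013 "Built inbound TCP connection" message the address in parentheses is the mapped address, so a source whose mapped address equals its real address was not translated, and the IIS log's c-ip column should show only the global (192.168.0.1) if translation were in effect. The script below is an added example, not part of this thread or of any Cisco tool; it parses the lines Gary posted (copied here as constructed sample input) plus one constructed 302013 line for connection 39 that shows what a translated source would look like, and reports which inbound connections to the web server were translated. The expected mapped address, the web server's real address and the parsing helpers are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the PIX syslog lines from the post, plus a
# constructed line (connection 39) showing a source that *was* translated.
PIX_SYSLOG = """\
305011: Built static TCP translation from inside:172.16.15.30/80 to outside:10.1.96.2/80
302013: Built inbound TCP connection 38 for outside:10.1.102.60/1701 (10.1.102.60/1701) to inside:172.16.15.30/80 (10.1.96.2/80)
304001: 10.1.102.60 Accessed URL 10.1.96.2:/
302013: Built inbound TCP connection 39 for outside:10.1.102.61/2201 (192.168.0.1/2201) to inside:172.16.15.30/80 (10.1.96.2/80)
"""

# Constructed sample input: the IIS W3C log lines from the post.
IIS_LOG = """\
#Date: 2007-03-26 08:39:57
#Fields: time c-ip s-ip s-port cs-method cs-uri-stem sc-status
08:39:57 10.1.102.60 172.16.15.30 80 GET /Default.htm 200
08:40:42 10.1.102.60 172.16.15.30 80 GET /Default.htm 304
"""

# Assumed values taken from the thread's configuration.
EXPECTED_MAPPED_SRC = "192.168.0.1"   # global (inside) 1
WEB_SERVER_REAL = "172.16.15.30"      # real address of the web server

# 302013 format: interface:real/port (mapped/port) to interface:real/port (mapped/port)
CONN_RE = re.compile(
    r"302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<sif>\w+):(?P<sreal>[\d.]+)/(?P<sport>\d+) \((?P<smap>[\d.]+)/\d+\) to "
    r"(?P<dif>\w+):(?P<dreal>[\d.]+)/(?P<dport>\d+) \((?P<dmap>[\d.]+)/\d+\)"
)


@dataclass
class Conn:
    conn_id: int
    src_if: str
    src_real: str
    src_mapped: str
    dst_if: str
    dst_real: str
    dst_mapped: str


def parse_connections(text):
    """Extract every 302013 connection-build event from PIX syslog text."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conns.append(Conn(int(m["id"]), m["sif"], m["sreal"], m["smap"],
                              m["dif"], m["dreal"], m["dmap"]))
    return conns


def check_outside_nat(conns, expected_mapped_src=EXPECTED_MAPPED_SRC):
    """Classify each inbound connection to the web server by whether its source was translated."""
    findings = {}
    for c in conns:
        if c.src_if != "outside" or c.dst_real != WEB_SERVER_REAL:
            continue
        if c.src_mapped == c.src_real:
            findings[c.conn_id] = "untranslated"      # outside NAT did not apply
        elif c.src_mapped == expected_mapped_src:
            findings[c.conn_id] = "translated"        # source rewritten to the global
        else:
            findings[c.conn_id] = "unexpected:" + c.src_mapped
    return findings


def parse_iis(text):
    """Parse a W3C extended log into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def web_log_client_ips(rows):
    """Distinct client addresses the web server saw."""
    return sorted({r["c-ip"] for r in rows})


def outside_nat_effective(rows, expected_mapped_src=EXPECTED_MAPPED_SRC):
    """True only if every request reached the server from the expected global address."""
    return web_log_client_ips(rows) == [expected_mapped_src]


if __name__ == "__main__":
    print(check_outside_nat(parse_connections(PIX_SYSLOG)))
    print("outside NAT effective per web log:", outside_nat_effective(parse_iis(IIS_LOG)))
```

Run against the posted lines, connection 38 is reported as untranslated and the web log shows only 10.1.102.60 as a client, which is exactly the symptom described in the thread; the constructed connection 39 shows what the same syslog message looks like when the source is mapped to the global.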
03-26-2007 09:41 PM
Thanks for the logs. Please try using these commands:
no access-list nonat deny tcp any host 10.1.96.2 eq 80
no access-list nonat permit ip any any
no nat (outside) 0 access-list nonat outside
no nat (outside) 1 access-list policy-nat outside
clear xlate
access-list nonat deny ip any host 10.1.96.2
access-list nonat permit ip any any
nat (outside) 1 access-list policy-nat outside
nat (outside) 0 access-list nonat outside
clear xlate
Let me know if this helps.
Regards,
Vibhor.
03-27-2007 02:05 AM
Hi Vibhor
Thank you for the info. Unfortunately this just results in the same - traffic flows inbound and outbound but the outside nat fails to work anymore.
Please see a cut down of the configuration to verify:
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside permit tcp any host 10.1.96.2 eq www
access-list outside deny ip any any
access-list policy-nat permit tcp any host 10.1.96.2 eq www
access-list inside permit tcp host 172.16.15.30 host 10.1.15.98 eq domain
access-list inside permit tcp host 172.16.15.30 host 10.1.15.99 eq domain
access-list inside permit udp host 172.16.15.30 host 10.1.15.99 eq domain
access-list inside permit udp host 172.16.15.30 host 10.1.15.98 eq domain
access-list nonat deny ip any host 10.1.96.2
access-list nonat permit ip any any
ip address outside 10.1.96.1 255.255.0.0
ip address inside 172.16.15.1 255.255.255.224
ip audit info action alarm
ip audit attack action alarm
global (outside) 2 10.1.96.2
global (inside) 1 192.168.0.1
nat (outside) 0 access-list nonat outside
nat (outside) 1 access-list policy-nat outside 0 0
nat (inside) 2 172.16.15.30 255.255.255.255 0 0
static (inside,outside) tcp 10.1.96.2 www 172.16.15.30 www netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group inside in interface inside
Regards
Gary
03-27-2007 06:47 PM
Hey Gary,
Thanks for the latest snippet of config, I was looking for that. Now this is not good. The configuration is perfect and things should work. Could you tell me what version is running on PIX? I'm afraid that we may be looking into a bug.
Regards,
Vibhor.
03-28-2007 01:25 AM
Hi Vibhor
Running 6.3(4)
Gary