06-12-2008 10:47 AM - edited 03-11-2019 05:58 AM
What I am trying to do is set up a PIX with 2 outside interfaces (see Drawing 1). Below is the configuration.
--------------------
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet0 vlan16 logical
interface ethernet1 auto
interface ethernet1 vlan3 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 inside_pc_vlan3 security99
nameif vlan16 outside_pc_vlan16 security1
/SNIP/
access-list 101 permit ip any any
access-list inside_pc_vlan3_access_in permit ip 192.168.6.0 255.255.254.0 192.168.5.0 255.255.255.0
access-list inside_pc_vlan3_access_in permit ip 192.168.6.0 255.255.254.0 any
/SNIP/
ip address outside 192.168.136.2 255.255.255.0
ip address inside 192.168.5.254 255.255.255.0
ip address inside_pc_vlan3 192.168.7.254 255.255.254.0
ip address outside_pc_vlan16 192.168.26.2 255.255.254.0
/SNIP/
global (outside) 1 192.168.136.20-192.168.136.245
global (outside) 1 interface
global (outside_pc_vlan16) 16 192.168.26.20-192.168.27.245
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside_pc_vlan3) 16 0.0.0.0 0.0.0.0 0 0
/SNIP/
static (inside,inside_pc_vlan3) 192.168.5.0 192.168.5.0 netmask 255.255.255.0 0 0
access-group 101 in interface outside
access-group inside_pc_vlan3_access_in in interface inside_pc_vlan3
route outside 0.0.0.0 0.0.0.0 192.168.136.1 1
/SNIP/
---------------------
When I try to connect from a PC on inside_pc_vlan3 to an external machine I get the following error:
%PIX-3-305006: portmap translation creation failed for tcp src inside_pc_vlan3:192.168.6.1/2802 dst outside:192.168.133.207/80
However, when I move inside_pc_vlan3's nat to the outside interface via
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
Everything works, except it is using the wrong interface and wrong NAT pool...
I think the error is in the routing, because from the error it appears that the failure is on the "outside" interface, but I don't know how to fix it.
Recommendations?
06-12-2008 12:42 PM
This is the expected behavior: you are trying to reach "192.168.133.207", which is not directly connected (in your routing table). So the PIX assumes this has to go out the default route (going towards the "outside" interface). The nat statement for the inside_pc_vlan3 zone is:
nat (inside_pc_vlan3) 16 0.0.0.0 0.0.0.0 0 0
The PIX is looking for a corresponding global statement i.e.
global (outside) 16 XYZ
Since that is not there, it is complaining.
Also in your diagram you mentioned inside_pc_vlan3's IP on the PIX is "192.168.5.254" yet in the config it is "192.168.7.254" and lastly the traffic you are initiating is "192.168.6.0/24" so what is the real subnet my friend? .5 .6 or .7? :) .5 it cannot be because that is the subnet for inside.
Regards
Farrukh
06-12-2008 12:57 PM
Thanks for the reply...
Sorry I munged the drawing. The config is right. The interface address for vlan3 is 7.254 not 5.254...
I have a global that matches 16
global (outside_pc_vlan16) 16 192.168.26.20-192.168.27.245
Why would I have to define one for the outside interface?
What I want to do is NAT from inside_pc_vlan3 to outside_pc_vlan16.
06-12-2008 01:02 PM
Because the route lookup is done *first* and then NAT kicks in.
Source = 192.168.6.0
Destination Lookup = 192.168.133.0/ 24 is reachable via where? "Outside"
Since the default gateway is pointing towards there.
So it's looking for a global (outside) and NOT global (outside_pc_vlan16)
Hope this helps
Regards
Farrukh
06-12-2008 02:23 PM
Ahh, that makes sense....
How do I fix it? What I need is a way to make the default route for the inside_pc_vlan3 interface to point to outside_vlan16 instead of outside. Is this doable?
06-13-2008 03:17 AM
You cannot have two default routes on the Cisco firewall for two different interfaces. Or if you are looking to go out to specific subnets/destinations, you could add specific routes for those destinations pointing towards the second outside interface, like
route 192.168.133.0 255.255.255.0 outside_pc_vlan16
Why don't you use a common outside subnet for both inside subnets?
Regards
Farrukh
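To make the route-first-then-NAT behaviour from Farrukh's two replies concrete, here is an added Python model; it is not code from this thread or from Cisco, and it only mimics the order of operations the replies describe. The route table, nat ids and global pools are taken from the config posted above, and the last call adds the specific route suggested in this reply.

```python
import ipaddress

# Constructed model of the PIX 6.3 order of operations described in the thread:
# the egress interface is chosen by route lookup first, and only then does the
# nat id on the ingress interface have to find a global on that egress interface.

# Connected and static routes from the posted config: (prefix, egress interface)
ROUTES = [
    ("192.168.136.0/24", "outside"),
    ("192.168.5.0/24", "inside"),
    ("192.168.6.0/23", "inside_pc_vlan3"),      # 192.168.7.254 255.255.254.0
    ("192.168.26.0/23", "outside_pc_vlan16"),   # 192.168.26.2 255.255.254.0
    ("0.0.0.0/0", "outside"),                   # route outside 0.0.0.0 0.0.0.0 192.168.136.1
]
# nat (ifc) <id> 0.0.0.0 0.0.0.0 from the posted config
NAT = {"inside": 1, "inside_pc_vlan3": 16}
# global (ifc) <id> ... from the posted config
GLOBALS = {("outside", 1), ("outside_pc_vlan16", 16)}

# Farrukh's suggested fix: a specific route for the destination subnet
FIXED_ROUTES = ROUTES + [("192.168.133.0/24", "outside_pc_vlan16")]


def egress_interface(dst, routes):
    """Longest-prefix match over the route table; None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, ifc in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None


def translate(src_ifc, dst, routes=ROUTES, nat=NAT, globals_=GLOBALS):
    """Return (egress_interface, ok).

    ok is False when the ingress interface's nat id has no matching global on
    the egress interface, which is the condition behind %PIX-3-305006 above.
    """
    egress = egress_interface(dst, routes)
    nat_id = nat.get(src_ifc)
    ok = nat_id is not None and (egress, nat_id) in globals_
    return egress, ok


if __name__ == "__main__":
    print(translate("inside_pc_vlan3", "192.168.133.207"))                # ('outside', False)
    print(translate("inside", "192.168.133.207"))                         # ('outside', True)
    print(translate("inside_pc_vlan3", "192.168.133.207", FIXED_ROUTES))  # ('outside_pc_vlan16', True)
```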
06-16-2008 05:57 AM
Thanks, that is what I thought. I am trying to roll from a legacy structure to a new subnet without a hard cutover. I guess I will have to go to a single subnet infrastructure...
Thanks again.
06-16-2008 06:54 AM
No problems at all, glad I could help.
Regards
Farrukh
06-17-2008 01:10 PM
Just thinking, would this implementation be a possibility if I upgraded to 7.X? Couldn't I set up 2 virtual firewalls and have each route accordingly?
06-17-2008 06:38 PM
Yes you can. I was thinking of suggesting this, but you even want communication between the two insides....that will make the setup a little complex.
Regards
Farrukh
06-25-2008 05:00 AM
Cool, I am going to do some research in this direction. Thanks...
06-25-2008 08:46 AM
With contexts you will lose all VPN functionality.
06-25-2008 08:56 AM
Yes, that is true. Also there will be no more dynamic routing, QoS etc.
Regards
Farrukh
06-25-2008 11:53 AM
That is OK, I am not, nor will I be, using VPN or dynamic routing...