515e eth0 and eth1 not seeing each other's networks

dsingleterry
Level 1

I feel like a n00b here, but I'm having trouble with something that should be basic, so note the following question as one asked with a sheepish grin...

Problem: I have a 515e set up to authenticate to a DSL modem that supplies me with one public IP over the ethernet0 of the 515e. From the 515e I can ping the outside world.

I have ethernet1 seeing an internal network 192.168.50.0, pingable from the 515e as well.

Computers on the inside of the 515e cannot see through to the outside, ping, or anything.

I am assuming I have set up my nat or global wrong, but from the documentation I've been reading, they all assume you have more than one outside IP address to work with. I just need to take all the users on the inside and get them using the one IP on the outside interface. I am also going to be setting up several VPNs over that interface; is it unwise to use only one for everything?

Here's my config:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password ********** encrypted
passwd ************ encrypted
hostname YRPCI
domain-name yearroundpool.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name x.x.x.x Bluff_Outside
access-list acl_out permit tcp 192.168.50.0 255.255.255.0 any
access-list acl_out permit icmp any any
access-list acl_out permit ip any any
access-list acl_in permit icmp any any
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host Bluff_Outside
access-list outside_cryptomap_9 permit ip 192.168.50.0 255.255.255.0 host Bluff_Outside
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside pppoe setroute
ip address inside 192.168.50.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.50.0 255.255.255.255 inside
pdm location Bluff_Outside 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 200 interface
global (inside) 100 192.168.50.8-192.168.50.254
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
floodguard enable
no sysopt route dnat
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 9 ipsec-isakmp
crypto map outside_map 9 match address outside_cryptomap_9
crypto map outside_map 9 set peer 64.53.71.8
crypto map outside_map 9 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
ssh timeout 5
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname ************
vpdn group pppoex ppp authentication pap
vpdn username *********** password *********

Thank you for your time in advance.

Dave

Accepted Solution

tvanginneken
Level 4

Hi,

Indeed, there is something wrong with your nat/global config.

Remove these lines:

global (outside) 200 interface
global (inside) 100 192.168.50.8-192.168.50.254
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0 0 0

and replace them with these lines:

global (outside) 200 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 200 0.0.0.0 0.0.0.0 0 0

The "nat (inside) 0" is part of the VPN configuration.

What is important now are the "nat (outside) 200" and "global (outside) 200" commands.

You should always have a nat/global pair with the same id (=200 in this case). All addresses on the inside (0.0.0.0 0.0.0.0) will be translated to the IP address of the outside PIX interface.

This will allow all outside access initiated from inside addresses (except ICMP!).

If you want all internal hosts to have full access to the outside, you may remove the "acl_out" access-list.

Kind Regards,

Tom
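The pairing rule Tom describes (every non-zero nat id needs a global with the same id on a lower-security interface, and a bare "nat 0 0.0.0.0 0.0.0.0" exempts everything from translation) can be checked mechanically. The following is an added example, not code from the thread or from Cisco; it lints the nat/global lines of a PIX 6.x config and uses the poster's own security levels and the two configs from the question and the answer as constructed input.

```python
import re

# Security levels taken from the poster's nameif lines (assumed fixed for this example).
SECURITY = {"outside": 0, "inside": 100, "intf2": 10}

LINE_RE = re.compile(r"^(nat|global) \((\w+)\) (\d+)\s*(.*)$")


def lint_nat_global(config: str, security=SECURITY) -> list:
    """Return findings about nat/global pairing in a PIX 6.x style config."""
    nats, globs = [], []
    for raw in config.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, iface, nid, rest = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        (nats if kind == "nat" else globs).append((iface, nid, rest))

    findings = []
    glob_ids = {g[1] for g in globs}
    for iface, nid, rest in nats:
        if nid == 0:
            # nat 0 with an access-list is VPN exemption; a bare 0.0.0.0 0.0.0.0 exempts every host
            if rest.startswith("0.0.0.0 0.0.0.0"):
                findings.append(f"nat ({iface}) 0 0.0.0.0 0.0.0.0 exempts all {iface} hosts, so no PAT happens")
        elif nid not in glob_ids:
            findings.append(f"nat ({iface}) {nid} has no global with id {nid}")
    for iface, gid, _ in globs:
        partners = [n for n in nats if n[1] == gid]
        if not partners:
            findings.append(f"global ({iface}) {gid} has no nat with id {gid}")
        for niface, _, _ in partners:
            # the pool must live on a lower-security interface than the nat source
            if security[iface] >= security[niface]:
                findings.append(f"global ({iface}) {gid} is not lower-security than nat ({niface}) {gid}")
    return findings


# Constructed from the nat/global lines in the question and in the accepted answer.
BROKEN = """global (outside) 200 interface
global (inside) 100 192.168.50.8-192.168.50.254
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0 0 0"""

FIXED = """global (outside) 200 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 200 0.0.0.0 0.0.0.0 0 0"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_nat_global(cfg) or ["ok"])
```

The broken config yields three findings (the catch-all nat 0, and two globals without a nat partner); the corrected one yields none.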


Ah, well that makes sense... thank you. I will try the config soon and respond again if I have any trouble. Again, thank you for your help.

:)

Dave
