Inside hosts Do NOT talk to each other---Pix 506, Pix 515E

sean chang

Good Morning, Everyone,

We have a Pix 515E and a Pix 506E, both configured roughly the same: private IPs for the inside networks, NAT for web/SSH servers for incoming access. The problem is: inside hosts can't access these servers with NAT translation (can't ping, can't http, can't ssh). I thought they are all on the same network and wouldn't touch the pix firewall, so why don't they talk to each other? We used to use CheckPoint and never had such a problem with intra-private-network access:

(an abbreviated show running-config below):

Result of firewall command: "show running-config"
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
names
name 192.168.1.100 PrvEcommerce
name 192.168.1.150 import
name 206.246.202.19 import-outside
name 209.96.203.2 gateway-cnf
name 209.96.203.21 shark
name 206.246.202.22 SU-PC
name 192.168.1.50 su-pc
access-list outside_access_in permit tcp any host 206.246.202.20 eq www
access-list outside_access_in deny tcp host shark any
access-list outside_access_in permit tcp any host 206.246.202.20 eq 3306
access-list outside_access_in permit tcp 209.96.203.0 255.255.255.192 host 206.246.202.20 eq ssh
access-list outside_access_in permit icmp any 206.246.202.0 255.255.255.0 echo
access-list outside_access_in permit tcp any host 206.246.202.21 eq www
access-list outside_access_in permit tcp 209.96.203.0 255.255.255.192 host 206.246.202.21 eq ssh
access-list outside_access_in permit tcp any host 206.246.202.20 eq https
access-list outside_access_in permit tcp any host import-outside eq www
access-list outside_access_in permit tcp any host import-outside eq 819
access-list outside_access_in permit tcp any host import-outside eq 3306
access-list outside_access_in deny tcp any any
pager lines 24
icmp permit any echo-reply outside
mtu outside 1500
mtu inside 1500
ip address outside 206.246.202.18 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location PrvEcommerce 255.255.255.255 inside
pdm location 206.246.202.20 255.255.255.255 outside
pdm location 192.168.1.200 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 206.246.202.21 255.255.255.255 outside
pdm location 206.246.194.0 255.255.255.0 outside
pdm location 209.96.203.0 255.255.255.0 outside
pdm location 209.96.203.0 255.255.255.192 outside
pdm location import 255.255.255.255 inside
pdm location import-outside 255.255.255.255 outside
pdm location gateway-cnf 255.255.255.255 outside
pdm location shark 255.255.255.255 outside
pdm location su-pc 255.255.255.255 inside
pdm location SU-PC 255.255.255.255 outside
pdm location 10.1.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 2 206.246.202.57-206.246.202.62 netmask 255.255.255.248
global (outside) 1 interface
global (inside) 8 su-pc-192.168.1.200
global (inside) 4 192.168.1.10-192.168.1.240 netmask 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) 206.246.202.20 PrvEcommerce netmask 255.255.255.255 0 0
static (outside,inside) PrvEcommerce 206.246.202.20 netmask 255.255.255.255 0 0
static (inside,outside) 206.246.202.21 192.168.1.200 netmask 255.255.255.255 0 0
static (outside,inside) 192.168.1.200 206.246.202.21 netmask 255.255.255.255 0 0
static (inside,outside) import-outside import netmask 255.255.255.255 0 0
static (outside,inside) import import-outside netmask 255.255.255.255 0 0
static (inside,outside) SU-PC su-pc netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 206.246.202.17 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00
: end

Any suggestions and ideas are greatly appreciated.

sean chang


grant.maynard

What IPs are the internal users trying to access? 192.168.1.x or 206.246.202.x?

I don't completely understand your situation but your NAT set-up is very bizarre. I have never used "global (inside).."

If users are trying to get to 192.168.1.x, try removing these lines:

static (outside,inside) ......

global (outside) 2 .....

global (inside) 8 ......

global (inside) 4 ......


Thank you Grant.maynard for the prompt response.

Yes. What we are trying is to access 192.168.1.x hosts from other 192.168.1.x hosts, i.e. from 192.168.1.100 to 192.168.1.200. We can ssh/http to the host 192.168.1.200 by its outside IP from the internet, but we can't access it from the inside private networks. The setup was initially done by our ISP.

Should static(outside,inside) be used for NAT? This stuff was set up by https (PDM), not by command line. I'll try to reconfigure by PDM first; if not, let me try the command line. I'll let you know the results.

"static(outside,inside)" is used where you want to NAT an IP address on the internet, so that to you it appears as a different address. From the inside it is a destination NAT.

You said you had two PIXs - is VPN involved?

Thank you grant,

No VPN involved, just separate branches.

Good news, the Pix 506 inside hosts now work!!! They can talk to each other, really really overjoyed.

I modeled the Pix 515E on the 506, but we have a huge active production network here. I'll try at about 12-1 EST because most people are on lunch. I'll let you know the results. Thanks again.

Problem Solved, Thank you very much Grant.

You are obviously an expert on pix firewall. Our ISP "network specialist" didn't do the job. You have saved me lots of headache and pain.

Have a nice day

Can I just ask a question here, for the sake of clarity?

As you said, if hosts are on the same internal network, they have no need to talk to the PIX. If the hosts reside on an external network, then yes, I can see how the PIX has an involvement here.

How did you manage to solve the problem? By following Grant's solution?

Gary

Yes, Gary. Your understanding is correct.

For our 506, we had extra global 8 (inside), global 4 (inside)... definitely not needed (don't know how they were added); only one global is needed (for PAT). I got rid of these globals and also made sure I don't see anything like static(outside,inside); for NAT you only need static(inside,outside). For the 515E, I had added it this way before, like a loop (inside->outside, outside->inside), and internal hosts couldn't see each other sometimes, not all the time. I learned this the hard way: our internal ERP system was randomly inaccessible from inside PCs, and I had to switch back to CheckPoint before I tried it again yesterday. Now everything looks great.

HTH
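An added audit check, not from the thread or from Cisco, that reads a PIX 6.x running-config and flags the two patterns Grant and Sean removed: a static (outside,inside) that mirrors an existing static (inside,outside) (the "loop"), and global pools whose ID no nat statement references (the stray global 2, 4 and 8). The config excerpt is constructed from the lines posted above.

```python
import re

# Constructed excerpt of the PIX 6.3 running-config posted in the thread.
SAMPLE_CONFIG = """
global (outside) 2 206.246.202.57-206.246.202.62 netmask 255.255.255.248
global (outside) 1 interface
global (inside) 8 su-pc-192.168.1.200
global (inside) 4 192.168.1.10-192.168.1.240 netmask 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) 206.246.202.20 PrvEcommerce netmask 255.255.255.255 0 0
static (outside,inside) PrvEcommerce 206.246.202.20 netmask 255.255.255.255 0 0
static (inside,outside) SU-PC su-pc netmask 255.255.255.255 0 0
"""

# static (real_if,mapped_if) MAPPED REAL ...  |  global (if) ID ...  |  nat (if) ID ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+)")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+)")


def audit_pix_nat(config: str) -> dict:
    """Return {category: [offending config lines]} for a PIX 6.x config."""
    statics, globals_, nat_ids = [], [], set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.append((m.groups(), line))
        elif m := GLOBAL_RE.match(line):
            globals_.append((int(m.group(2)), line))
        elif m := NAT_RE.match(line):
            nat_ids.add(int(m.group(2)))
    findings = {"reverse_static": [], "orphan_global": []}
    # 1. static (inside,outside) MAPPED REAL plus its mirror
    #    static (outside,inside) REAL MAPPED: the inside->outside->inside loop.
    forward = {(mapped, real) for (a, b, mapped, real), _ in statics
               if (a, b) == ("inside", "outside")}
    for (a, b, mapped, real), line in statics:
        if (a, b) == ("outside", "inside") and (real, mapped) in forward:
            findings["reverse_static"].append(line)
    # 2. A global pool whose ID no nat statement uses is dead weight; only the
    #    single PAT pool paired with nat (inside) 1 is actually needed here.
    for nat_id, line in globals_:
        if nat_id not in nat_ids:
            findings["orphan_global"].append(line)
    return findings


if __name__ == "__main__":
    for category, lines in audit_pix_nat(SAMPLE_CONFIG).items():
        print(category, *lines, sep="\n  ")
```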

Thanks for clearing that up. I'll avoid that in future!

gary
