06-21-2006 06:00 AM - edited 02-21-2020 12:59 AM
Good Morning, Everyone,
We have a Pix 515E and a Pix 506E, both configured roughly the same: private IPs for the inside networks, NAT for the web/SSH servers for incoming access. The problem is: inside hosts can't access these servers with NAT translation (can't ping, can't http, can't ssh). I thought they are all on the same network and wouldn't touch the PIX firewall, but why don't they talk to each other? We used to use CheckPoint and never had such a problem with intra-private-network access:
(an abbreviated show running-config below):
Result of firewall command: "show running-config"
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
names
name 192.168.1.100 PrvEcommerce
name 192.168.1.150 import
name 206.246.202.19 import-outside
name 209.96.203.2 gateway-cnf
name 209.96.203.21 shark
name 206.246.202.22 SU-PC
name 192.168.1.50 su-pc
access-list outside_access_in permit tcp any host 206.246.202.20 eq www
access-list outside_access_in deny tcp host shark any
access-list outside_access_in permit tcp any host 206.246.202.20 eq 3306
access-list outside_access_in permit tcp 209.96.203.0 255.255.255.192 host 206.246.202.20 eq ssh
access-list outside_access_in permit icmp any 206.246.202.0 255.255.255.0 echo
access-list outside_access_in permit tcp any host 206.246.202.21 eq www
access-list outside_access_in permit tcp 209.96.203.0 255.255.255.192 host 206.246.202.21 eq ssh
access-list outside_access_in permit tcp any host 206.246.202.20 eq https
access-list outside_access_in permit tcp any host import-outside eq www
access-list outside_access_in permit tcp any host import-outside eq 819
access-list outside_access_in permit tcp any host import-outside eq 3306
access-list outside_access_in deny tcp any any
pager lines 24
icmp permit any echo-reply outside
mtu outside 1500
mtu inside 1500
ip address outside 206.246.202.18 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location PrvEcommerce 255.255.255.255 inside
pdm location 206.246.202.20 255.255.255.255 outside
pdm location 192.168.1.200 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 206.246.202.21 255.255.255.255 outside
pdm location 206.246.194.0 255.255.255.0 outside
pdm location 209.96.203.0 255.255.255.0 outside
pdm location 209.96.203.0 255.255.255.192 outside
pdm location import 255.255.255.255 inside
pdm location import-outside 255.255.255.255 outside
pdm location gateway-cnf 255.255.255.255 outside
pdm location shark 255.255.255.255 outside
pdm location su-pc 255.255.255.255 inside
pdm location SU-PC 255.255.255.255 outside
pdm location 10.1.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 2 206.246.202.57-206.246.202.62 netmask 255.255.255.248
global (outside) 1 interface
global (inside) 8 su-pc-192.168.1.200
global (inside) 4 192.168.1.10-192.168.1.240 netmask 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) 206.246.202.20 PrvEcommerce netmask 255.255.255.255 0 0
static (outside,inside) PrvEcommerce 206.246.202.20 netmask 255.255.255.255 0 0
static (inside,outside) 206.246.202.21 192.168.1.200 netmask 255.255.255.255 0 0
static (outside,inside) 192.168.1.200 206.246.202.21 netmask 255.255.255.255 0 0
static (inside,outside) import-outside import netmask 255.255.255.255 0 0
static (outside,inside) import import-outside netmask 255.255.255.255 0 0
static (inside,outside) SU-PC su-pc netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 206.246.202.17 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00
: end
Any suggestions and ideas are greatly appreciated.
sean chang
06-21-2006 06:21 AM
What IPs are the internal users trying to access? 192.168.1.x or 206.246.202.x ?
I don't completely understand your situation but your NAT set-up is very bizarre. I have never used "global (inside).."
If users are trying to get to 192.168.1.x, try removing these lines:
static (outside,inside) ......
global (outside) 2 .....
global (inside) 8 ......
global (inside) 4 ......
06-21-2006 06:41 AM
Thank you Grant.maynard for the prompt response.
Yes, what we are trying to do is access 192.168.1.x hosts from other 192.168.1.x hosts, i.e. from 192.168.1.100 to 192.168.1.200. We can ssh/http to the host 192.168.1.200 by its outside IP from the internet, but we can't access it from the inside private network. The setup was initially done by our ISP.
Should static(outside,inside) be used for NAT? This stuff was set up via https (PDM), not by command line. I'll try reconfiguring via PDM first; if not, I'll try the command line. I'll let you know the results.
06-21-2006 07:22 AM
"static(outside,inside)" is used where you want to NAT an IP address on the internet, so that to you it appears as a different address. From the inside it is a destination NAT.
You said you had two PIXs - is VPN involved?
06-21-2006 07:36 AM
Thank you Grant,
No VPN involved, just separate branches.
Good news, the Pix 506 inside hosts now work!!! They can talk to each other; really, really overjoyed.
I modeled the Pix 515E on the 506, but we have a huge active production network here; I'll try around 12-1 EST because most people are at lunch. I'll let you know the results. Thanks again.
06-22-2006 04:23 AM
Problem Solved, Thank you very much Grant.
You are obviously an expert on PIX firewalls. Our ISP "network specialist" didn't do the job. You have saved me lots of headache and pain.
Have a nice day
06-22-2006 05:05 AM
Can I just ask a question here, for the sake of clarity?
As you said, if hosts are on the same internal network, they have no need to talk to the PIX. If the hosts reside on an external network, then yes, I can see how the PIX has an involvement here.
How did you manage to solve the problem? By following Grant's solution?
Gary
06-22-2006 06:44 AM
Yes, Gary. Your understanding is correct.
For our 506, we had extra global 8 (inside), global 4 (inside)... definitely not needed (don't know how they were added); only one global is needed (for PAT). I got rid of these globals and also made sure I don't see anything like static(outside,inside); for NAT you only need static(inside,outside). For the 515E, I had added it this way before, like a loop (inside->outside, outside->inside); internal hosts couldn't see each other sometimes, not all the time. I learned this the hard way: our internal ERP system was randomly inaccessible from inside PCs; I had to switch back to CheckPoint before I tried it again yesterday. Now everything looks great.
HTH
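As an added example (not from the thread, not from Cisco), here is a small Python audit that reads the NAT-related lines of a PIX 6.3 running-config and flags the three patterns Grant and Sean end up removing: global pools on the inside interface, global pools whose NAT id has no matching nat statement, and static (outside,inside) entries that mirror a static (inside,outside) (the "loop" Sean describes). The sample config is a constructed excerpt of the thread's posted config; the heuristic that a global pool on the highest-security interface is suspect is my assumption for a two-interface PIX, and the category names are mine.

```python
import re

# Constructed excerpt modelled on the NAT-related lines of the PIX 6.3
# config posted in the thread (names and addresses as posted there).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
global (outside) 2 206.246.202.57-206.246.202.62 netmask 255.255.255.248
global (outside) 1 interface
global (inside) 8 su-pc-192.168.1.200
global (inside) 4 192.168.1.10-192.168.1.240 netmask 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) 206.246.202.20 PrvEcommerce netmask 255.255.255.255 0 0
static (outside,inside) PrvEcommerce 206.246.202.20 netmask 255.255.255.255 0 0
static (inside,outside) import-outside import netmask 255.255.255.255 0 0
static (outside,inside) import import-outside netmask 255.255.255.255 0 0
static (inside,outside) SU-PC su-pc netmask 255.255.255.255 0 0
"""

NAMEIF_RE = re.compile(r"^nameif \S+ (\S+) security(\d+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
# PIX syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip ...
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) ")


def audit_pix_nat(config_text):
    """Return {category: [offending config lines]} for the NAT patterns
    the thread ends up removing (category names are this example's own):
      inside_global  - a global pool on the highest-security interface
                       (on a two-interface PIX nothing is translated toward it)
      orphan_global  - a global pool whose NAT id has no nat statement
      static_loop    - a static from the lower- to the higher-security
                       interface that mirrors an existing static (inside,outside)
      reverse_static - such a static without a mirror (destination NAT of an
                       outside address; legitimate, but worth a look)"""
    security = {}   # interface name -> security level
    pools = []      # (line, interface, nat_id)
    nat_ids = set()
    statics = []    # (line, real_ifc, mapped_ifc, mapped_ip, real_ip)

    for raw in config_text.splitlines():
        line = raw.strip()
        m = NAMEIF_RE.match(line)
        if m:
            security[m.group(1)] = int(m.group(2))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            pools.append((line, m.group(1), int(m.group(2))))
            continue
        m = NAT_RE.match(line)
        if m:
            nat_ids.add(int(m.group(2)))
            continue
        m = STATIC_RE.match(line)
        if m:
            statics.append((line,) + m.groups())

    findings = {"inside_global": [], "orphan_global": [],
                "static_loop": [], "reverse_static": []}
    highest = max(security.values(), default=None)

    for line, ifc, nat_id in pools:
        if highest is not None and security.get(ifc) == highest:
            findings["inside_global"].append(line)
        if nat_id not in nat_ids:
            findings["orphan_global"].append(line)

    seen = {(r, mi, mip, rip) for _, r, mi, mip, rip in statics}
    for line, real_ifc, mapped_ifc, mapped_ip, real_ip in statics:
        # Normal direction: real side is the higher-security interface.
        if security.get(real_ifc, 0) >= security.get(mapped_ifc, 0):
            continue
        # Does the mirror image static (inside,outside) real_ip mapped_ip exist?
        if (mapped_ifc, real_ifc, real_ip, mapped_ip) in seen:
            findings["static_loop"].append(line)
        else:
            findings["reverse_static"].append(line)
    return findings


def lines_to_remove(config_text):
    """Sorted, de-duplicated lines the audit recommends deleting
    (inside globals, orphaned globals and looped statics)."""
    f = audit_pix_nat(config_text)
    return sorted(set(f["inside_global"] + f["orphan_global"] + f["static_loop"]))


if __name__ == "__main__":
    for category, lines in audit_pix_nat(SAMPLE_CONFIG).items():
        for line in lines:
            print(f"{category:15s} {line}")
    print("\nrecommended removals (prefix each with 'no' on the PIX):")
    for line in lines_to_remove(SAMPLE_CONFIG):
        print("  no", line)
```

Run against the sample, `lines_to_remove` returns exactly the five lines Grant named: `global (outside) 2`, both `global (inside)` pools and the two `static (outside,inside)` entries, while leaving `global (outside) 1 interface` and the forward `static (inside,outside)` statements alone. The loop check keys on the interface pair and the swapped address pair, so it will not flag a genuine destination NAT of an outside address that has no mirror; those land in `reverse_static` for a human to judge.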
06-22-2006 08:45 AM
Thanks for clearing that up. I'll avoid that in future!
gary