Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

NAT Problem in PIX 525

Hello All,

I have a PIX 525 configured with 3 interfaces (inside,outside,DMZ). This PIX is connected to a cisco core 4100R switch. I want to let a specific VLAN with a subnet (10.2.0.0) to remote desktop and ping the DMZ web and mail servers. However, after i created a dynamic NAT and access-list, users in this VLAN still not ping or RDP to the servers. Please check the following config:

global (outside) 1 192.168.1.11

global (dmz) 1 10.11.0.130-10.11.0.135 netmask 255.255.255.0

nat (inside) 1 10.2.0.0 255.255.0.0

access-list outgoing extended permit ip 10.2.0.0 255.255.0.0 10.11.0.0 255.255.0.0

access-list outgoing extended permit icmp 10.2.0.0 255.255.0.0 10.11.0.0 255.255.0.0 echo

access-list outgoing extended permit icmp 10.2.0.0 255.255.0.0 10.11.0.0 255.255.0.0 echo-reply

access-group outgoing in interface inside

Notice:

DMZ : 10.11.0.0/24

inside VLAN: 10.2.0.0/16

Web server: 10.11.0.13

Mail server: 10.11.0.12

Please correct me if i am wrong.

Thank You

11 REPLIES
New Member

Re: NAT Problem in PIX 525

Hi,

Your configuration seems ok to me...

Maybe, you can:

- try the command "clear xlate" which clears the translation table on your PIX

- make sure that you can RDP and ping your servers, EVEN if you are in the DMZ (try with a host in the DMZ)

- Check PIX logs and verify that no packets are dropped

- No nat from the inside to the DMZ:

static (inside,dmz) 10.2.0.0 10.2.0.0 netmask 255.255.0.0 0 0 and check if it works

Maybe other people will have accurate suggestions...

Thanks to give us update about your case.

New Member

Re: NAT Problem in PIX 525

What version of code is this PIX running? Your config looks ok with regards to traffic going from the inside to DMZ. Depending on the version traffic may be treated differently.

Silver

Re: NAT Problem in PIX 525

Perhaps this is because you are using a /16 mask in the ACLs, but in your global you are using a /24 mask....

New Member

Re: NAT Problem in PIX 525

Hello walker,

Actually, the mask in the access-list is not a real subnet mask but it's a wild card mask to identify between hosts and subnets and that's it. In global commands, the mask is the real subnet mask.

My PIX is running OS 7.0(1) and i am really wondering why it's not working since my config is okay. And yes, i can RDP and ping the servers from a host in the DMZ too.

Any other suggestions?!!

Gold

Re: NAT Problem in PIX 525

are there other ACL entries in your access-list thats applied to the inside interface?? assuming a security level of 100, all traffic to other interfaces should be allowed...w/o an ACL.

you probably dont need to nat when going from the inside to the dmz interface...as one other person suggested, just static nat the 10.2.0.0 subnet to itself, or do it with a nat 0 command (which is what i use to get to my dmz). i assume your pix knows how to get back to the 10.2.0.0 subnet? (a ping from the pix to a 10.2.x.x host can confirm this).

Bronze

Re: NAT Problem in PIX 525

Hi,

You need to open the echo reply path from the dmz to the inside network,

access-list incoming extended permit icmp 10.11.0.0 255.255.0.0 10.11.0.0 255.255.0.0 echo-reply

access-group incoming in interface dmz

check if the routing ok or not, (route inside)...

For the remote desktop, you can also check whether the service is running on the server or not.

I hope this helps, please rate if it does.

Best regards,

New Member

Re: NAT Problem in PIX 525

Hello oabduo,

Yes,i already opened the icmp echo reply path from dmz to inside and nothing new.

access-list DMZ_access_in permit icmp 10.11.0.0 255.255.0.0 10.2.0.0 255.255.0.0

access-group DMZ_access_in in interface dmz

But thanks for your suggestion anyways :)

Hope more suggestions are on my way soon.

Turbo

Bronze

Re: NAT Problem in PIX 525

Hello Turbo,

Notice the destination which I have included in my extended access-list,

access-list DMZ_access_in permit icmp 10.11.0.0 255.255.0.0 10.11.0.0 255.255.0.0 echo-reply

This is because when you access from a low security zone to a high security zone you need to access the translated IP not the actual IP.

Please include that access-list... if confused include the following instead, just for testing:

access-list DMZ_access_in permit icmp any any echo-reply

Don't forget the access-group command...

Best regards,

New Member

Re: NAT Problem in PIX 525

hello can you do a show conn detail when you are attempting to access the Terminal Server ?

post the output plz ( hide real IP addresses if public )

Best Regards

Re: NAT Problem in PIX 525

Hi .. you cold try this assuming security for the inside interface is higher that the security for the DMZ.

Make sure you enable the default policy map for providing application inspection. Make sure inspect icmp is present

class-map global-class

match default-inspection-traffic

!

!

policy-map global-policy

class global-class

inspect sqlnet

inspect h323 ras

inspect xdmcp

inspect tftp

inspect icmp error

inspect rtsp

inspect sunrpc

inspect mgcp

inspect esmtp

inspect netbios

inspect sip

inspect pptp

inspect ctiqbe

inspect snmp

inspect http

inspect icmp

inspect rsh

inspect ftp

inspect ils

inspect h323 h225

inspect dns

inspect skinny

!

service-policy global-policy global

access-list outgoing extended permit icmp 10.2.0.0 255.255.0.0 10.11.0.0 255.255.255.0

access-list outgoing extended permit tcp 10.2.0.0 255.255.0.0 10.11.0.0 255.255.255.0 eq 3389

access-group outgoing in interface inside

access-list Inside_Out_nonat extended permit ip 10.2.0.0 255.255.0.0 10.11.0.0 255.255.255.0

nat (inside) 0 access-list Inside_Out_nonat

clear xlate

I hope it helps .. please rate it if it does !!!

New Member

Re: NAT Problem in PIX 525

Hello Guys,

Please allow me to explain once again. I want to RDP and ping the DMZ servers by their same ip addresses. i.e RDP/Ping to 10.11.0.12 (mail srv) and RDP/Ping to 10.11.0.13 (web srv). I used all the kind of NATs in the world but it still not working for sorry.

I think the best way to RDP/Ping with the same servers addresses is the NAT exemption..

Please check this out!!

access-list Exempt extended permit ip 10.11.0.0 255.255.0.0 10.2.0.0 255.255.0.0

nat (dmz) 0 access-list Exempt

But,the problem still exist.

Any ideas?!!

Turbo

207
Views
0
Helpful
11
Replies