Need help with PIX & Router

braveheart814
Level 1

I have a 2610 in front of a PIX 506E. Attached are the configs of each.

I think the router is set up wrong, please help.

ROUTER ===>>

!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
enable secret xxxx
enable password enable
!
ip subnet-zero
!
ip name-server xxx.xxx.xxx.4
!
ip audit notify log
ip audit po max-events 100
!
interface Ethernet0/0
 bandwidth 10000
 ip address xxx.xxx.xxx.123 255.255.255.0
 ip nat outside
 half-duplex
!
interface Ethernet1/0
 ip address 10.1.2.254 255.255.255.252
 ip nat inside
 full-duplex
!
ip nat pool outside-pool xxx.xxx.xxx.123 xxx.xxx.xxx.123 netmask 255.255.255.0
ip nat inside source list 1 pool outside-pool overload
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1
no ip http server
ip pim bidir-enable
!
access-list 1 permit 10.1.1.0 0.0.0.255
route-map 1 permit 10
!
!
line con 0
line aux 0
line vty 0 4
 password enable
 login
!
end

PIX===>>

PIX Version 6.3(5)
interface ethernet0 10full
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp strict 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol pptp 1723
no fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
name 10.1.1.1 PIX-INSIDE
name 10.1.1.101 WAN-MON
name 10.1.2.253 PIX-OUTSIDE
pager lines 20
logging on
logging timestamp
logging buffered alerts
logging trap informational
logging history informational
logging queue 1000
logging device-id hostname
logging host inside WAN-MON
mtu outside 1500
mtu inside 1500
ip address outside PIX-OUTSIDE 255.255.255.252
ip address inside PIX-INSIDE 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location WAN-MON 255.255.255.255 inside
pdm logging informational 512
pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 10.1.2.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http WAN-MON 255.255.255.255 inside
floodguard enable
telnet timeout 2
ssh timeout 5
console timeout 5
terminal width 80
: end

5 Replies

a.kiprawih
Level 7

Hi,

Are you suspecting that "ip nat pool outside-pool xxx.xxx.xxx.123 xxx.xxx.xxx.123 netmask 255.255.255.0" should be replaced with "ip nat inside source list 1 interface Ethernet0/0 overload", since it uses Ethernet0/0 as the outside NAT IP?

Rgds,

AK

abdel_n
Level 1

Hi,

I guess no nat 0 is needed if you have no translation in the PIX.

For NAT 0, options are:

1. NAT 0

nat (inside) 0 0.0.0.0 0.0.0.0 --> no translation for any inside IP/subnet/host, or

nat (inside) 0 10.1.1.0 255.255.255.0 --> no translation for specific subnet

2. Policy NAT

access-list 100 permit ip 10.1.1.0 255.255.255.0 any

nat (inside) 0 access-list 100

3. inside & outside see/reach each other using original IP (no nat)

static (inside,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

Hi,

He has 'nat (inside) 0' configured on the PIX. The problem with the router config is that the NAT pool is set to use the E0/0 IP. The router doesn't NAT (PAT) when it's set up this way. Hence, he has to specify the interface in his NAT config with the keyword overload for this to work.

To the original poster:

Can you apply the following config to the router?

no ip nat pool outside-pool xxx.xxx.xxx.123 xxx.xxx.xxx.123 netmask 255.255.255.0

ip nat inside source list 1 interface Ethernet0/0 overload

HTH,

Sundar
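A small checker for the pattern Sundar describes, added here as an example and not taken from the thread: it parses an IOS config, finds an `ip nat inside source list ... pool ... overload` rule whose pool is nothing but the `ip nat outside` interface's own address, and emits the interface-overload lines to apply instead. The sample config is constructed from the posted router config, with 203.0.113.123 standing in for the masked xxx.xxx.xxx.123; the removal order in `suggested_fix` is this example's own assumption.

```python
import re

# Constructed sample modelled on the thread's router config (masked address replaced).
SAMPLE_CFG = """\
interface Ethernet0/0
 ip address 203.0.113.123 255.255.255.0
 ip nat outside
!
ip nat pool outside-pool 203.0.113.123 203.0.113.123 netmask 255.255.255.0
ip nat inside source list 1 pool outside-pool overload
"""

def outside_interfaces(cfg):
    """Map each 'ip nat outside' interface to its configured IP address."""
    result, name, ip = {}, None, None
    for line in cfg.splitlines():
        text = line.strip()
        if text.startswith("interface "):
            name, ip = text.split()[1], None
        elif text.startswith("!"):
            name = None  # end of the interface block
        elif name and text.startswith("ip address "):
            ip = text.split()[2]
        elif name and ip and text == "ip nat outside":
            result[name] = ip
    return result

def find_pool_on_interface_ip(cfg):
    """(acl, pool, interface) for each overload rule whose pool is nothing but
    the outside interface's own address; [] when the config is clean."""
    outside = outside_interfaces(cfg)
    pools = {m[1]: (m[2], m[3]) for m in
             re.finditer(r"^ip nat pool (\S+) (\S+) (\S+)", cfg, re.M)}
    rule = r"^ip nat inside source list (\S+) pool (\S+) overload"
    findings = []
    for acl, pool in re.findall(rule, cfg, re.M):
        start, end = pools.get(pool, (None, None))
        for ifname, ip in outside.items():
            if start == end == ip:
                findings.append((acl, pool, ifname))
    return findings

def suggested_fix(cfg):
    """IOS lines to apply instead (the interface-overload form from the reply).
    Assumption: remove the rule before its pool, as IOS keeps an in-use pool."""
    return [l for acl, pool, ifname in find_pool_on_interface_ip(cfg) for l in (
        f"no ip nat inside source list {acl} pool {pool} overload",
        f"no ip nat pool {pool}",
        f"ip nat inside source list {acl} interface {ifname} overload")]
```

Running it on a config that already uses the interface form returns no findings, so it can be kept as a pre-change check.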

ifican
Level 1

What are you trying to accomplish?
