08-31-2006 05:48 PM - edited 02-21-2020 01:08 AM
I have a 2610 in front of a Pix 506E. Attached is the cfg's of each.
I think router is set wrong plz hlp.
ROUTER ===>>
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
enable secret xxxx
enable password enable
!
ip subnet-zero
!
ip name-server xxx.xxx.xxx.4
!
ip audit notify log
ip audit po max-events 100
!
interface Ethernet0/0
bandwidth 10000
ip address xxx.xxx.xxx.123 255.255.255.0
ip nat outside
half-duplex
!
interface Ethernet1/0
ip address 10.1.2.254 255.255.255.252
ip nat inside
full-duplex
!
ip nat pool outside-pool xxx.xxx.xxx.123 xxx.xxx.xxx.123 netmask 255.255.255.0
ip nat inside source list 1 pool outside-pool overload
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1
no ip http server
ip pim bidir-enable
!
access-list 1 permit 10.1.1.0 0.0.0.255
route-map 1 permit 10
!
!
line con 0
line aux 0
line vty 0 4
password enable
login
!
end
PIX===>>
PIX Version 6.3(5)
interface ethernet0 10full
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp strict 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol pptp 1723
no fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
name 10.1.1.1 PIX-INSIDE
name 10.1.1.101 WAN-MON
name 10.1.2.253 PIX-OUTSIDE
pager lines 20
logging on
logging timestamp
logging buffered alerts
logging trap informational
logging history informational
logging queue 1000
logging device-id hostname
logging host inside WAN-MON
mtu outside 1500
mtu inside 1500
ip address outside PIX-OUTSIDE 255.255.255.252
ip address inside PIX-INSIDE 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location WAN-MON 255.255.255.255 inside
pdm logging informational 512
pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 10.1.2.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http WAN-MON 255.255.255.255 inside
floodguard enable
telnet timeout 2
ssh timeout 5
console timeout 5
terminal width 80
: end
08-31-2006 06:20 PM
Hi,
Are you suspecting the "ip nat pool outside-pool xxx.xxx.xxx.123 xxx.xxx.xxx.123 netmask 255.255.255.0" should be replace with "ip nat inside source list 1 interface Ethernet0/0 overload" since it uses Ethernet0/0 as outside nat IP?
Rgds,
AK
08-31-2006 07:25 PM
Hi,
I guess no nat 0 is needed if you have no translation in the PIX.
08-31-2006 07:38 PM
For NAT 0, options are:
1. NAT 0
nat (inside) 0 0.0.0.0 0.0.0.0 --> no translation for any inside IP/subnet/host, or
nat (inside) 0 10.1.1.0 255.255.255.0 --> no translation for specific subnet
2. Policy NAT
access-list 100 permit ip 10.1.1.0 255.255.255.0 any
nat (inside) 0 access-list 100
3. inside & outside see/reach each other using original IP (no nat)
static (inside,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
09-01-2006 02:05 PM
Hi,
He has 'nat (inside) 0' configured on the PIX. The problem with the router config is the NAT pool is set to use the E0/0 IP. The router doesn't NAT (PAT) when it's setup this way. Hence, he has to specify the interface in his NAT config with the keyword overload for this to work.
To the original poster:
Can you apply the following config to the router?
no ip nat pool outside-pool xxx.xxx.xxx.123 xxx.xxx.xxx.123 netmask 255.255.255.0
ip nat inside source list 1 interface Ethernet0/0 overload
HTH,
Sundar
10-02-2006 07:08 PM
What are you trying to accomplish?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide