Solved: PIX 515E without NAT from higher to lower

prashanth15 · ‎10-18-2005

Dear All,

Pls find attached diagram and PIX 102 and PIX 105 configuration.

Network 192.168.105.x, 192.168.102.x can communicate to outside and from outside we can access 192.168.102.x with certain ports open.

192.168.105.1is on higher security interface and 192.168.102.3 is on lower security interface for PIX105.

192.168.105.x can communicate to 192.168.102.x using NAT.

Now the issue is:

192.168.105.x cannot communicate with 192.168.102.x without NAT. Tried using Translation exceptional rules and Nat 0 but still cannot communicate.

192.168.105.X cannot communicate to 192.168.101.x ( route via PIX 102 and Router)

192.168.101.X cannot communicate with 192.168.102.x

I do not want NAT to be used between 192.168.105.x, 192.168.102.x, and 192.168.101.X

Appreciate if you can help ne ASAP

Regards,

Prashanth

jackko · ‎10-21-2005

you mentioned "192.168.101.x need to access 192.168.102.x for object group dc".

providing you are referring that the traffic is initiated by subnet .101 destined for subnet .102, then you need to apply another static on pix102.

e.g.

static (intf2,inside) 192.168.101.0 192.168.101.0 netmask 255.255.255.0

clear xlate

other than this, i can't see any error with both pix config, and the router config.

to verify the issue whether is related to the datacenter router, try pinging from pix102.

firstly, ping the serial int of datacenter router, then ping the subnet .101 of the datacenter router.

View solution in original post

jackko · ‎11-03-2005

just wondering how you go.

View solution in original post

Patrick Iseli · ‎10-18-2005

Prashanth,

Q1: 192.168.105.x cannot communicate with 192.168.102.x without NAT. Tried using Translation exceptional rules and Nat 0 but still cannot communicate.

A1: Yes you can disable NAT using a NAT 0 rule

Inside should then be able to communicate with with interface intf2 without access-list. The other way works just with an access-list on the intf2.

Q2: 192.168.105.X cannot communicate to 192.168.101.x ( route via PIX 102 and Router)

A2: Have you configured the NAT on the outside router that transaltes the public IPs to the private IPs?

Q3: 192.168.101.X cannot communicate with 192.168.102.x

A3: Is basicly the same issue as Q1. Add an NONAT (NAT 0 ) and an access-list that allows 101 to communicate with 102.

sincerely

Patrick

prashanth15 · ‎10-18-2005

Hi Patrick,

Reply for Q1: Nat 0 rule didnt work.can you suggest any other method.

Q2: the router between 192.168.103.x and 192.168.101.x is the internal router ie. between two networks.

jackko · ‎10-18-2005

for 192.168.105.x to access 192.168.102.x,

static (inside,intf2) 192.168.105.0 192.168.105.0 netmask 255.255.255.0

with the static above, subnet 105 will be able to initiate connection to subnet 102. on the other hand, if you want to also permit subnet 102 to initiate connection to subnet 105, you need to:

static (intf2,inside) 192.168.102.0 192.168.102.0 netmask 255.255.255.0

access-list 100 permit tcp host 192.168.102.100 host 192.168.105.100 eq 3389

access-group 100 in interface intf2

with pix102, i guess the logic is very similar to pix105:

static (inside,intf2) 192.168.102.0 192.168.102.0 netmask 255.255.255.0

and again if you want to permit subnet 101 to initiate connection to subnet 102, then you need to:

static (intf2,inside) 192.168.101.0 192.168.101.0 netmask 255.255.255.0

access-list 100 permit tcp host 192.168.101.100 host 192.168.105.100 eq 3389

access-group 100 in interface intf2

please also verify the route for subnet 102 and subnet 101 is available on both routers (ip: 192.168.103.5 and 192.168.70.2)

prashanth15 · ‎10-20-2005

Hi Jackko/Patrik,

Using NAT 0 and access rules i manged to get 192.168.105.x to communicate with 192.168.102.x

but 192.168.105.x cannot talk to 192.168.101.x

pls find revised configuration and attached router configuration.

Pls get back to me ASAP.

thanks,

Prashanth

jackko · ‎10-20-2005

just couple quick questions.

1. can net 102 access net 101?

2. are there routes on the datacentre router pointing to net 102 and net 105?

jackko · ‎10-20-2005

also with the pix105, verify the outbound acl.

on pix102,

access-list inside_access_in permit tcp 192.168.105.0 255.255.255.0 192.168.101.0 255.255.255.0 object-group TODC

access-list inside_access_in permit tcp 192.168.105.0 255.255.255.0 192.168.103.0 255.255.255.0 object-group TODC

however, none of these entries are configured on pix105.

prashanth15 · ‎10-21-2005

Hi Jackko,

192.168.105.x can access 192.168.102,x without NAT

192.168.105.x cannot access 192.168.101.x

192.168.102.x cannot access 192.168.101.x

192.168.101.x need to access 192.168.102.x for object group dc.

192.168.101.x should not access 192.168.105.x so there is no entries in pix105.

did u chech my router config in my site.

the router at the data center belongs to other vendor,but as per him there are entries pointing to 102 and 101 entries.

i should prove him that there is no error from my side.

Pls get back to me ASAP.

Thanks,

Prashanth

jackko · ‎10-21-2005

you mentioned "192.168.101.x need to access 192.168.102.x for object group dc".

providing you are referring that the traffic is initiated by subnet .101 destined for subnet .102, then you need to apply another static on pix102.

e.g.

static (intf2,inside) 192.168.101.0 192.168.101.0 netmask 255.255.255.0

clear xlate

other than this, i can't see any error with both pix config, and the router config.

to verify the issue whether is related to the datacenter router, try pinging from pix102.

firstly, ping the serial int of datacenter router, then ping the subnet .101 of the datacenter router.

jackko · ‎11-03-2005

just wondering how you go.

prashanth15 · ‎11-09-2005

Hi Jackko,

Thanks for your help

192.168.105.x is able to acces 192.168.102.x without NAT.

However i cannot ping and requirements as follows:

192.168.105.x should be able to ping pix outside,DMZ.

192.168.105.x should be able to ping 192.168.102.x

192.168.102.x should be able to ping pix outside

192.168.102.x should be able to ping 192.168.105.x

refer attached diagram

Regards,

Prashanth

jackko · ‎11-09-2005

to ping between .105.x and .102.x, apply "permit icmp any any" on .105.x pix intf2 interface.

to ping from .105.x to the internet, apply "permit icmp any any eq echo-reply" on .105.x pix outside interface.

to ping from .102.x to the internet, apply "permit icmp any any eq echo-reply" on .102.x pix outside interface.