ovt

PIX Outside NAT and Overlapping networks - one more BUG

Hi!

I have a simple test network with overlapping address spaces and want to solve the problem with PIX NAT on a single PIX firewall.

PIX inside = 192.168.1.0/24

PIX outside = 172.16.1.0/24

and the config is:

route outside 0.0.0.0 0.0.0.0 172.16.1.2 1

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

static (inside,outside) 172.16.1.10 192.168.1.4 netmask 255.255.255.255

static (outside,inside) 192.168.2.0 192.168.1.0 dns netmask 255.255.255.0

route outside 192.168.1.112 255.255.255.255 172.16.1.2

(^^^see my previous post on this route.)

The overlapping network 192.168.1.0/24 is behind a router 172.16.1.2.

Now I'm trying to ping a host on the overlapping network by its name from the inside network. The DNS server is on the outside and has the RR "target IN A 192.168.1.112". Note the "dns" option in the static:

static (outside,inside) 192.168.2.0 192.168.1.0 dns netmask 255.255.255.0

ping target

The result is surprising:

305009: Built static translation from inside:192.168.1.4 to outside:172.16.1.10

302015: Built outbound UDP connection 48 for outside:172.16.1.254/53 (172.16.1.254/53) to inside:192.168.1.4/50413 (172.16.1.10/50413)

302016: Teardown UDP connection 48 for outside:172.16.1.254/53 to inside:192.168.1.4/50413 duration 0:00:01 bytes 127

305006: Dst IP is network/broadcast IP, translation creation failed for icmp src inside:192.168.1.4 dst outside:192.168.2.0 (type 8, code 0)

Hmm... What is it?

show hosts (on a client 192.168.1.4):

target.trn ... IP 192.168.2.0

Surprise! The DNS payload translation works, but the PIX allocates the network address from the static pool (it ignores the netmask)!

AGAIN: IS THIS A JOKE OF PIX DEVELOPERS, OR WHAT???

The question: how to solve this problem?

Regards,

Oleg Tipisov,

CCSI

REDCENTER,

Moscow

1 REPLY
ovt

Re: PIX Outside NAT and Overlapping networks - one more BUG

Hi!

No, it isn't a joke, but the "dns" functionality in static is broken:

static (outside,inside) 192.168.2.0 192.168.1.0 dns netmask 255.255.255.0

Use

alias (inside) 192.168.2.0 192.168.1.0 255.255.255.0

instead. It works fine with and without IPSec. DNS A RRs in DNS replies are translated from 192.168.1.x to 192.168.2.x when the packet goes from outside to inside. It allows a real single-side solution for overlapping networks and access to overlapping network resources via DNS names.

Regards,

Oleg Tipisov,

CCSI

REDCENTER,

Moscow
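The difference between what the thread expected from the "dns" static and what it observed comes down to one detail: whether the A record in the reply is rewritten with the host bits preserved (192.168.1.112 becomes 192.168.2.112) or collapsed to the network address of the mapped range (192.168.2.0). The following Python script is an added illustration, not PIX code and not from the original posts: it parses a DNS response, rewrites every A record that falls inside 192.168.1.0/24 into 192.168.2.0/24 the way the alias command is described as doing, and can also reproduce the netmask-ignoring behaviour from the "show hosts" output. The DNS reply it operates on is constructed inline for the host "target.trn" from the thread; the function names are this example's own.

```python
"""DNS A-record rewriting ("DNS doctoring") for overlapping networks.

Added illustration of the behaviour discussed in the thread; not PIX code.
Rule: addresses in the real 192.168.1.0/24 are presented to inside hosts as
192.168.2.0/24, with the host bits kept (the alias behaviour).  The
keep_host_bits=False path reproduces the observed broken result where the
netmask is ignored and 192.168.2.0 comes back.
"""
import ipaddress
import struct

# Translation rule taken from the thread's static/alias lines (real <-> mapped).
REAL_NET = ipaddress.ip_network("192.168.1.0/24")
MAPPED_NET = ipaddress.ip_network("192.168.2.0/24")


def translate(addr, real=REAL_NET, mapped=MAPPED_NET, keep_host_bits=True):
    """Map one IPv4 address string from the real range into the mapped range."""
    ip = ipaddress.ip_address(addr)
    if ip not in real:
        return addr  # outside the translated range: left untouched
    if not keep_host_bits:
        return str(mapped.network_address)  # netmask ignored -> network address
    host = int(ip) & int(real.hostmask)
    return str(ipaddress.ip_address(int(mapped.network_address) | host))


def _skip_name(msg, off):
    """Return the offset just past a wire-format DNS name (labels or a pointer)."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1 + n


def _a_record_offsets(msg):
    """Yield the RDATA offset of every IN A record after the question section."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def a_records(msg):
    """List the A-record addresses carried in a DNS reply (for inspection)."""
    return [str(ipaddress.IPv4Address(msg[o:o + 4])) for o in _a_record_offsets(msg)]


def doctor_dns_reply(msg, keep_host_bits=True):
    """Rewrite A records in place; the packet length never changes, so no
    checksum-length or pointer fix-ups are needed beyond the 4 RDATA bytes."""
    out = bytearray(msg)
    for o in _a_record_offsets(msg):
        old = str(ipaddress.IPv4Address(msg[o:o + 4]))
        new = translate(old, keep_host_bits=keep_host_bits)
        out[o:o + 4] = ipaddress.IPv4Address(new).packed
    return bytes(out)


def build_reply(name, addr, txid=0x1234):
    """Constructed sample: a standard response with one question and one A answer."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, NOERROR
    question = qname + struct.pack("!HH", 1, 1)                # A, IN
    answer = (b"\xc0\x0c"                                      # pointer to QNAME at offset 12
              + struct.pack("!HHIH", 1, 1, 300, 4)
              + ipaddress.IPv4Address(addr).packed)
    return header + question + answer


if __name__ == "__main__":
    reply = build_reply("target.trn", "192.168.1.112")
    print("alias-style :", a_records(doctor_dns_reply(reply)))                        # ['192.168.2.112']
    print("as observed :", a_records(doctor_dns_reply(reply, keep_host_bits=False)))  # ['192.168.2.0']
```

Run it as-is; the first line is what a client on the inside needs to see (a usable host address in the mapped range), and the second is the network address that ended up in the client's host table in the thread, which is why the ICMP translation then failed with "Dst IP is network/broadcast IP". The walker only touches IN A records of length 4, so AAAA, CNAME and other records pass through untouched, as they should in a single-side overlap fix.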
