02-26-2003 09:35 AM - edited 02-20-2020 10:35 PM
I have a two interface PIX in a lab. I am trying to simulate this for a customer.
The PIX will be used between two private networks on the same campus for political reasons. On the PIX the outside interface network is 172.16.10.0/24 and the inside network is 192.168.10.0/24. The outside interface is connected to a Catalyst switch for the 172.16.10.0/24 network, and the inside interface is connected to a second Catalyst switch on the inside network 192.168.10.0/24.
Here is the issue. To allow users on the outside to access resources on the inside, I can simply do:
static (inside,outside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
access-list outside permit ip 172.16.10.0 255.255.255.0 any
access-group outside in interface outside
For testing reasons, I also want to enable ping from the 172.16.10.0 network to the 192.168.10.0 network.
access-list outside permit icmp any any
The only confusion I have is how a host sitting on the outside network, 172.16.10.25, can ping a host on the inside network, 192.168.10.25, because there is no third network segment for NAT, and the PIX doesn't allow pinging private addresses from the outside.
For example, in the real world there is a public address that is NATted to a private address, and you ping the public address that is mapped to the private address for testing purposes, but in my case there are only two private networks and no public addresses for NAT.
One thought I had was to use a fake network segment such as 10.0.0.0/24 for NAT, but I think that won't work either, because then I would have to put the PIX's outside interface on the 10.0.0.0/24 segment, whereas the hosts on the outside segment are on 172.16.10.0/24.
02-26-2003 11:44 AM
Since you are using the static command with the same network as both parameters, addresses going from the inside (192.168.10.0) to the outside are not translated. So the source addresses of these packets are not translated.
So if you use these commands (the ones you already mentioned):
static (inside,outside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
access-list outside permit ip 172.16.10.0 255.255.255.0 any
access-list outside permit icmp any any
access-group outside in interface outside
This should allow you to ping the inside addresses, so you don't have to use some kind of 'fake third subnet' to ping the inside hosts. Just use the real IP addresses of the inside hosts to ping them.
Please make sure that the IP address of the outside interface of the PIX is the default gateway for the 192.168.10.0 network.
Kind Regards,
Tom
02-26-2003 11:57 AM
Thanks Tom! Two important things. 1) I am confused about the last statement, "Please make sure that the IP address of the outside interface of the PIX is the default gateway for the 192.168.10.0 network". Shouldn't hosts on each segment point to their own segment's gateway? For example, my PIX's outside address is 172.16.10.1/24 and the inside address is 192.168.10.1/24. Hosts on each network should simply point to their own segment's gateway.
2) Since there is no public address pool for NAT translations, should I simply use my internal segment 192.168.10.0/24 for the outside global translation?
Example,
global (outside) 1 192.168.10.0
nat (inside) 1 192.168.10.0 255.255.255.0
Kind regards,
Ali
02-28-2003 07:05 AM
Hi,
Sorry for the confusion :-)
What you are describing here is what I meant: make sure that your hosts on the outside point to the PIX for the 192.168.10.0 network.
Since you are using the static command with the same network as both parameters, you should not use the global/nat commands any more. The static command has the same effect.
Kind Regards,
Tom
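A complete PIX 6.x configuration for the lab described in this thread, added here as a worked example; it is not the configuration of either poster. The addresses and the identity static are the ones from the thread; the interface names, security levels and the narrowed access-list entries are assumptions. It also covers the return traffic for pings started from the inside, which the thread does not discuss and which PIX 6.x does not track statefully, and it uses subnet masks in the access-list, which is what the PIX syntax expects (the 0.0.0.255 wildcard form is IOS syntax).

```cisco
: PIX 6.x configuration, added example (not from the thread).
: Interface names, security levels and the narrowed ACL entries are assumptions;
: the addresses are the ones given in the thread.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 172.16.10.1 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0
:
: Identity translation: the inside network appears on the outside with its own
: addresses, so an outside host pings 192.168.10.25 directly. No global/nat pair
: is needed for 192.168.10.0/24 once this static exists.
static (inside,outside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
:
: Inbound policy on the outside interface. PIX access-lists take subnet masks,
: not IOS wildcard masks. Scoped to the two LANs rather than "any" so the rule
: cannot be reached from anything else that later ends up behind the outside switch.
: This line already covers ICMP echo from outside to inside; the icmp lines
: become necessary once it is narrowed to the real application traffic.
access-list outside permit ip 172.16.10.0 255.255.255.0 192.168.10.0 255.255.255.0
:
: PIX 6.x does not track ICMP statefully: echo from outside to inside needs a
: permit here, and so do the echo replies to pings started from the inside.
: Permit the two types rather than all of ICMP.
access-list outside permit icmp 172.16.10.0 255.255.255.0 192.168.10.0 255.255.255.0 echo
access-list outside permit icmp 172.16.10.0 255.255.255.0 192.168.10.0 255.255.255.0 echo-reply
access-group outside in interface outside
:
: Hosts on 172.16.10.0/24 still need a route for 192.168.10.0/24 via the PIX
: outside address 172.16.10.1 (as their default gateway or a static route), which
: is the point Tom was making. Inside hosts use 192.168.10.1 as their gateway.
```

Lines beginning with ":" are comments in a PIX configuration file. With this in place, a ping from 172.16.10.25 to 192.168.10.25 succeeds because the identity static supplies the translation and the echo permit admits the packet; a ping in the other direction succeeds only because echo-reply is explicitly permitted inbound on the outside interface.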