PIX Scenario

ali.asghar
Level 1

I have a two interface PIX in a lab. I am trying to simulate this for a customer.

The PIX will be used between two private networks in the same campus for some political reason. On the PIX the outside interface network is 172.16.10.0/24, and the inside network is 192.168.10.0/24. The outside interface is connected to a Catalyst switch for the 172.16.10.0/24 network, and the inside interface is connected to a second Catalyst switch on the inside network 192.168.10.0/24.

Here is the issue. To allow users to access resources from outside to inside, I can simply do:

static (inside,outside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

access-list outside permit ip 172.16.10.0 255.255.255.0 any

access-group outside in interface outside

For testing reasons, I also want to enable ping from the 172.16.10.0 network to the 192.168.10.0 network:

access-list outside permit icmp any any

The only confusion I have is how I ping from a host sitting on the outside network (172.16.10.25) to a host sitting on the inside network (192.168.10.25), because there is no third network segment for NAT, and the PIX doesn't allow pinging the private addresses from outside.

For example,

In the real world, there is a public address which is NATted to a private address, and for testing purposes you ping the public address which is mapped to the private address, but in my case there are only two private networks and there is no public address for NAT purposes.

One thought I had was to use a fake network segment such as 10.0.0.0/24 for NAT purposes, but I think that won't work either, because then I would have to put my PIX's outside interface on the 10.0.0.0/24 segment, whereas the hosts on the outside segment are sitting on the 172.16.10.0/24 segment.

3 Replies

tvanginneken
Level 4

Since you are using the static command with the same network twice as parameter, the addresses going from the inside (192.168.10.0) to the outside are not translated. So the source addresses of these packets are not translated.

So if you use these commands (the ones you already mentioned):

static (inside,outside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

access-list outside permit ip 172.16.10.0 255.255.255.0 any

access-list outside permit icmp any any

access-group outside in interface outside

This should allow you to ping the inside addresses. So you don't have to use some kind of 'fake third subnet' to ping the inside hosts. Just use the real IP address of the inside hosts to ping them.

Please make sure that the IP address of the outside interface of the PIX is the default gateway for the 192.168.10.0 network.

Kind Regards,

Tom

Thanks Tom! Two important things. 1) I am confused about the last statement, "Please make sure that the IP address of the outside interface of the PIX is the default gateway for the 192.168.10.0 network". Shouldn't hosts on their respective segment point to their own gateways? For example, my PIX's outside address is 172.16.10.1/24 and inside is 192.168.10.1/24. Hosts on each network should simply point to their own segment's gateway.

2) Since there is no public address pool for NAT translations, should I simply use my internal segment 192.168.10.0/24 for the outside global translation?

Example,

global (outside) 1 192.168.10.0

nat (inside) 1 192.168.10.0

Kind regards,

Ali

Hi,

sorry for the confusion :-)

What you are telling here is what I meant. Make sure that your hosts on the outside point to the PIX for the 192.168.10.0 network.

Since you are using the static command with the same network twice as parameter, you should not use the global/nat commands anymore. The static command has the same effect.

Kind Regards,

Tom
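Pulling the thread's advice together, here is an added example of a complete PIX 6.x lab configuration for this two-subnet scenario (written for this page, not posted by either participant). The interface addresses 172.16.10.1 and 192.168.10.1 are taken from Ali's follow-up; the ACL is narrowed from the thread's `icmp any any` to the two subnets, and the `show`/`debug` checks at the end are assumed to be how you would confirm the identity translation and the echo/reply path in the lab.

```cisco
! Interfaces (addresses as given in the thread)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 172.16.10.1 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0

! Identity static: inside hosts keep their real 192.168.10.x addresses
! when seen from the outside, so no third "fake" subnet and no
! global/nat pair is required.
static (inside,outside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

! Inbound policy on the outside interface. PIX ACLs take a subnet mask,
! not an IOS-style wildcard mask. Only the two campus subnets are
! permitted, which is tighter than "icmp any any".
access-list outside permit icmp 172.16.10.0 255.255.255.0 192.168.10.0 255.255.255.0 echo
access-list outside permit ip 172.16.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-group outside in interface outside

! Nothing is needed on the inside interface: inside (security100) to
! outside (security0) traffic, including the ICMP echo-reply, is allowed
! by default once a translation (the static above) exists.

! Routing, which is the point of Tom's gateway remark: an outside host
! must reach 192.168.10.0/24 via 172.16.10.1, either through its own
! default gateway or a host route such as (Windows, on 172.16.10.25):
!   route add 192.168.10.0 mask 255.255.255.0 172.16.10.1

! Lab checks after pinging 192.168.10.25 from 172.16.10.25:
!   show xlate        -> identity entries 192.168.10.x -> 192.168.10.x
!   show access-list  -> hit counts increment on the icmp line
!   debug icmp trace  -> shows the echo inbound and the reply outbound
```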
