cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
458
Views
3
Helpful
8
Replies

PIX & static

ccrespoh
Level 1
Level 1

Hi all,

I've got a PIX (version 6.2 (2) ) and it happens one thing I don't understand. This PIX have got 4 interfaces (outside, inside, DMZ and another one).

In the inside zone there's some servers with private ip addresses. Users from the inside and the 'another one' zone access to the private ip addresses of the servers. And there's a rule to make nat for the outside conections to the servers:

p.ex. static (outside, inside) 195.134.134.234 s5500 netmask 255.255.255.255 0 0

There's one rule for each server.

My problem: some times people can access to the servers and connect to the offered services and some times they can't. But the configuration is the same and I don't make any changes!!

Often, when I know nobody can access, I "fix" the problem with a 'clear xlate' command. But, the problem is only solved temporary so it happens again after some time.

Can anyone help me? Why does it happen? what may I do to fix it?

Thanks in advance.

8 Replies 8

l.mourits
Level 5
Level 5

Hard to say with the information provided....

Lucky guess would be that you have an overlapping nat command (could be nat or static or both), but I would have to see all nat, global and static commands to see if this is case. You could post all nat, global and static command and I can take a look at it, if you want.

Kind regards,

Leo

Hi again,

Well, there's one nat rule 'nat (inside) 0 192.168.64.0 255.255.248.0'.

and...

static (inside,DMZ) s5500 s5500 netmask 255.255.255.255 0 0

static (inside,rem) s5500 s5500 netmask 255.255.255.255 0 0

static (inside,outside) 195.144.125.35 s5500 netmask 255.255.255.255 0 0

I'd thought add one nat rule 'nat (inside) 1 s5500 255.255.255.255 0 0' and one global 'global (outside) 1 195.144.125.35', but I'm not sure, because I don't know how all these rules are working.

If you need more info, ask me.

Thanks in advance.

It's necessary to say the ip address of s5500. It's 192.168.64.62, I mean, the nat rule affects to it.

Thanks.

Hi,

Let's think about what is happening.

If a packet arrives at the outside interface and is detinated for s5500, then it sees the:

static (inside,outside) 195.144.125.35 s5500 netmask 255.255.255.255 0 0

So, it is translated, and all retrning traffic will have an entry within the xlate table.

But what happens when the s5500 initiates any session, to the dzm or outside, then this traffic hits the:

nat (inside) 0 192.168.64.0 255.255.248.0

So, it is not translated and this is also put in xlate table.

The command which you gave is one solution to prevent this wrong entries within the xlate table.

If you use this command, your problems should be gone indeed.

You could also achieve it with nat 0 and bound an ACL to nat 0, but this is only needed if you do not want the s5500 to be able to initiate session to the outside or dmz interfaces.

Hope this helps.

Leo

Hi,

Thanks for yout explanations. I thought something like what you tell me, but I'm not really sure.

The 'clear xlate' solves the problem but I've got the problem again in a short time and I can't be typping the command every 5 minutes. Do you know how I'd fix the problem forever?

I need s5500 was able to initiate session and it can be accessed from the outside :-(

Thanks in advance.

Hi,

Here's how I would configure this:

static (inside,outside) 195.144.125.35 s5500 netmask 255.255.255.255

nat (inside) 0 access-list nonat

access-list nonat deny ip s5500 any

access-list nonat permit ip any any

nat (inside) 1 s5500

global (outside) 1 195.144.125.35

With this config the following happens when the s5500 initiates a session from inside:

Packet arrives at inside interface.

Since nat rules are performed in order of instance, the nat 0 rule is first used. Nat 0 is bound to ACL nonat, and this ACL does prevent all packets from being translated which are permitted within the ACL. Since the source address of s5500 is not permitted within the ACL, the next nat rule is used. Nat (inside) 1 points to using the global (outside) 1 as translation rule.

This should work and solve your problem.

Kind Regards,

Leo

Hi,

I did what you recommended to me. It seems it works fine. Nevertheless, I'm going to monitoring it for more time. I need to be absolutely sure.

Thanks a lot.

Hi,

After a probe time, the pix presents the same problem, although it takes more time to fall in "error".

I've put the rules you said me, as I told you, and it works better, but not absolutely ok.

Any idea?

Thanks again.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: