11-25-2003 12:56 AM - edited 03-09-2019 05:39 AM
Cisco PIX Firewall Version 6.3(3)
nameif eth0 outside security 0 <x.x.x.x/24>
nameif eth1 inside security 100 <y.y.y.y/24>
nameif eth2 dmz security 40 <z.z.z.z/24>
nat (inside) 0 access-list no_nat
nat (inside) 5 access-list partner 0 0
nat (inside) 1 y.y.y.0 255.255.255.0 0 0
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
global (outside) 1 x.x.x.10-x.x.x.125
global (outside) 1 x.x.x.126
global (dmz) 5 z.z.z.200
route inside a.a.0.0 255.255.0.0 y.y.y.1 (via local router - inside)
route inside a.b.0.0 255.255.0.0 y.y.y.1 (via WAN Link - inside)
route dmz v.v.v.0 255.255.255.0 z.z.z.1 (directly connected - dmz)
access-list no_nat line 1 permit ip y.y.y.0 255.255.255.0 z.z.z.0 255.255.255.0
access-list no_nat line 2 permit ip a.a.0.0 255.255.0.0 z.z.z.0 255.255.255.0
access-list no_nat line 3 permit ip a.b.0.0 255.255.0.0 z.z.z.0 255.255.255.0
access-list partner line 1 permit ip a.a.0.0 255.255.0.0 v.v.v.0 255.255.255.0
access-list partner line 2 permit ip a.b.0.0 255.255.0.0 v.v.v.0 255.255.255.0
static (dmz,outside) x.x.x.100 z.z.z.100 netmask 255.255.255.255
No access-lists applied to the inside interface
When connecting from a.a.0.0 net to v.v.v.0 net natting occurs as expected (Good)
When connecting from a.b.0.0 net to v.v.v.0 net natting occurs as expected (Good)
When connecting from y.y.y.0 net to z.z.z.0 net no natting occurs as expected (Good)
When connecting from a.a.0.0 net to z.z.z.0 net no natting occurs as expected (Good)
When connecting from a.b.0.0 net to z.z.z.0 net no natting does not occur as expected. When attempting this connection I get the following error messages in logfile (Not Good):
%PIX-6-302013: Built outbound TCP connection XXXXX for dmz:z.z.z.100/<dport> (z.z.z.100/<dport>) to inside:a.b.0.100/<sport> (a.b.0.100/<sport>)
%PIX-3-106011: Deny inbound (No xlate) tcp src inside:z.z.z.100/<dport> dst inside:a.b.0.100/<sport>
%PIX-6-302014: Teardown TCP connection XXXXX for dmz:z.z.z.100/<dport> to inside:a.b.0.100/<sport> duration 0:02:01 bytes 0 SYN Timeout
What is questionable about this to me is that on the "Deny inbound" message the src and dst are listed as inside, when I expect to see the src defined as dmz and the dst as inside. While the other related messages seem to be correct.
In any case, I cannot establish connections from between these two networks, but the a.a.0.0 network works flawlessly.
tcpdump shows the traffic reaching the correct network, but it seems that the 3WH never completes (hence the SYN Timeout).
Any ideas?
TM
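The telling detail in the logs above is that the 106011 deny lists the same interface (inside) as both source and destination. The following triage script is an added example, not part of the original post; it parses constructed log lines modelled on those quoted above and tags each "No xlate" deny as a likely routing loop (same ingress and egress interface) or a genuine missing translation:

```python
import re

# Constructed sample log lines, modelled on the messages quoted in the post
# (placeholder addresses kept as in the post; ports and connection id are made up).
SAMPLE_LOGS = """\
%PIX-6-302013: Built outbound TCP connection 10001 for dmz:z.z.z.100/1433 (z.z.z.100/1433) to inside:a.b.0.100/3321 (a.b.0.100/3321)
%PIX-3-106011: Deny inbound (No xlate) tcp src inside:z.z.z.100/1433 dst inside:a.b.0.100/3321
%PIX-6-302014: Teardown TCP connection 10001 for dmz:z.z.z.100/1433 to inside:a.b.0.100/3321 duration 0:02:01 bytes 0 SYN Timeout
%PIX-3-106011: Deny inbound (No xlate) tcp src outside:198.51.100.7/80 dst inside:10.20.30.40/4411
"""

DENY_RE = re.compile(
    r"%PIX-3-106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[^/\s]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[^/\s]+)/(?P<dport>\d+)"
)


def parse_no_xlate(line):
    """Return the fields of a 106011 'No xlate' deny, or None for any other message."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None


def classify(deny):
    """Same ingress and egress interface means the packet came back in on the
    interface it should have left by: a routing problem behind the PIX, not a NAT one."""
    if deny["src_if"] == deny["dst_if"]:
        return "routing-loop"
    return "missing-xlate"


def triage(log_text):
    """Parse every 106011 line in the log text and tag it with its likely cause."""
    results = []
    for line in log_text.splitlines():
        deny = parse_no_xlate(line)
        if deny:
            deny["cause"] = classify(deny)
            results.append(deny)
    return results


if __name__ == "__main__":
    for d in triage(SAMPLE_LOGS):
        print(f"{d['src_if']}:{d['src']} -> {d['dst_if']}:{d['dst']} : {d['cause']}")
```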
11-25-2003 08:25 PM
Hi,
What do you mean by this?
"When connecting from a.b.0.0 net to z.z.z.0 net no natting does not occur as expected."
Do you mean no natting does occur as expected? I guess so!
From these messages
%PIX-6-302013: Built outbound TCP connection XXXXX for dmz:z.z.z.100/
%PIX-3-106011: Deny inbound (No xlate) tcp src inside:z.z.z.100/
%PIX-6-302014: Teardown TCP connection XXXXX for dmz:z.z.z.100/
It seems to me some routing issue! Why the packets from zzz network are coming in from inside interface?
Would you double check?
Thanks
NK
11-26-2003 09:10 AM
Nat 0 forces NAT to not occur for traffic defined by the ACL.
You are correct. It turned out to be a routing issue. The next-hop internal router did not have the correct routes, which was causing the traffic to get re-routed to the PIX, the PIX being the default router for the next-hop internal router.
Thanks,
TM