Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

PIX515E: NAT 0 Trouble

Cisco PIX Firewall Version 6.3(3)

nameif eth0 outside security 0 <x.x.x.x/24>

nameif eth1 inside security 100 <y.y.y.y/24>

nameif eth2 dmz security 40 <z.z.z.z/24>

nat (inside) 0 access-list no_nat

nat (inside) 5 access-list partner 0 0

nat (inside) 1 y.y.y.0 255.255.255.0 0 0

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

global (outside) 1 x.x.x.10-x.x.x.125

global (outside) 1 x.x.x.126

global (dmz) 5 z.z.z.200

route inside a.a.0.0 255.255.0.0 y.y.y.1 (via local router - inside)

route inside a.b.0.0 255.255.0.0 y.y.y.1 (via WAN Link - inside)

route dmz v.v.v.0 255.255.255.0 z.z.z1 (directly connected - dmz)

access-list no_nat line 1 permit ip y.y.y.0 255.255.255.0 z.z.z.0 255.255.255.0

access-list no_nat line 2 permit ip a.a.0.0 255.255.0.0 z.z.z.0 255.255.255.0

access-list no_nat line 3 permit ip a.b.0.0 255.255.0.0 z.z.z.0 255.255.255.0

access-list partner line 1 permit ip a.a.0.0 255.255.0.0 v.v.v.0 255.255.255.0

access-list partner line 2 permit ip a.b.0.0 255.255.0.0 v.v.v.0 255.255.255.0

static (dmz,outside) x.x.x.100 z.z.z.100 netmask 255.255.255.255

No access-lists applied to the inside interface

When connecting from a.a.0.0 net to v.v.v.0 net natting occurs as expected (Good)

When connecting from a.b.0.0 net to v.v.v.0 net natting occurs as expected (Good)

When connecting from y.y.y.0 net to z.z.z.0 net no natting occurs as expected (Good)

When connecting from a.a.0.0 net to z.z.z.0 net no natting occurs as expected (Good)

When connecting from a.b.0.0 net to z.z.z.0 net no natting does not occur as expected. When attempting this connection I get the following error messages in logfile (Not Good):

%PIX-6-302013: Built outbound TCP connection XXXXX for dmz:z.z.z.100/<dport> (z.z.z.100/<dport>) to inside:a.b.0.100/<sport> (a.b.0.100/<sport>)

%PIX-3-106011: Deny inbound (No xlate) tcp src inside:z.z.z.100/<dport> dst inside:a.b.0.100/<sport>

%PIX-6-302014: Teardown TCP connection XXXXX for dmz:z.z.z.100/<dport> to inside:a.b.0.100/<sport> duration 0:02:01 bytes 0 SYN Timeout

What is questionable about this to me is that on the "Deny inbound" message the src and dst are listed as inside, when I expect to see the src defined as dmz and the dst as inside. While the other related messages seem to be correct.

In any case, I cannot establish connections from between these two networks, but the a.a.0.0 network works flawlessly.

tcpdump shows the traffic reaching the correct network, but it seems that the 3WH never completes (hence the SYN Tiemout).

Any ideas?

TM

2 REPLIES
Cisco Employee

Re: PIX515E: NAT 0 Trouble

Hi,

What do you mean by this?

"When connecting from a.b.0.0 net to z.z.z.0 net no natting does not occur as expected."

Do you mean no natting does occur as expected? I guess so!

From these messages

%PIX-6-302013: Built outbound TCP connection XXXXX for dmz:z.z.z.100/ (z.z.z.100/) to inside:a.b.0.100/ (a.b.0.100/)

%PIX-3-106011: Deny inbound (No xlate) tcp src inside:z.z.z.100/ dst inside:a.b.0.100/

%PIX-6-302014: Teardown TCP connection XXXXX for dmz:z.z.z.100/ to inside:a.b.0.100/ duration 0:02:01 bytes 0 SYN Timeout

It seems to me some routing issue! Why the packets from zzz network are coming in from inside interface?

would you double check?

Thanks

NK

New Member

Re: PIX515E: NAT 0 Trouble

Nat 0 forces nat to not occur for ttraffic defines by the ACL.

You are correct. IT turned out to be a routing issue. The next hop internal router did not have the correct routes, which was causing the traffic to get re-routed to the PIX. The PIX being the default router for the next hop internal router.

Thanks,

TM

104
Views
0
Helpful
2
Replies