04-07-2003 11:22 AM - edited 02-20-2020 10:40 PM
I am trying to configure a PIX 515e to allow a "stub" network to access the Internet via the PIX. The "stub" network is across a WAN connection using a private IP. I can ping the firewall inside address from a host on the stub network, but can't get through the firewall.
My main site can access the Internet via the PIX. Hosts are 192.168.39.x/255.255.255.0. PIX inside is 192.168.39.1.
The "stub" network is 192.168.40.x/255.255.255.0
I am using 192.168.41.x/255.255.255.0 as the addressing on the serial side of the WAN routers connecting the main site to the stub.
Any host on 192.168.40.x should be able to get to the Internet via the PIX at 192.168.39.1.
Here's an excerpt of my config:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address inside 192.168.39.1 255.255.255.0
global (outside) 30 interface
name 192.168.40.0 CRS
nat (inside) 30 192.168.39.0 255.255.255.0 0 0
nat (inside) 30 CRS 255.255.255.0 0 0
nat (inside) 30 192.168.41.0 255.255.255.0 0 0
route inside CRS 255.255.255.0 192.168.39.10 2
route inside 192.168.41.0 255.255.255.0 192.168.39.10 1
I can ping from the PIX inside int to the host at 40.x, and from the host to the PIX.
Any ideas?
Thanks!
JMX
04-07-2003 11:53 AM
Hi,
try using the nat command with the real network instead of the name 'CRS'.
nat (inside) 30 192.168.40.0 255.255.255.0
Does the logging show anything?
To enable logging to a syslog server use the following commands:
logging host syslogserver_ip
logging trap 7
logging on
Kind Regards,
Tom
04-08-2003 03:53 AM
How does the WAN traffic show up at the PIX? If it is coming from 192.168.40.x, there is no NAT statement allowing that address range. Try adding:
nat (inside) 30 192.168.40.0 255.255.255.0 0 0
You may also have to add a static route for this network.
04-10-2003 11:13 PM
Hi,
try taking a capture of the traffic at the inside interface of the PIX to see if the web traffic is actually arriving at the PIX.
You can do this using this command (or use an external sniffer):
capture insidecap interface inside
Once the command is in place, you can use your web browser and go to
https://
On that URL (no username and pw=enable password) you will see all the packets that arrive at your inside interface of the pix.
Make sure that the https-server is running on the pix (http server enable) and that you have https access to the pix (http
Regards,
Tom
04-08-2003 11:48 AM
Thanks for the response!
I removed the "CRS" name & reapplied the nat statement as you suggested. I also enabled logging.
The logging does not show any traffic from 192.168.40.x or 192.168.41.x when I try to access the Internet from 192.168.40.13. I am able to ping from 192.168.40.1 to the PIX inside int at 192.168.39.1.
Any ideas? Thanks again!
04-11-2003 07:57 AM
Thanks for the idea - I was able to see that no traffic was getting to the PIX...turns out I did not have a default route set in the stub routers....duh!
Thanks again!
04-08-2003 11:51 AM
Hello & thanks for the response! Actually, I do have that NAT rule you mention, but I had named the subnet "CRS". I removed the name & re-applied the NAT rule so that it matches what you wrote exactly.
The syslog does not indicate any traffic showing up from the 40.x subnet. I do have a static route in the PIX:
route outside 0.0.0.0 0.0.0.0 162.39.211.65 1
route inside 192.168.40.0 255.255.255.0 192.168.39.10 2
route inside 192.168.41.0 255.255.255.0 192.168.39.10 1
Any idea what I'm missing?
Thanks!
Kelly
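The thread's first two suggestions (replace the `name` alias with the literal network, add a `nat` line for 192.168.40.0) both turned out to be non-issues: the PIX side was already consistent, and the real fault was a missing default route on the stub routers, which no amount of PIX configuration could reveal. The script below is an added example, not code from the thread or from Cisco. It parses the `name`, `ip address`, `global`, `nat` and `route` lines posted in the question and in the 04-08 follow-up (embedded as constructed input), resolves aliases the way the PIX does, and reports, for a given source host, which `nat (inside)` entry matches, whether a `global (outside)` pool with the same ID exists, and which route carries the return traffic. It models PIX 6.2 only as far as those commands go; in particular it cannot tell you whether the upstream routers ever forward the packet to the PIX, which is exactly why the capture on the inside interface was the decisive test.

```python
"""
Sanity-check a PIX 6.x outbound NAT/route config for a source host.

Added example, not from the original thread or from Cisco. The config
text is constructed from the lines the poster published (question plus
the 04-08 follow-up that showed the outside default route).
"""
import ipaddress
from dataclasses import dataclass, field

PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address inside 192.168.39.1 255.255.255.0
global (outside) 30 interface
name 192.168.40.0 CRS
nat (inside) 30 192.168.39.0 255.255.255.0 0 0
nat (inside) 30 CRS 255.255.255.0 0 0
nat (inside) 30 192.168.41.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 162.39.211.65 1
route inside CRS 255.255.255.0 192.168.39.10 2
route inside 192.168.41.0 255.255.255.0 192.168.39.10 1
"""


@dataclass
class PixConfig:
    names: dict = field(default_factory=dict)     # alias -> IPv4Address
    globals_: dict = field(default_factory=dict)  # (iface, nat_id) -> pool spec
    nats: list = field(default_factory=list)      # (iface, nat_id, IPv4Network)
    routes: list = field(default_factory=list)    # (iface, IPv4Network, gateway, metric)

    def resolve(self, token):
        """A `name` alias may stand in for an address in nat/route lines."""
        return ipaddress.IPv4Address(self.names.get(token, token))


def parse_pix(text):
    """Parse only the commands this check needs; everything else is ignored."""
    cfg = PixConfig()
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        cmd = parts[0]
        if cmd == "name":                       # name <address> <alias>
            cfg.names[parts[2]] = ipaddress.IPv4Address(parts[1])
        elif cmd == "ip" and parts[1] == "address":
            # Connected network: metric 0, "gateway" is the interface itself.
            net = ipaddress.IPv4Network((parts[3], parts[4]), strict=False)
            cfg.routes.append((parts[2], net, ipaddress.IPv4Address(parts[3]), 0))
        elif cmd == "global":                   # global (<iface>) <id> <pool>
            cfg.globals_[(parts[1].strip("()"), int(parts[2]))] = " ".join(parts[3:])
        elif cmd == "nat":                      # nat (<iface>) <id> <net> <mask> ...
            net = ipaddress.IPv4Network((cfg.resolve(parts[3]), parts[4]), strict=False)
            cfg.nats.append((parts[1].strip("()"), int(parts[2]), net))
        elif cmd == "route":                    # route <iface> <net> <mask> <gw> [metric]
            net = ipaddress.IPv4Network((cfg.resolve(parts[2]), parts[3]), strict=False)
            metric = int(parts[5]) if len(parts) > 5 else 1
            cfg.routes.append((parts[1], net, cfg.resolve(parts[4]), metric))
    return cfg


def outbound_check(cfg, src, from_iface="inside", to_iface="outside"):
    """Describe how the PIX would treat a host on `from_iface` heading out `to_iface`."""
    src = ipaddress.IPv4Address(src)
    # Longest prefix first, then lowest metric, for the reply path back to src.
    candidates = [r for r in cfg.routes if src in r[1]]
    back = max(candidates, key=lambda r: (r[1].prefixlen, -r[3]), default=None)
    nat = next((n for n in cfg.nats if n[0] == from_iface and src in n[2]), None)
    pool = cfg.globals_.get((to_iface, nat[1])) if nat else None
    return {
        "src": str(src),
        "nat_id": nat[1] if nat else None,
        "global": pool,
        "return_route": None if back is None else f"{back[0]} {back[1]} via {back[2]}",
        # Translation exists AND the reply is routed back out the arriving interface.
        "reachable": bool(nat and pool and back and back[0] == from_iface),
    }


if __name__ == "__main__":
    cfg = parse_pix(PIX_CONFIG)
    for host in ("192.168.39.50", "192.168.40.13", "192.168.41.2", "10.0.0.5"):
        print(outbound_check(cfg, host))
```

Run against the posted config, 192.168.40.13 matches `nat (inside) 30` through the CRS alias, pairs with `global (outside) 30 interface`, and has a return route via 192.168.39.10, so the PIX side passes; a host outside the three stated networks (10.0.0.5 here) shows what a genuinely missing `nat` line looks like. When a check like this passes and syslog still shows nothing for the source, look upstream, as Tom's `capture` suggestion did.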