Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
504
Views
4
Helpful
6
Replies

Stub network via PIX

Go to solution
jmx2020
Level 1
Level 1

‎04-07-2003 11:22 AM - edited ‎02-20-2020 10:40 PM

I am trying to configure a PIX 515e to allow a "stub" network to access the Internet via the PIX. The "stub" network is across a WAN connection using a private IP. I can ping the firewall inside address from a host on the stub network, but can't get through the firewall.

My main site can access the Internet via the PIX. Hosts are 192.168.39.x/255.255.255.0. PIX inside is 192.168.39.1.

The "stub" network is 192.168.40.x/255.255.255.0

I am using 192.168.41.x/255.255.255.0 are the addressing on the serial side of the WAN routers connecting the main site to the stub.

Any host on 192.168.40.x should be able to get to the Internet via the PIX at 192.168.39.1.

Here's an excerpt of my config:

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

ip address inside 192.168.39.1 255.255.255.0

global (outside) 30 interface

name 192.168.40.0 CRS

nat (inside) 30 192.168.39.0 255.255.255.0 0 0

nat (inside) 30 CRS 255.255.255.0 0 0

nat (inside) 30 192.168.41.0 255.255.255.0 0 0

route inside CRS 255.255.255.0 192.168.39.10 2

route inside 192.168.41.0 255.255.255.0 192.168.39.10 1

I can ping from the PIX inside int to the host at 40.x, and from the host to the PIX.

Any ideas?

Thanks!

JMX

0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
tvanginneken
Level 4
Level 4

‎04-07-2003 11:53 AM

Hi,

try using the nat command with the real network instead of the name 'CRS'.

nat (inside) 30 192.168.40.0 255.255.255.0

Does the logging show anything?

To enable logging to a syslog server use the following commands:

logging host syslogserver_ip

logging trap 7

logging on

Kind Regards,

Tom

View solution in original post

0 Helpful

Go to solution
wolfrikk
Level 3
Level 3

‎04-08-2003 03:53 AM

How does the WAN traffic show up at the PIX? If it is coming from 192.168.40.x, there is no NAT statement allowing that address range. Try adding:

nat (inside) 30 192.168.40.0 255.255.255.0 0 0

You may also have to add a static route for this network.

View solution in original post

0 Helpful

Go to solution
tvanginneken
Level 4
Level 4
In response to jmx2020

‎04-10-2003 11:13 PM

Hi,

try taking a capture of the traffic at the inside interface of the PIX to see is the webtraffic is actually arriving at the PIX.

You can do this using this command (or use an external sniffer):

capture insidecap interface inside

Once the command is in place, you can use your webbrowers and go to

https:///capture/insidecap

On that URL (no username and pw=enable password) you will see all the packets that arrive at your inside interface of the pix.

Make sure that the https-server is running on the pix (http server enable) and that you have https access to the pix (http 255.255.255.255 inside)

Regards,

Tom

View solution in original post

6 Replies 6

Go to solution
tvanginneken
Level 4
Level 4

‎04-07-2003 11:53 AM

Hi,

try using the nat command with the real network instead of the name 'CRS'.

nat (inside) 30 192.168.40.0 255.255.255.0

Does the logging show anything?

To enable logging to a syslog server use the following commands:

logging host syslogserver_ip

logging trap 7

logging on

Kind Regards,

Tom

0 Helpful

Go to solution
jmx2020
Level 1
Level 1
In response to tvanginneken

‎04-08-2003 11:48 AM

Thanks for the response!

I removed the "CRS" name & reapplied the nat statement as you suggested. I also enabled logging.

The logging does not show any traffic from 192.168.40.x or 192.168.41.x when I try to access the Internet from 192.168.40.13. I am able to ping from 192.168.40.1 to the PIX inside int at 192.168.39.1.

Any ideas? Thanks again!

0 Helpful

Go to solution
tvanginneken
Level 4
Level 4
In response to jmx2020

‎04-10-2003 11:13 PM

Hi,

try taking a capture of the traffic at the inside interface of the PIX to see is the webtraffic is actually arriving at the PIX.

You can do this using this command (or use an external sniffer):

capture insidecap interface inside

Once the command is in place, you can use your webbrowers and go to

https:///capture/insidecap

On that URL (no username and pw=enable password) you will see all the packets that arrive at your inside interface of the pix.

Make sure that the https-server is running on the pix (http server enable) and that you have https access to the pix (http 255.255.255.255 inside)

Regards,

Tom

Go to solution
jmx2020
Level 1
Level 1
In response to tvanginneken

‎04-11-2003 07:57 AM

Thanks for the idea - I was able to see that no traffic was getting to the PIX...turns out I did not have a default route set in the stub routers....duh!

Thanks again!

0 Helpful

Go to solution
wolfrikk
Level 3
Level 3

‎04-08-2003 03:53 AM

How does the WAN traffic show up at the PIX? If it is coming from 192.168.40.x, there is no NAT statement allowing that address range. Try adding:

nat (inside) 30 192.168.40.0 255.255.255.0 0 0

You may also have to add a static route for this network.

0 Helpful

Go to solution
jmx2020
Level 1
Level 1
In response to wolfrikk

‎04-08-2003 11:51 AM

Hello & thanks for the reponse! Actually, I do have that NAT rule you mention, but I had named the subnet "CRS". I removed the name & re-applied the NAT rule so that it matches what you wrote exactly.

The syslog does not indicate any traffic showing up from the 40.x subnet. I do have a static route in the PIX:

route outside 0.0.0.0 0.0.0.0 162.39.211.65 1

route inside 192.168.40.0 255.255.255.0 192.168.39.10 2

route inside 192.168.41.0 255.255.255.0 192.168.39.10 1

Any idea what I'm missing?

Thanks!

Kelly

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card