03-10-2002 02:10 PM - edited 02-20-2020 09:59 PM
Hello,
I am probably missing some finer point of either NAT or routing here. Here's the setup :
(Internet)---T1---(1601)---192.168.1.0/24---(pix)---172.16.1.0/24---(3com Netbuilder II router)---10.x.x.x/16 customer subnets
Here is the problem: look at the configs below, notice I have a bunch of static NAT maps to 10.x.x.x machines that are servers for the customer. There is also one map to 172.16.1.2 which is to give telnet access to the netbuilder from outside.
From the 1601, you cannot ping the 172.16.1.2 address at all. You also can't ping about 5 of 10.x.x.x hosts in the static maps.
All the static maps are allowed through the PIX unrestricted. From the PIX, you can ping any of those static maps fine, including the netbuilder 172.16.1.2 interface.
I chose to put all the NAT on the 1601, was this a bad move? Why can only some of the addresses be reached from the 1601?
Thanks for your help - Patrick
(1601)#wr t
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname (deleted)
!
enable secret (deleted)
enable password (deleted)
!
ip subnet-zero
!
!
!
interface Ethernet0
ip address (T1 public point to point #2) 192.168.1.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Serial0
mtu 4500
ip address (T1 point to point public ip #2) 255.255.255.252
no ip directed-broadcast
ip nat outside
encapsulation ppp
!
ip nat pool patip (public #1) (public #1) netmask 255.255.255.240
ip nat inside source list 1 pool patip overload
ip nat inside source static 10.180.0.40 (public #2)
ip nat inside source static 10.170.0.18 (public #4)
ip nat inside source static 10.170.0.2 (public #5)
ip nat inside source static 10.170.0.27 (public #3)
ip nat inside source static 10.170.0.7 (public #7)
ip nat inside source static 10.170.0.8 (public #9)
ip nat inside source static 10.170.0.29 (public #10)
ip nat inside source static 10.170.0.251 (public #12)
ip nat inside source static 10.170.0.252 (public #13)
ip nat inside source static 10.170.0.9 (public #14)
ip nat inside source static 10.170.0.190 (public #15)
ip nat inside source static 10.140.0.251 (public #6)
ip nat inside source static 172.16.1.2 (public #11)
ip classless
ip route 0.0.0.0 0.0.0.0 (t1 public ip point to point #1)
ip route 10.0.0.0 255.0.0.0 192.168.1.2
ip route 172.16.1.0 255.255.255.0 192.168.1.2
!
access-list 1 deny 10.170.0.190
access-list 1 deny 10.170.0.251
access-list 1 deny 10.170.0.252
access-list 1 deny 10.140.0.251
access-list 1 deny 10.180.0.40
access-list 1 deny 10.170.0.2
access-list 1 deny 10.170.0.7
access-list 1 deny 10.170.0.8
access-list 1 deny 10.170.0.9
access-list 1 deny 10.170.0.18
access-list 1 deny 10.170.0.27
access-list 1 deny 10.170.0.29
access-list 1 deny 172.16.1.2
access-list 1 permit any
!
line con 0
transport input none
line 1
line vty 0 4
password (deleted)
login
!
end
(1601)#
pixfirewall(config)# wr t
Building configuration...
: Saved
:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password (deleted) encrypted
passwd (deleted) encrypted
hostname pixfirewall
domain-name customer
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_in permit ip any host 10.170.0.2
access-list acl_in permit ip any host 10.170.0.8
access-list acl_in permit ip any host 10.180.0.40
access-list acl_in permit ip any host 10.170.0.18
access-list acl_in permit ip any host 10.170.0.27
access-list acl_in permit ip any host 10.170.0.7
access-list acl_in permit ip any host 10.170.0.29
access-list acl_in permit ip any host 10.170.0.251
access-list acl_in permit ip any host 10.170.0.252
access-list acl_in permit ip any host 10.170.0.9
access-list acl_in permit ip any host 10.170.0.190
access-list acl_in permit ip any host 10.140.0.251
access-list acl_in permit ip any host 172.16.1.2
access-list acl_in permit icmp any any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.2 255.255.255.0
ip address inside 172.16.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group acl_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 10.0.0.0 255.0.0.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:2cd52cc75a5cc5c22240c30fea0fbd78
: end
[OK]
pixfirewall(config)#
03-10-2002 04:07 PM
typo in copying 1601 config: ethernet0 interface should read: ip address 192.168.1.1 255.255.255.0
NOT: ip address (T1 public point to point #2) 192.168.1.1 255.255.255.0
sorry!
03-11-2002 11:13 AM
In the PIX, a "global" or "static" command is needed to make the inside hosts (10.x.x.x) visible outside. I'm not sure how it is possible to ping any 10.x.x.x host at all without proper global/static translation by the PIX.
Anyway, try using a static command for one host (preferably a host that can not be pinged), e.g.:
static (inside,outside) 10.170.0.190 10.170.0.190 netmask 255.255.255.255 0 0
Regards ...
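A toy model of the decision the reply above describes, added here as an illustration (not PIX code and not from anyone in the thread): an outside-initiated packet reaches an inside host only if the outside ACL permits it and the PIX holds an xlate for that host, either from a static or from an identity xlate left behind by earlier outbound traffic under nat (inside) 0. The identity-xlate explanation for why some hosts answered and others did not is my assumption; the thread does not confirm it.

```python
from ipaddress import ip_address, ip_network

class Pix:
    """Toy PIX 6.x outside->inside decision: ACL permit AND an xlate (static,
    or an identity xlate created by 'nat (inside) 0' traffic) are both needed.
    Constructed model; the outbound-creates-xlate behaviour is an assumption."""

    def __init__(self):
        self.statics = set()   # hosts with 'static (inside,outside) x x'
        self.xlates = set()    # live identity xlates created by nat 0
        self.acl_in = []       # (protocol, destination network or None = any)

    def static(self, host):
        self.statics.add(ip_address(host))

    def acl_permit(self, proto, dst=None):
        self.acl_in.append((proto, ip_network(dst) if dst else None))

    def outbound(self, src):
        self.xlates.add(ip_address(src))   # inside host talked out: nat 0 xlate

    def xlate_timeout(self):
        self.xlates.clear()                # 'timeout xlate 3:00:00' expired

    def inbound(self, proto, dst):
        d = ip_address(dst)
        permitted = any((p == proto or p == "ip") and (n is None or d in n)
                        for p, n in self.acl_in)
        if not permitted:
            return "denied by acl_in"
        if d in self.statics or d in self.xlates:
            return "forwarded"
        return "dropped: no translation group found"   # PIX syslog 305005

def scenario():
    """Replay the thread's PIX config (abridged acl_in, nat 0, no statics)."""
    pix = Pix()
    for host in ("10.170.0.2", "10.170.0.190", "172.16.1.2"):
        pix.acl_permit("ip", host + "/32")
    pix.acl_permit("icmp")                  # 'permit icmp any any'
    pix.outbound("10.170.0.2")              # a server that recently talked outbound
    quiet = pix.inbound("icmp", "10.170.0.190")   # host that never initiated anything
    busy = pix.inbound("icmp", "10.170.0.2")
    pix.static("10.170.0.190")              # the static suggested in the reply
    fixed = pix.inbound("icmp", "10.170.0.190")
    pix.xlate_timeout()
    expired = pix.inbound("icmp", "10.170.0.2")
    return quiet, busy, fixed, expired
```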
03-11-2002 03:50 PM
yes, I follow what you are saying, what I ended up doing was taking the NAT off of the 1601 and moving it over to the PIX, with the appropriate global/static (inside,outside) maps. Everything worked fine after that. I would like to know, however, why I could ping some of the 10.x.x.x hosts from the 1601, that were mapped in the original 1601 config above, and not others? If anyone has a definitive answer, please let me know. I would like to know for the sake of argument how it could be done if you chose to not do NAT on the PIX to private addresses behind the PIX.