1017 Views, 5 Helpful, 20 Replies

pix vpn public dmz

durale1789
Level 1

Hi,

I'd like to establish a VPN from a PIX firewall 515, OS version 7.0(5), with a public DMZ and NAT translation.

inside: 10.5.10.0/24

outside: 1.1.1.1/27 (public range)

dmz: 2.2.2.2/27 (public range)

remote inside network:192.168.20.0/24

So my encryption domain must be: 2.2.2.3/32 -- 192.168.20.0/24

and I've got a NAT rule which is:

nat (inside,dmz) 2.2.2.3 10.5.10.28 netmask 255.255.255.255

So basically I want to translate the connections coming from 2.2.2.3 to 10.5.10.28.

The VPN is set up correctly and established on both sides, but the NAT rule doesn't work with the VPN.

Built inbound TCP connection 4619 for outside:192.168.20.82/34237 (192.168.20.82/34237) to dmz:2.2.2.3/22 (2.2.2.3/22)

but I can't see any traffic on the server 10.5.10.28. I should see instead:

Built inbound TCP connection 4619 for outside:192.168.20.82/34237 (192.168.20.82/34237) to dmz:10.5.10.28/22 (10.5.10.28/22)

Any help would be great!

Regards,

durale

20 Replies

I got your point! Thank you again for this explanation.

Now another question comes into my mind: if I want to use this logical IP address 2.2.2.3 accessible via DMZ.

If from the Internet I do a simple ping to 2.2.2.3, it fails. The packet doesn't even come through the PIX.

So do I need to specify:

global (dmz) 1 2.2.2.3 255.255.255.255

and then maybe something like that:

static (inside,dmz) 2.2.2.3 10.5.10.28 netmask 255.255.255.255

Alexandre

Hi Alexandre

Could you just clarify what you mean by accessible from the DMZ?

If you mean without a VPN, then the public IP address, e.g. 2.2.2.3, must be routable to your pix. If a ping is not even reaching the pix, then either the address range is not being routed to your pix or something is blocking the ping further up.

Jon

Yes Jon, I meant without VPN. I can reach 2.2.2.2, which is the physical DMZ PIX interface, so that means my routing is OK. Do I need any other NAT rules or any other access-list? 2.2.2.3 is a logical IP address, and maybe that's the reason I can't ping it without VPN, because the logical one is not routable?

Alex

Hi Alex

No, you should still be able to ping the IP address from the outside. The logical one is still a routable address.

If you ping 2.2.2.3 on the internet the device pinging has no idea that 2.2.2.3 is not tied to a physical address but is used in NAT.

When you ping 2.2.2.3, you do still want the ping to go through to 10.5.10.28, right?

Have you tried doing a traceroute to 2.2.2.3? This would show you if the packets are getting routed to the pix - the last hop should be the router in front of your pix.

If the routing to the 2.2.2.x subnet is working from the internet then there must be an issue with your config.

Perhaps you could post a copy of the config of your firewall minus any sensitive information.

HTH

Jon

Yes, I still want to NAT 2.2.2.3 to 10.5.10.28.

The thing is about routing first.

My default route is 1.1.1.1:

route outside 0.0.0.0 0.0.0.0 1.1.1.1

and 1.1.1.1 is routable through the Internet and knows about routing 2.2.2.2/27.

So let's take an example:

I ping from the Internet with my public IP address 8.8.8.8 to 2.2.2.2 (DMZ physical interface),

then I get the message from the PIX saying:

No route to 8.8.8.8 from 2.2.2.2

but then if I add the static route, it works and I can ping from 8.8.8.8 to 2.2.2.2:

route dmz 8.8.8.8/32 2.2.2.4/27 (2.2.2.4 is dmz route next router in this range like 1.1.1.1)

However, even if this route is in place I still can't ping 2.2.2.3 (the virtual one).

Secondly, why do I need to add this static route?

Regards,

Alexandre

Alex

You've got me a bit confused now :-).

What is the default route on your pix?

Could you draw a topology plus send some configs, because I don't follow the route you added to the pix, i.e. 8.8.8.8/23 2.2.2.4/24.

Is 2.2.2.4 the DMZ interface?

Jon
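A PIX 7.0-style configuration for the scenario Alexandre describes (10.5.10.28 published as 2.2.2.3 towards the DMZ, the VPN peer and the Internet, with the crypto ACL on the translated address as in the first post and the extra NAT rule and access-list he asks about later). This is an added illustration, not configuration from the thread; the ACL, crypto map and transform-set names and the peer address 203.0.113.1 are assumptions.

```cisco
! Added example (not from the thread): PIX 7.0-style static NAT for the
! public DMZ-range address 2.2.2.3, using the thread's own addresses.
! Assumed names: OUTSIDE_IN, VPN_TO_REMOTE, OUTSIDE_MAP, ESP-AES-SHA;
! 203.0.113.1 is a placeholder for the remote VPN gateway.

! A static is tied to one interface pair. This (inside,dmz) static only
! translates traffic between the inside and dmz interfaces, so a host on
! the DMZ reaches 10.5.10.28 as 2.2.2.3.
static (inside,dmz) 2.2.2.3 10.5.10.28 netmask 255.255.255.255

! Traffic from the VPN peer is decrypted on the outside interface, just
! like plain Internet traffic, so the same mapping must also exist for
! the (inside,outside) pair. Without it, a packet for 2.2.2.3 entering on
! outside is simply routed towards the connected dmz subnet 2.2.2.0/27,
! which matches the "to dmz:2.2.2.3/22" syslog in the first post.
static (inside,outside) 2.2.2.3 10.5.10.28 netmask 255.255.255.255

! Pre-8.3 PIX/ASA interface ACLs reference the mapped address, not the
! real one. Permit only what the server needs: TCP/22 from the remote
! network (as in the syslog) and ICMP echo for the ping test in the thread.
access-list OUTSIDE_IN extended permit tcp 192.168.20.0 255.255.255.0 host 2.2.2.3 eq 22
access-list OUTSIDE_IN extended permit icmp any host 2.2.2.3 echo
access-group OUTSIDE_IN in interface outside

! Encryption domain: NAT is applied before the crypto ACL is evaluated on
! the way out, so the crypto ACL uses the translated address 2.2.2.3,
! exactly as the original poster worked out.
access-list VPN_TO_REMOTE extended permit ip host 2.2.2.3 192.168.20.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_REMOTE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! Verification from the PIX CLI: both the translation and the connection
! should name the inside host, not only the DMZ-range address.
! show xlate | include 10.5.10.28
! show conn | include 10.5.10.28
```

The upstream router still has to route 2.2.2.0/27 (or at least 2.2.2.3/32) to the PIX outside interface, as Jon notes; the statics only decide what the PIX does once the packet has arrived.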
