PIX 515E not allowing NAT translations on local public subnet
Hello, I'm in the process of closing a big hole my predecessor left for me. I maintain a small school district's network that also provides Internet access to our local police. The initial setup was this:
Cisco 2800 Router (provided by ISP, non-configurable) as x.x.x.254 on our Class C.
SOHO hub (don't ask)
Two things: the outside if (x.x.x.250) of the PIX, which links to the primary VLAN (10.1.0.0/16) on the inside if, and a VLAN that the police were already hooked up to (10.7.0.0/16). Already the hole is evident; there's a complete bypass of the PIX available to anyone who can see it.
My first change was to remove the SOHO hub. I created another VLAN for the PIX, 2800, and the police dept. Now my problem stems from the police dept.'s need to get to webmail, as we provide their email accounts as well. The webmail system sits inside the PIX, with a static map between its private IP and public IP (x.x.x.4), and the necessary ACLs to allow traffic in over port 80. The police dept.'s router/VPN box (x.x.x.100) sits in the same VLAN, subnet, etc., and can see the ISP's router with no problems, gets any Internet traffic they want, and the VPN tunnels are up and running. DNS resolves appropriately, but their systems will NOT go to ANY of my static NAT mappings. x.x.x.3, .4, .5, & .8 are all valid IPs used by the PIX to route traffic in, and from anywhere but the police dept., they work. There is no mention of x.x.x.100 in any of the PIX config, not in the global mappings for dynamic access, not in ACLs.
Re: PIX 515E not allowing NAT translations on local public subnet
OK. I understand now that NAT translations happen after ACLs are passed. That still does not resolve the issue. If I type the public IP address of my webmail server (x.x.x.4) from my home computer (y.y.y.180), I get to my webmail server. If I attach a system to the same subnet as the outside address of the PIX (the PIX is x.x.x.250, the test system is x.x.x.252) and attempt to access the webmail system (x.x.x.4), it times out. I put a static route in my test system for x.x.x.4, rebooted, no luck. I tested another address (x.x.x.5, my webserver) without said static route, no luck. I tried adding an ACL to the PIX to allow ALL ip traffic from the test system (x.x.x.252), still no luck. Any other thoughts?
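For readers following the thread, here is the kind of PIX 6.x configuration the poster describes (one static map plus an inbound HTTP ACL) together with the show/capture commands used to confirm whether the test host's packets reach the outside interface and hit the translation. This is an added illustration, not the poster's actual config: the interface names, the 10.1.0.4 private address and the default-route next hop x.x.x.254 are assumptions; comment lines use the ":" prefix seen in saved PIX configs.

```text
: Assumed layout: outside = x.x.x.250/24 toward the ISP router x.x.x.254,
: inside = 10.1.0.0/16, webmail server at 10.1.0.4 (hypothetical address)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside x.x.x.250 255.255.255.0
ip address inside 10.1.0.1 255.255.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.254 1
: One-to-one static translation: public x.x.x.4 <-> private 10.1.0.4
static (inside,outside) x.x.x.4 10.1.0.4 netmask 255.255.255.255 0 0
: Only HTTP to the mapped public address is allowed in from the outside
access-list outside_in permit tcp any host x.x.x.4 eq www
access-group outside_in in interface outside
: Verification while the same-subnet test host (x.x.x.252) retries the connection
show xlate
show arp
show access-list
capture web access-list outside_in interface outside
show capture web
```

If `show access-list` shows no hit count and the capture stays empty while the test host retries, the packets are not arriving at the outside interface at all (an ARP or layer-2 path question on the shared VLAN); if they are counted but `show xlate` shows no translation being used, the problem is on the PIX side of the translation.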