Hi all,
I want the PIX to perform all NAT so that I don't have to NAT on the router as well. Basically I want to avoid double NAT, but at this point there doesn't seem to be a way around it: I CAN get out when NAT is enabled on the router, but not when it's disabled. Any idea what I may be doing incorrectly? My router config and PIX config are posted below. When I run traces from the router, no matter which interface they are sourced from, they basically go nowhere. I can ping out from the PIX to 4.2.2.2 just fine, by the way.
! Router configuration as pasted (hostname and secrets masked by the poster).
! No 'ip nat' statements appear, so this is the "router NAT disabled" state.
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
! 'enable secret' stores a hashed secret (preferable to a plain 'enable password').
enable secret xxxxxxxxxxxxxxxx
!
no aaa new-model
ip subnet-zero
! Drop packets that carry IP source-route options.
no ip source-route
!
!
no ip domain lookup
no ip dhcp conflict logging
!
no ip bootp server
ip cef
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! QoS: 'voice' is whatever access-list 105 matches.
! NOTE(review): access-list 105 does not appear in this paste; until it exists the class
! matches nothing and all traffic falls into class-default — confirm it is defined.
class-map match-all voice
match access-group 105
!
!
! policy1 is applied outbound on FastEthernet1/0 (the link to the PIX):
! a 96 kbps priority (LLQ) class for 'voice', fair-queue for everything else.
policy-map policy1
class voice
priority 96
class class-default
fair-queue
!
!
!
!
!
!
! Loopback 10.11.0.1/24 (advertised by EIGRP via 'network 10.0.0.0').
interface Loopback0
ip address 10.11.0.1 255.255.255.0
!
! PPP multilink bundle to Site_B; Serial0/0 and Serial0/1 are its members
! ('ppp multilink group 1'). The bundle carries the IP address, the members do not.
interface Multilink1
description Multilink bundle to Site_B
ip address 172.16.1.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
no cdp enable
ppp multilink
ppp multilink fragment disable
ppp multilink group 1
!
! Unused, administratively down.
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
! Member link of Multilink1 (DCE side, clock rate set here).
interface Serial0/0
description Multilink bundle to Site_B
no ip address
no ip redirects
no ip unreachables
encapsulation ppp
no keepalive
clock rate 4000000
no fair-queue
no cdp enable
ppp multilink
ppp multilink group 1
!
! Member link of Multilink1 (DCE side, clock rate set here).
interface Serial0/1
description Multilink bundle to Site_B
no ip address
no ip redirects
no ip unreachables
encapsulation ppp
no keepalive
clock rate 4000000
no fair-queue
no cdp enable
ppp multilink
ppp multilink group 1
!
! Link to the PIX inside interface (PIX is 192.168.1.1, this router is 192.168.1.2).
! NOTE(review): the PIX's 'route inside ... 192.168.1.1' entries name the PIX's own
! address as gateway, which makes the PIX ARP on this segment for 10.x/172.16.x
! destinations; with 'no ip proxy-arp' here the router will not answer those ARPs.
! Pointing the PIX routes at 192.168.1.2 instead avoids relying on proxy ARP at all.
interface FastEthernet1/0
description link to pix
ip address 192.168.1.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no keepalive
no cdp enable
service-policy output policy1
!
! Site LAN 10.0.100.0/24; DHCP requests relayed to 10.0.100.4.
! NOTE(review): the PIX config below only has 'route inside 10.0.0.0 255.255.248.0'
! (10.0.0.0/21 = 10.0.0.0-10.0.7.255), which does NOT cover 10.0.100.0/24 or the
! 10.11.0.1 loopback. With router NAT off, replies for these sources reach the PIX
! untranslated, find no inside route, and follow its default route back out — the
! most likely reason Internet access only works with router NAT enabled.
interface FastEthernet2/0
description SITE_A_LAN
ip address 10.0.100.1 255.255.255.0
ip helper-address 10.0.100.4
no ip redirects
no ip unreachables
no ip proxy-arp
speed 100
full-duplex
!
!
! Point-to-point PPP link 172.16.3.1/30 (peer not shown in this paste).
interface Serial3/0
ip address 172.16.3.1 255.255.255.252
no ip redirects
no ip unreachables
encapsulation ppp
no keepalive
clock rate 4000000
!
! Unused, administratively down.
interface Serial3/1
no ip address
shutdown
!
! EIGRP AS 210 over the LAN, loopback, serial links and the PIX segment.
! NOTE(review): 'redistribute rip' has no matching 'router rip' in this paste, and
! 'network 68.0.0.0' / 'network 192.168.10.0' match no interface shown — probably
! leftovers; confirm before removing.
router eigrp 210
redistribute rip
network 10.0.0.0
network 68.0.0.0
network 172.16.0.0
network 192.168.1.0
network 192.168.10.0
no auto-summary
!
no ip http server
no ip http secure-server
ip classless
!
! NOTE(review): two default routes at the same administrative distance (1). The first
! names only the exit interface; on a multi-access Ethernet segment that makes the
! router ARP for every destination address, and the PIX will generally not answer
! those ARPs. The next-hop form (192.168.1.1, the PIX inside address) is sufficient on
! its own; consider removing the interface-only route.
ip route 0.0.0.0 0.0.0.0 f1/0
ip route 0.0.0.0 0.0.0.0 192.168.1.1
-------------------------------------
pix501 config
: PIX 501 configuration as pasted (passwords masked by the poster).
interface ethernet0 100full
interface ethernet1 100full
: ethernet0 = outside (security level 0), ethernet1 = inside (security level 100).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
hostname PIX
domain-name PIX
: Application-layer inspection ('fixup') settings.
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
pager lines 24
: Syslog at level 'errors', facility 23 (local7).
: NOTE(review): no 'logging host' appears in this paste, so nothing receives these
: messages — confirm a collector is configured.
logging on
logging trap errors
logging history errors
logging facility 23
mtu outside 1500
mtu inside 1500
: Outside address and a default route come from the ISP via DHCP ('setroute').
: NOTE(review): the static 'route outside 0.0.0.0 0.0.0.0 68.38.72.1' below also sets a
: default route; keep one of the two so the gateway cannot disagree if the
: DHCP-supplied one changes.
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
: Inline signature checks on the outside interface: 'attack' class signatures alarm,
: drop and reset; 'info' class signatures alarm only. Two ICMP informational
: signatures (2001, 2004) are disabled.
ip audit name attacking attack action alarm drop reset
ip audit interface outside attacking
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2001 disable
ip audit signature 2004 disable
pdm logging informational 100
pdm history enable
arp timeout 14400
: PAT of every inside source to the outside (DHCP) address. The 192.168.1.0/30 entry
: is subsumed by the 0.0.0.0/0 entry (and its /30 mask does not match the /24 inside
: subnet); it can be dropped.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.252 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 68.38.72.1 1
: Return routes toward the router.
: NOTE(review): two problems here. (1) 255.255.248.0 is /21, so the first entry covers
: 10.0.0.0-10.0.7.255 and does NOT include the router's LAN 10.0.100.0/24 or its
: loopback 10.11.0.1; with router NAT off, replies for those sources have no inside
: route and follow the default route back out — most likely why it only works with
: router NAT on. (2) The gateway 192.168.1.1 is this PIX's own inside address (the
: router is 192.168.1.2), which makes the PIX ARP for each destination on the inside
: segment, and the router has 'no ip proxy-arp' on that link. Suggested replacement:
: 'route inside 10.0.100.0 255.255.255.0 192.168.1.2 1' and
: 'route inside 172.16.0.0 255.255.248.0 192.168.1.2 1' (the /21 does cover both
: 172.16.1.0/30 and 172.16.3.0/30); add a 10.11.0.0/24 entry if the loopback must be
: reachable.
route inside 10.0.0.0 255.255.248.0 192.168.1.1 1
route inside 172.16.0.0 255.255.248.0 192.168.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
: NOTE(review): the SNMP community string was left in clear in the paste while the
: passwords were masked — treat it as disclosed and change it. No 'snmp-server host'
: is configured, so 'snmp-server enable traps' has no destination.
snmp-server community ATXNet
snmp-server enable traps
floodguard enable
: Clear-text Telnet management is permitted from the entire inside /24. No
: 'ssh <addr> <mask> <if>' lines appear in this paste, so SSH is not usable despite
: 'ssh timeout 30' — prefer adding an ssh entry and narrowing the telnet source.
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 30
: 0 = console sessions never time out.
console timeout 0
: DHCP for inside hosts: 192.168.1.3-.10, DNS 68.87.64.146, 1-hour lease; the router
: at .2 is statically addressed and outside the pool.
dhcpd address 192.168.1.3-192.168.1.10 inside
dhcpd dns 68.87.64.146
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I want the PIX to perform all NAT so that I don't have to NAT on the router as well. Basically I want to avoid double NAT, but at this point there doesn't seem to be a way around it: I CAN get out when NAT is enabled on the router, but not when it's disabled. Any idea what I may be doing incorrectly? My router config and PIX config are posted below. When I run traces from the router, no matter which interface they are sourced from, they basically go nowhere. I can ping out from the PIX to 4.2.2.2 just fine, by the way.
! Router configuration as pasted (hostname and secrets masked by the poster).
! No 'ip nat' statements appear, so this is the "router NAT disabled" state.
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
! 'enable secret' stores a hashed secret (preferable to a plain 'enable password').
enable secret xxxxxxxxxxxxxxxx
!
no aaa new-model
ip subnet-zero
! Drop packets that carry IP source-route options.
no ip source-route
!
!
no ip domain lookup
no ip dhcp conflict logging
!
no ip bootp server
ip cef
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! QoS: 'voice' is whatever access-list 105 matches.
! NOTE(review): access-list 105 does not appear in this paste; until it exists the class
! matches nothing and all traffic falls into class-default — confirm it is defined.
class-map match-all voice
match access-group 105
!
!
! policy1 is applied outbound on FastEthernet1/0 (the link to the PIX):
! a 96 kbps priority (LLQ) class for 'voice', fair-queue for everything else.
policy-map policy1
class voice
priority 96
class class-default
fair-queue
!
!
!
!
!
!
! Loopback 10.11.0.1/24 (advertised by EIGRP via 'network 10.0.0.0').
interface Loopback0
ip address 10.11.0.1 255.255.255.0
!
! PPP multilink bundle to Site_B; Serial0/0 and Serial0/1 are its members
! ('ppp multilink group 1'). The bundle carries the IP address, the members do not.
interface Multilink1
description Multilink bundle to Site_B
ip address 172.16.1.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
no cdp enable
ppp multilink
ppp multilink fragment disable
ppp multilink group 1
!
! Unused, administratively down.
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
! Member link of Multilink1 (DCE side, clock rate set here).
interface Serial0/0
description Multilink bundle to Site_B
no ip address
no ip redirects
no ip unreachables
encapsulation ppp
no keepalive
clock rate 4000000
no fair-queue
no cdp enable
ppp multilink
ppp multilink group 1
!
! Member link of Multilink1 (DCE side, clock rate set here).
interface Serial0/1
description Multilink bundle to Site_B
no ip address
no ip redirects
no ip unreachables
encapsulation ppp
no keepalive
clock rate 4000000
no fair-queue
no cdp enable
ppp multilink
ppp multilink group 1
!
! Link to the PIX inside interface (PIX is 192.168.1.1, this router is 192.168.1.2).
! NOTE(review): the PIX's 'route inside ... 192.168.1.1' entries name the PIX's own
! address as gateway, which makes the PIX ARP on this segment for 10.x/172.16.x
! destinations; with 'no ip proxy-arp' here the router will not answer those ARPs.
! Pointing the PIX routes at 192.168.1.2 instead avoids relying on proxy ARP at all.
interface FastEthernet1/0
description link to pix
ip address 192.168.1.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no keepalive
no cdp enable
service-policy output policy1
!
! Site LAN 10.0.100.0/24; DHCP requests relayed to 10.0.100.4.
! NOTE(review): the PIX config below only has 'route inside 10.0.0.0 255.255.248.0'
! (10.0.0.0/21 = 10.0.0.0-10.0.7.255), which does NOT cover 10.0.100.0/24 or the
! 10.11.0.1 loopback. With router NAT off, replies for these sources reach the PIX
! untranslated, find no inside route, and follow its default route back out — the
! most likely reason Internet access only works with router NAT enabled.
interface FastEthernet2/0
description SITE_A_LAN
ip address 10.0.100.1 255.255.255.0
ip helper-address 10.0.100.4
no ip redirects
no ip unreachables
no ip proxy-arp
speed 100
full-duplex
!
!
! Point-to-point PPP link 172.16.3.1/30 (peer not shown in this paste).
interface Serial3/0
ip address 172.16.3.1 255.255.255.252
no ip redirects
no ip unreachables
encapsulation ppp
no keepalive
clock rate 4000000
!
! Unused, administratively down.
interface Serial3/1
no ip address
shutdown
!
! EIGRP AS 210 over the LAN, loopback, serial links and the PIX segment.
! NOTE(review): 'redistribute rip' has no matching 'router rip' in this paste, and
! 'network 68.0.0.0' / 'network 192.168.10.0' match no interface shown — probably
! leftovers; confirm before removing.
router eigrp 210
redistribute rip
network 10.0.0.0
network 68.0.0.0
network 172.16.0.0
network 192.168.1.0
network 192.168.10.0
no auto-summary
!
no ip http server
no ip http secure-server
ip classless
!
! NOTE(review): two default routes at the same administrative distance (1). The first
! names only the exit interface; on a multi-access Ethernet segment that makes the
! router ARP for every destination address, and the PIX will generally not answer
! those ARPs. The next-hop form (192.168.1.1, the PIX inside address) is sufficient on
! its own; consider removing the interface-only route.
ip route 0.0.0.0 0.0.0.0 f1/0
ip route 0.0.0.0 0.0.0.0 192.168.1.1
-------------------------------------
pix501 config
: PIX 501 configuration as pasted (passwords masked by the poster).
interface ethernet0 100full
interface ethernet1 100full
: ethernet0 = outside (security level 0), ethernet1 = inside (security level 100).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
hostname PIX
domain-name PIX
: Application-layer inspection ('fixup') settings.
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
pager lines 24
: Syslog at level 'errors', facility 23 (local7).
: NOTE(review): no 'logging host' appears in this paste, so nothing receives these
: messages — confirm a collector is configured.
logging on
logging trap errors
logging history errors
logging facility 23
mtu outside 1500
mtu inside 1500
: Outside address and a default route come from the ISP via DHCP ('setroute').
: NOTE(review): the static 'route outside 0.0.0.0 0.0.0.0 68.38.72.1' below also sets a
: default route; keep one of the two so the gateway cannot disagree if the
: DHCP-supplied one changes.
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
: Inline signature checks on the outside interface: 'attack' class signatures alarm,
: drop and reset; 'info' class signatures alarm only. Two ICMP informational
: signatures (2001, 2004) are disabled.
ip audit name attacking attack action alarm drop reset
ip audit interface outside attacking
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2001 disable
ip audit signature 2004 disable
pdm logging informational 100
pdm history enable
arp timeout 14400
: PAT of every inside source to the outside (DHCP) address. The 192.168.1.0/30 entry
: is subsumed by the 0.0.0.0/0 entry (and its /30 mask does not match the /24 inside
: subnet); it can be dropped.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.252 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 68.38.72.1 1
: Return routes toward the router.
: NOTE(review): two problems here. (1) 255.255.248.0 is /21, so the first entry covers
: 10.0.0.0-10.0.7.255 and does NOT include the router's LAN 10.0.100.0/24 or its
: loopback 10.11.0.1; with router NAT off, replies for those sources have no inside
: route and follow the default route back out — most likely why it only works with
: router NAT on. (2) The gateway 192.168.1.1 is this PIX's own inside address (the
: router is 192.168.1.2), which makes the PIX ARP for each destination on the inside
: segment, and the router has 'no ip proxy-arp' on that link. Suggested replacement:
: 'route inside 10.0.100.0 255.255.255.0 192.168.1.2 1' and
: 'route inside 172.16.0.0 255.255.248.0 192.168.1.2 1' (the /21 does cover both
: 172.16.1.0/30 and 172.16.3.0/30); add a 10.11.0.0/24 entry if the loopback must be
: reachable.
route inside 10.0.0.0 255.255.248.0 192.168.1.1 1
route inside 172.16.0.0 255.255.248.0 192.168.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
: NOTE(review): the SNMP community string was left in clear in the paste while the
: passwords were masked — treat it as disclosed and change it. No 'snmp-server host'
: is configured, so 'snmp-server enable traps' has no destination.
snmp-server community ATXNet
snmp-server enable traps
floodguard enable
: Clear-text Telnet management is permitted from the entire inside /24. No
: 'ssh <addr> <mask> <if>' lines appear in this paste, so SSH is not usable despite
: 'ssh timeout 30' — prefer adding an ssh entry and narrowing the telnet source.
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 30
: 0 = console sessions never time out.
console timeout 0
: DHCP for inside hosts: 192.168.1.3-.10, DNS 68.87.64.146, 1-hour lease; the router
: at .2 is statically addressed and outside the pool.
dhcpd address 192.168.1.3-192.168.1.10 inside
dhcpd dns 68.87.64.146
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx