
Easy NAT question 1

Status
Not open for further replies.

burtsbees

Programmer
Jan 29, 2007
7,657
US
Probably, anyway...

I am getting back into building labs with my PIX520 dinosaur with 6.3 on it. I cannot get it to translate inside addresses to an outside address for the life of me. I have a few routers attached to the pix outside interface, like this...

PC1---PIX---R1---R2---R3---PC2

I can ping the outside address on the PIX from PC2, so routing is not an issue. I can ping all the way to R3 from the PIX as well. I cannot ping from the inside (PC1) to the outside interface or anywhere else. I did a debug ICMP, and that is here

PIX(config)# 55: ICMP echo-request from inside:10.1.1.2 to 11.1.1.2 ID=512 seq=14336 length=40

56: ICMP echo-request: translating inside:10.1.1.2 to outside:10.1.1.2

57: ICMP echo-request from inside:10.1.1.2 to 11.1.1.2 ID=512 seq=14592 length=40

58: ICMP echo-request: translating inside:10.1.1.2 to outside:10.1.1.2

59: ICMP echo-request from inside:10.1.1.2 to 11.1.1.2 ID=512 seq=14848 length=40

60: ICMP echo-request: translating inside:10.1.1.2 to outside:10.1.1.2

61: ICMP echo-request from inside:10.1.1.2 to 11.1.1.2 ID=512 seq=15104 length=40

62: ICMP echo-request: translating inside:10.1.1.2 to outside:10.1.1.2

63: ICMP echo-request from inside:10.1.1.2 to 11.1.1.2 ID=512 seq=15360 length=40

64: ICMP echo-request: translating inside:10.1.1.2 to outside:10.1.1.2

65: ICMP echo-request from inside:10.1.1.2 to 11.1.1.2 ID=512 seq=15616 length=40

66: ICMP echo-request: translating inside:10.1.1.2 to outside:10.1.1.2

67: ICMP echo-request from inside:10.1.1.2 to 11.1.1.2 ID=512 seq=15872 length=40

68: ICMP echo-request: translating inside:10.1.1.2 to outside:10.1.1.2

The R1 interface facing the PIX is 11.1.1.2, and the outside int of the PIX is 11.1.1.1
PC1 can ping the inside address of the PIX. Here is the config

PIX(config)# sh run

: Saved

:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

interface ethernet3 auto shutdown

interface ethernet4 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security4

nameif ethernet3 intf3 security6

nameif ethernet4 mgmt security99

enable password w8xHKAPhmJ2QFL84 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname PIX

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list ping permit icmp 10.1.1.0 255.255.255.0 any echo-reply

access-list ping permit icmp 10.1.1.0 255.255.255.0 any time-exceeded

access-list ping permit icmp 10.1.1.0 255.255.255.0 any echo

access-list ping permit icmp 10.1.1.0 255.255.255.0 any unreachable

access-list NAT_OUT permit ip 11.1.1.0 255.255.255.248 any

access-list NAT_IN permit ip 10.1.1.0 255.255.255.0 any

pager lines 24

mtu outside 1500

mtu inside 1500

mtu intf2 1500

mtu intf3 1500

mtu mgmt 1500

ip address outside 11.1.1.1 255.255.255.248

ip address inside 10.1.1.1 255.255.255.0

no ip address intf2

no ip address intf3

ip address mgmt 192.168.69.55 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address intf2

no failover ip address intf3

no failover ip address mgmt

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group ping in interface inside

route outside 0.0.0.0 0.0.0.0 11.1.1.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 10.1.1.2 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

console timeout 0

username r00t password gmBe62bV3ETKY/fA encrypted privilege 15

terminal width 80

Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e

: end

PIX(config)#

And here is sh xlate

PIX(config)# SHOW XLATE

1 in use, 1 most used

Global 10.1.1.2 Local 10.1.1.2

Isn't the PIX supposed to translate 10.1.1.0/24 addresses on the inside to what is on the outside interface (either 11.1.1.1 or anything in that range on the outside)? Or is NAT even my issue (just figured it is since the debugs show that it is translating to itself, the pc1 address that is...)...????

What gives? Thanks...

/



tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
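The symptom in this post is an xlate entry whose Global and Local sides are the same address even though `global (outside) 1 interface` plus `nat (inside) 1 ...` says inside hosts should appear as 11.1.1.1. The Python below is an added checker (not from this thread and not Cisco code): it reads PIX-style config text, `show xlate` output and `debug icmp trace` lines and flags any translation the nat/global policy does not explain. The sample config, xlate and debug strings are constructed to match the shapes in the post; `interface`, single-address and a-b global pools are modelled, `nat 0 access-list` policy NAT is not.

```python
# Cross-check a PIX 6.3 nat/global policy against 'show xlate' and 'debug icmp trace' output.
# Added checker, not PIX code: it flags translations the policy does not explain, such as an
# inside host showing up on the outside as itself (the identity xlate seen in the thread).
import re
from ipaddress import IPv4Address, IPv4Network

IFACE_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
XLATE_RE = re.compile(r"^Global (\S+) Local (\S+)")
DEBUG_RE = re.compile(r"translating (\w+):(\S+) to (\w+):(\S+)")

# Constructed samples shaped like the thread's first config, xlate table and debug lines.
SAMPLE_CONFIG = """\
ip address outside 11.1.1.1 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""
SAMPLE_XLATE = "1 in use, 1 most used\nGlobal 10.1.1.2 Local 10.1.1.2\n"
SAMPLE_DEBUG = ("55: ICMP echo-request from inside:10.1.1.2 to 11.1.1.2 ID=512 seq=14336 length=40\n"
                "56: ICMP echo-request: translating inside:10.1.1.2 to outside:10.1.1.2\n")

def parse_config(text: str) -> dict:
    """Collect interface addresses, global pools (by nat id) and nat statements (iface, id, network)."""
    cfg = {"ifaces": {}, "globals": {}, "nats": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            cfg["ifaces"][m.group(1)] = IPv4Address(m.group(2))
        elif m := GLOBAL_RE.match(line):
            cfg["globals"].setdefault(int(m.group(2)), []).append((m.group(1), m.group(3)))
        elif (m := NAT_RE.match(line)) and m.group(3) != "access-list":   # policy NAT not modelled
            net = IPv4Network((m.group(3), m.group(4)), strict=False)
            cfg["nats"].append((m.group(1), int(m.group(2)), net))
    return cfg

def pool_addresses(cfg: dict, nat_id: int, out_iface: str) -> set:
    """Addresses a 'global (out_iface) nat_id ...' line can hand out: 'interface', one address or a-b."""
    addrs = set()
    for iface, spec in cfg["globals"].get(nat_id, []):
        if iface != out_iface:
            continue
        if spec == "interface":
            addrs.add(cfg["ifaces"][iface])
        elif "-" in spec:
            lo, hi = (int(IPv4Address(a)) for a in spec.split("-"))
            addrs.update(IPv4Address(i) for i in range(lo, hi + 1))
        else:
            addrs.add(IPv4Address(spec))
    return addrs

def nat_id_for(cfg: dict, in_iface: str, local: IPv4Address):
    """Nat id of the most specific nat statement on in_iface covering local, or None."""
    hits = [(net.prefixlen, nid) for iface, nid, net in cfg["nats"] if iface == in_iface and local in net]
    return max(hits)[1] if hits else None

def check_translation(cfg: dict, in_iface: str, local: IPv4Address, out_iface: str, glob: IPv4Address):
    """A finding string when (local -> glob) disagrees with the nat/global policy, else None."""
    nat_id = nat_id_for(cfg, in_iface, local)
    if nat_id is None:
        return f"{local}: no nat statement on {in_iface} covers this host"
    if nat_id == 0:
        return None                                        # nat 0: untranslated by design
    pool = sorted(str(a) for a in pool_addresses(cfg, nat_id, out_iface))
    if not pool:
        return f"{local}: nat id {nat_id} has no global on {out_iface}"
    if glob == local:
        return f"{local}: identity translation on {out_iface}, policy expects {pool} (stale entry? 'clear xlate')"
    if str(glob) not in pool:
        return f"{local}: translated to {glob}, outside pool {pool}"
    return None

def audit_xlate(cfg: dict, text: str, in_iface: str = "inside", out_iface: str = "outside") -> list:
    """Findings for each 'Global X Local Y' line of 'show xlate' (entries assumed inside->outside)."""
    findings = []
    for line in text.splitlines():
        if m := XLATE_RE.match(line.strip()):
            f = check_translation(cfg, in_iface, IPv4Address(m.group(2)), out_iface, IPv4Address(m.group(1)))
            if f:
                findings.append(f)
    return findings

def audit_debug(cfg: dict, text: str) -> list:
    """Findings for each 'translating A:x to B:y' line of 'debug icmp trace'."""
    findings = []
    for line in text.splitlines():
        if m := DEBUG_RE.search(line):
            f = check_translation(cfg, m.group(1), IPv4Address(m.group(2)), m.group(3), IPv4Address(m.group(4)))
            if f:
                findings.append(f)
    return findings

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for finding in audit_xlate(cfg, SAMPLE_XLATE) + audit_debug(cfg, SAMPLE_DEBUG):
        print("FINDING:", finding)
```

Run against the post's own output it reports the identity xlate once from `show xlate` and once from the debug trace; the same checker stays quiet on a healthy `Global 11.1.1.1 Local 10.1.1.2` entry, which is the result the thread eventually reached after `clear xlate`.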
 
add
fixup protocol icmp error

Your ping acl should be applied to the outside interface, not the inside, and just fix the IPs.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I took the ping acl off to no avail. Will applying it to the outside allow me to ping from the INSIDE? I can already ping the outside interface---the inside is not getting NATted from the looks of it...

I will try those tomorrow. So CBAC is inspecting ICMP Error?

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Yes, the ASA must inspect the pings to allow them back through. Also, the "error" part accounts for unreachable and time-out packets generated by routers along the way that have a different IP than the destination.

It should work without an ACL applied to any interface by default.

You have this
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

so it should be natting any inside addresses to 11.1.1.1.

??? I know you aren't a M$ fan but I can give you their $400/HR incident call answer - Reboot/Re-install. I'll leave my paypal account... :-D


Brent
Systems Engineer / Consultant
CCNP, CCSP
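Brent's point about the "error" part of the fixup is that a router's unreachable or time-exceeded message is sourced from the router and addressed to the PAT'd global address, so only the original header embedded inside the ICMP error identifies which inside host it belongs to. The Python below is an added illustration of that inspection, not PIX code and not from this thread: it builds a constructed echo-request as it looks after PAT (src 11.1.1.1, ID 512, to a made-up far host 33.1.1.2), has R1 at 11.1.1.2 answer with host-unreachable, and shows that message dropped when errors are not inspected and rewritten back to 10.1.1.2 when they are. The xlate table and the simplification that PAT leaves the ICMP identifier unchanged are the example's own assumptions.

```python
# Why a NAT firewall has to inspect ICMP error messages (the point of 'fixup protocol icmp error').
# Added illustration, not PIX code: the hop router's error is addressed to the PAT'd global address;
# only the original IP header embedded in the error says which inside host it belongs to.
import struct
from ipaddress import IPv4Address

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
ICMP_ERROR_TYPES = {3: "unreachable", 11: "time-exceeded"}   # the types the thread's ACLs permit

def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum; returns 0 when run over data whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 1, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]   # bytes 10-11 hold the checksum
    return hdr + payload

def build_icmp_echo(ident: int, seq: int, data: bytes = b"") -> bytes:
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, checksum(hdr + data), ident, seq) + data

def build_icmp_error(etype: int, code: int, original: bytes) -> bytes:
    """An ICMP error carries the offending packet's IP header plus its first 8 payload bytes (RFC 792)."""
    body = original[:28]
    hdr = struct.pack("!BBHI", etype, code, 0, 0)
    return struct.pack("!BBHI", etype, code, checksum(hdr + body), 0) + body

def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _tos, _tl, _id, _fl, _ttl, proto, _cs, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": IPv4Address(src), "dst": IPv4Address(dst), "proto": proto, "payload": pkt[ihl:]}

def parse_icmp(data: bytes) -> dict:
    etype, code = data[0], data[1]
    if etype in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        ident, seq = struct.unpack("!HH", data[4:8])
        return {"type": etype, "code": code, "id": ident, "seq": seq}
    if etype in ICMP_ERROR_TYPES:
        inner = parse_ipv4(data[8:])                       # embedded original header starts after 8 bytes
        inner_icmp = parse_icmp(inner["payload"]) if inner["proto"] == 1 else None
        return {"type": etype, "code": code, "inner": inner, "inner_icmp": inner_icmp}
    return {"type": etype, "code": code}

# Constructed PAT table, global side -> inside host, keyed on (global address, ICMP identifier).
# Simplification: the identifier is assumed to survive PAT unchanged; a real PAT may rewrite it too.
XLATE = {(IPv4Address("11.1.1.1"), 512): IPv4Address("10.1.1.2")}

def untranslate_icmp_error(pkt: bytes, xlate: dict, inspect_errors: bool = True):
    """Outside -> inside handling of one ICMP error. Returns (verdict, rewritten packet or None)."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != 1:
        return "not-icmp", None
    icmp = parse_icmp(ip["payload"])
    if icmp["type"] not in ICMP_ERROR_TYPES:
        return "not-icmp-error", None
    if not inspect_errors:
        # Only the outer header is consulted: an error from a hop router (src 11.1.1.2 here) matches
        # no outbound translation, so it is dropped and the inside host never sees the unreachable.
        return "dropped-no-inspection", None
    inner, inner_icmp = icmp["inner"], icmp["inner_icmp"]
    if inner_icmp is None or ip["dst"] != inner["src"]:
        return "dropped-inconsistent", None                # error not addressed to the embedded sender
    local = xlate.get((inner["src"], inner_icmp["id"]))
    if local is None:
        return "dropped-no-xlate", None
    # Put the inside host back as the embedded header's source, re-checksum that header, re-wrap
    # the error and address the outer packet to the inside host.
    inner_hdr = bytearray(ip["payload"][8:28])
    inner_hdr[12:16] = local.packed
    inner_hdr[10:12] = b"\x00\x00"
    inner_hdr[10:12] = struct.pack("!H", checksum(bytes(inner_hdr)))
    new_err = build_icmp_error(icmp["type"], icmp["code"], bytes(inner_hdr) + ip["payload"][28:])
    return "forwarded", build_ipv4(str(ip["src"]), str(local), new_err, ttl=63)

def demo():
    # Constructed: PC1's echo-request after PAT (src 11.1.1.1, ID 512) to a made-up far host 33.1.1.2,
    # and R1 (11.1.1.2) answering with 'host unreachable' (type 3, code 1).
    echo_after_pat = build_ipv4("11.1.1.1", "33.1.1.2", build_icmp_echo(512, 14336, b"A" * 32))
    error_from_r1 = build_ipv4("11.1.1.2", "11.1.1.1", build_icmp_error(3, 1, echo_after_pat))
    return (untranslate_icmp_error(error_from_r1, XLATE, inspect_errors=False)[0],
            untranslate_icmp_error(error_from_r1, XLATE))

if __name__ == "__main__":
    without, (verdict, pkt) = demo()
    out = parse_ipv4(pkt)
    print("no inspection:", without)
    print("with inspection:", verdict, "->", out["dst"], "embedded src", parse_icmp(out["payload"])["inner"]["src"])
```

The consistency check that the outer destination equals the embedded source is also what keeps an arbitrary outside sender from using crafted ICMP errors to reach an inside host: the error has to name a translation the firewall itself created.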
 
That's the thing---it is not natting to 11.1.1.1

I will in fact reboot, and to prove the NAT deal, I will statically NAT TCP 3389 to the inside of the other end where R3 is and try and RDP from the PIX private network to the R3 private network.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
The debugs started showing good xlates, after I NATted to an acl defining the outside subnet, but pings still failed. I tried many combos of static NATs, etc., and different acls applied to inside, outside, and combinations (only out, only in, both, neither). Oh well...

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Bump...

at least someone tell me if it looks right...

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Sorry, lots of work.
It does look right. Can you get any traffic to pass?

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Nope. I think something is wrong with the PIX...

Thanks.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
So you added the fixup, removed all ACLs (they aren't needed by default)?

How is the PC getting the IP? Static - are you sure about the masking?

I have to ask, are they in the right ports on the pix?



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Ha ha, I think, double checked that first (did that before with a site to site VPN...lol). The masking is correct, but I will double check everything else, as you have confirmed that it looks correct...what I think should be happening is what is supposed to be happening...

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Rebuilt config (just nat, global and acl), then cleared xlates (this was the key!)...

config...

PIX(config)# sh run

: Saved

:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

interface ethernet3 auto shutdown

interface ethernet4 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security4

nameif ethernet3 intf3 security6

nameif ethernet4 intf4 security8

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd w8xHKAPhmJ2QFL84 encrypted

hostname PIX

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list p[ing permit icmp any any echo

access-list p[ing permit icmp any any echo-reply

access-list p[ing permit icmp any any time-exceeded

access-list p[ing permit icmp any any unreachable

pager lines 24

mtu outside 1500

mtu inside 1500

mtu intf2 1500

mtu intf3 1500

mtu intf4 1500

ip address outside 11.1.1.1 255.255.255.248

ip address inside 10.1.1.1 255.255.255.0

no ip address intf2

no ip address intf3

no ip address intf4

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address intf2

no failover ip address intf3

no failover ip address intf4

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 10.1.1.0 255.255.255.0 0 0

access-group p[ing in interface outside

access-group p[ing in interface inside

route outside 0.0.0.0 0.0.0.0 11.1.1.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

username r00t password gmBe62bV3ETKY/fA encrypted privilege 15

terminal width 80

Cryptochecksum:7ee6056d5c733145e6a004f00b9af50d

: end

PIX(config)#

You need the acl inbound on the outside interface (maybe inside as well), but in a live environment, I'd get more specific. Thanks Brent.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Sorry about the clear xlates, didn't even think on that one.

Very odd about the ACL though, I have
access-list outside-to-inside permit tcp any host externalip eq 3389 log
access-list outside-to-inside deny ip any any log

as the only ACL and with the fixup and pings go from inside to outside.

Just to humor me, take off the ACL and add the
fixup prot icmp error
and see if it works. Oh, clear the xlates. :)


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I forgot to add that back in...good point. Lost power and never did a wr...

I will get back to you today about that...

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Nope---removed the acl and simply added

fixup prot icmp error

and no dice. I then created

access-list p permit icmp any any
access-group p in int in
access-group p in int out

Then pings succeeded, and only then.

There must be a ton of bugs with 6.3 PIX code...

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 