
Edge firewall NAT can not access Internet 1


shihlin (MIS), Dec 6, 2004
Hi everyone, I am trying to set up a test lab that consists of an edge firewall and our main firewall. This is the setup:

Un-secure network (192.168.254.x) <---> Cisco 515e (edge firewall) <---> Secure (main network - 10.x.x.x) <---> Cisco 520 (main) <---> Internet (Public IP)

On the Cisco 515e I also configured it as a DHCP server to issue IPs for the un-secure network, and static NAT mappings for un-secure users to access the secure main network. In addition, I also opened all the rules in the Cisco 515e for incoming and outgoing traffic for testing purposes.
On the Cisco 520 there is dynamic PAT configured for Secure (main network) users to access the Internet.

This is my problem: when I connect to the Secure network, I am able to ping the un-secure PC and public hosts. However, when I connect to the un-secure network with a DHCP address issued from the Cisco 515e, I can't ping any Internet hosts, but I am able to ping the hosts in the Secure network. Any suggestions or opinions are appreciated, many thanks,


Regards,

SL
 
Are the unsecure systems NAT'd to secure addresses, or using their own addresses? If the latter, does the 520 include them in the dynamic NAT pool, and have a route back to them via the 515?
 
Thanks for the prompt reply. The un-secure systems are NAT'd to secure addresses. These secure addresses are working fine if I connect to the secure network.

* Un-secure 192.168.254.x <-- DHCP assigned from 515e
* 515e static NAT per workstation. Example: 192.168.254.40 <--> 10.10.10.40
* 520 dynamic NAT for Secure Network. Example: 10.10.10.x <--> 200.x.x.40

Also, I am able to ping successfully from un-secure up to the 520's inside interface. However, anything beyond that I get a timeout.

Many thanks,


SL
 
Try icmp debug and show xlate on the 520 to see what it's doing.
 
In un-secure network:
I am able to ping the 520's inside interface from the workstation (192.168.254.40):
838: ICMP echo request (len 32 id 3 seq 37121) 10.100.10.40 > 10.1.1.1
839: ICMP echo reply (len 32 id 3 seq 37121) 10.1.1.1 > 10.100.10.40
Ping yahoo.com 216.109.112.135
Request timed out
Show xlate | include 10.100:
Nothing displayed.

In secure network (10.100.10.x):
I am able to ping the 520's inside interface and yahoo.com from the workstation (10.100.10.40):
010: ICMP echo request (len 32 id 3 seq 37633) 10.100.10.40 > 10.1.1.1
011: ICMP echo reply (len 32 id 3 seq 37633) 10.1.1.1 > 10.100.10.40
Ping yahoo.com 216.109.112.135:
958: ICMP echo-request from inside:10.100.10.40 to 216.109.112.135 ID=768 seq=14338 length=40
959: ICMP echo-request: translating inside:10.100.10.40/768 to outside:200.1.1.40/5
960: ICMP echo-reply from outside:216.109.112.135 to 200.1.1.40 ID=5 seq=14338 length=40
961: ICMP echo-reply: untranslating outside:200.1.1.40/5 to inside:10.100.10.40/768
Show xlate | include 10.100
PAT Global 200.1.1.40(9339) Local 10.100.10.40(3017)


regards,


SL
 
Thanks, I figured it out. It was the NAT and route in the 515e giving me the problem.

regards,


SL
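The NAT chain worked out in this thread, written out as PIX configuration for both boxes. This is an added example, not configuration from the thread's poster. The addresses the poster reported (192.168.254.40 as the un-secure workstation, 10.100.10.40 as its static, 10.1.1.1 as the 520's inside interface, 200.1.1.40 as the PAT global) are kept; the interface names, the subnet masks, the DHCP range and the addresses 10.100.10.1, 200.1.1.1 and 200.1.1.254 are assumptions. The secure segment is assumed to be a single 10.0.0.0/8 broadcast domain shared by the 515e's outside interface and the 520's inside interface, which is why the 520 needs no route back toward 192.168.254.0/24: the 515e answers ARP for its static addresses on that segment. The un-secure segment sits on the 515e's higher-security interface because that is the direction the poster's static translates (real 192.168.254.40 shown as 10.100.10.40); that is a lab layout, not how a production edge would place an untrusted segment. The `!` lines are explanatory comments, not configuration.

```cisco
! ===== Cisco 515e (edge): inside = un-secure 192.168.254.0/24, outside = secure 10.0.0.0/8 =====
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 10.100.10.1 255.0.0.0
ip address inside 192.168.254.1 255.255.255.0
! Hand out un-secure addresses (range assumed)
dhcpd address 192.168.254.10-192.168.254.200 inside
dhcpd enable inside
! One-to-one static per workstation, as the poster did: 192.168.254.40 appears as 10.100.10.40
static (inside,outside) 10.100.10.40 192.168.254.40 netmask 255.255.255.255
! Default route toward the 520. Without it the 515e only reaches destinations it has a
! specific route for, which is the symptom in the thread: 10.1.1.1 answers, Internet hosts time out.
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
! Lab only: the poster opened everything. PIX 6.x does not track ICMP state, so the
! echo replies coming back from the secure side need an explicit permit inbound on outside.
access-list lab_outside permit ip any any
access-group lab_outside in interface outside

! ===== Cisco 520 (main): inside = secure 10.0.0.0/8, outside = public 200.1.1.0/24 =====
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 200.1.1.1 255.255.255.0
ip address inside 10.1.1.1 255.0.0.0
! Dynamic PAT for every 10.x source. The 515e's statics fall inside this range, so the
! un-secure hosts hide behind the same global 200.1.1.40 that the poster's show xlate output shows.
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 200.1.1.40
route outside 0.0.0.0 0.0.0.0 200.1.1.254 1
! Let the echo replies back in; on PIX 6.x the PAT xlate alone does not admit them
access-list outside_in permit icmp any any echo-reply
access-group outside_in in interface outside
```

To verify, run the two commands from the thread on each box while pinging from the un-secure workstation. On the 520, a `translating inside:10.100.10.40/... to outside:200.1.1.40/...` line from `debug icmp trace` and a matching entry in `show xlate | include 10.100` prove the 515e forwarded the packet and the 520 translated it; echo-request lines on the 515e with nothing at all on the 520 point at the 515e's route or NAT, which is where the poster found the fault. If the DHCP lease cannot be pinned so that the workstation always gets .40, a network static, `static (inside,outside) 10.100.10.0 192.168.254.0 netmask 255.255.255.0`, maps the whole /24 one-to-one in place of one line per workstation. Bear in mind that every static makes an un-secure host addressable from the secure side: `permit ip any any` on the 515e's outside interface belongs in a lab only, and a production ACL there should list just the ports the secure side legitimately needs to reach.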
 