NAT/PAT for PIX 501 ain't happenin !!!!

[FWHATER]

I configured nat using nat (inside) 1 10.100.100.0 255.255.255.0 and pat using global (outside) 1 interface.
The firewall reaches the internet fine, but my hosts on the inside can't. Any suggestions ?

 

[slyride]

Can you post your config, that looks like it should work, provided 10.100.100.0/24 is your inside network and you have the default route out set. Read the posting config faq first so you can post your config cleanly.

http://www.tek-tips.com/faqs.cfm?fid=3239

 

[FWHATER]

Here you go, thanx !!

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 15Rw3oNAQ0RnJh5A encrypted
passwd 15Rw3oNAQ0RnJh5A encrypted
hostname Fakepixadmin
domain-name melodik.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.100.100.3 Checkpoint
name 10.100.100.1 Fakepixadmin
access-list inside_access_in permit ip host Checkpoint host 68.196.197.235
pager lines 24
logging on
logging console informational
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 4
ip address inside Fakepixadmin 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Checkpoint 255.255.255.255 inside
pdm location 68.196.197.235 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (inside) 4 Checkpoint-10.100.100.5
static (inside,outside) interface Checkpoint netmask 255.255.255.255 0 0
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http Checkpoint 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.100.100.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username Mikhail password ZDqjhX9RgPdeF9um encrypted privilege 15
terminal width 80
Cryptochecksum:3122326621f1704a8947042d376d18a3
: end

 

[dopehead]

From your config it seems you did not configure ehat you said. The nat statement is not even in there. Your global is wrong, should be global (outside) not global (inside)
you also have an access list only allowing one host to communicate with one address on the internet, are you sure this config is the one you are talking about ?
The static nat you created for the host called checkpoint uses the address of the outside, this does not work if you also wan't everyone else to be translated to that same address, you should do port translation like this instead :
"static (inside,outside) tcp interface 25 Checkpoint 25 netmask 255.255.255.255" if you wan't something like mail to be translated into your server on the inside.


config commands should according to your info look something like this :

global (outside) 1 interface
nat (inside) 1 10.100.100.0 255.255.255.0

and then remove :

no global (inside) 4 Checkpoint-10.100.100.5
no static (inside,outside) interface Checkpoint netmask 255.255.255.255 0 0
no access-group inside_access_in in interface inside

and do a "clear xlate".



Network Systems Engineer
CCNA/CQS/CCSP/Infosec

 

[FWHATER]

You're right. The previous config was out of sheer frustration. This is the config I was talking about.

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 15Rw3oNAQ0RnJh5A encrypted
passwd 15Rw3oNAQ0RnJh5A encrypted
hostname Pixaholic
domain-name my.privaddress.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.100.0 255.255.255.0 inside
telnet 0.0.0.20 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:582aee243f9fe9b0a3e1030addce86a5
: end

As I said earlier, the fw can ping dns on the internet and my internal addresses, but the inside clients get as far as the inside interface and no further.

Thanx.

 

[baddos]

Well... Your FW is probably blocking inbound ICMP echo-reply.

 

[LloydSev]

Why don't you try going to a webpage, instead of using ping as the measuring stick?

The firewall blocks all incoming ping replies by default.

Also, make sure your internal hosts have the PIX set as their default gateway.

Computer/Network Technician
CCNA

 

[FWHATER]

I was just told that this might work, instead of the current config:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Does this look right ?

BTW, the hosts have the inside interface set as the GW.

 

[LloydSev]

that setup uses the outside interface ip as the PAT IP.. and then NATs everything on the inside interface.

So if that's what you want it to do, then yes that would work.

Computer/Network Technician
CCNA

 

[dayhawk]

is it just me, or is he missing the route statement as well?

 

[LloydSev]

You're right.. he is missing his route statement.

route outside 0.0.0.0 0.0.0.0 <default gateway for PIX> 1

Computer/Network Technician
CCNA

 

[FWHATER]

nat (inside) 1 0.0.0.0 0.0.0.0 0 0 did the trick. Thanx, everybody !!!

 

[baddos]

He isn't missing the route statement because he is using DHCP for his outside IP.

ip address outside dhcp setroute

 

[FWHATER]

Correct Baddos. I received a conflict error when trying to invoke the route statement that was suggested I use.