Using Nat-0, two interfaces, need help w/ two way connectivity

Status
Not open for further replies.

KentMi

IS-IT--Management
Aug 18, 2002
2
US
Within my network I have a router (A) that has a link to another router (B) where subnets 1, 2, and 3 reside (nets 2 and 3 use private addressing but are routed within our organization). I want/need to insert a pix with two interfaces into the middle, and configured so as not to disturb “network configuration” (DNS, etc) at this point – folks want to make sure it works performance-wise before they will allow reconfiguration in any substantial amount. So far I have had limited success. Here is the network configuration I tried:

The “outside” interface of the pix links to router A and the “inside” link to router B. On router A I have static routes for subnets 1, 2, and 3 pointing to the pix outside interface. On the pix I have static routes for subnets 1, 2, and 3 pointing to router B’s link that connects with the inside interface. And the configured default route for router B is the “inside” interface of the pix; the default route on the pix is router A’s interface.

In order to abide by the mandated requirements I chose to implement Nat 0 on the inside interface (using a “NAT 0” statement for each subnet), with an access-list permitting all ip (“any any”) on the outside interface. This worked for subnets 1 and 2 (a public and a private) but did not for subnet 3 (which uses a private address similar to subnet 2, but separated by subnet masking). Using a span port I can see packets destined for subnet 3 coming into the pix’s outside interface, but “using debug icmp trace” I don’t see any indication on the pix itself (though I do for pings to subnets 1 and 2). However, I “can” ping a device on subnet 3 from the pix itself, in which case I do see “debug” activity.

Someone told me that I had to ping “outside” from a device on subnet 3 first before it would start accepting connections, does anyone know if this is true?

If this is true (or not), can this be circumvented by using static net statements along with the NAT 0… or should I just use static net statements without the NAT 0 statement. In both cases I assume I would have to nat the subnet with itself so I don’t disturb current network configuration.

Any insight, glimpse of knowledge, or help in any way would be greatly appreciated.

Thanks,

Kent
 
HI.

> In order to abide by the mandated requirements
> I chose to implement Nat 0 on the inside interface
This seems to me also like the right way to go. It is better than static because static involves proxy arp and is not needed since router A knows the correct route to all subnets.

> ... using a “NAT 0” statement for each subnet ...
Why not simply use nat 0 for all addresses?
nat 0 0 0

> with an access-list permitting all ip (any any)
> on the outside interface
Are you going to protect in both directions?
Is this only for the test?

> Someone told me that I had to ping “outside” from a
> device on subnet 3 first before it would start accepting connections
I don't think so.

An important tool for troubleshooting is syslog messages - buffer/pdm/syslog server/monitor/ or any combination of them.

In addition to PING, try also some TCP tests, like telnet from router A to B, and to hosts.

I think that you have a routing problem somewhere between router B and net 3, since you are using static routes you should check them all the way.
You can ping net 3 from the pix, but not from router A. So if the pix is not blocking the traffic, maybe net 3 router does not have correct route to one of router A interfaces or networks.
Look for missing default gateways somewhere.
What happens if you try to ping/telnet from net3 to router A or hosts behind it? How far do packets go? Did you try tracert?

Look also for some stupid typo/syntax errors, an extra digit somewhere can make a lot of difference...

Bye
Yizhar Hurwitz
 
Hello Yizhar,
Thanks for responding, your comments are addressed as follows:

>>> In order to abide by the mandated requirements
>>> I chose to implement Nat 0 on the inside interface
> This seems to me also like the right way to go. It is better than static because static
> involves proxy arp and is not needed since router A knows the correct route to all
> subnets.

That is good to hear, I just wasn’t sure about it.

>>> ... using a “NAT 0” statement for each subnet ...
>Why not simply use nat 0 for all addresses?
>nat 0 0 0

I was trying to be exact as possible, but I will do this instead – it does seem much simpler.

>>> with an access-list permitting all ip (any any)
>>> on the outside interface
>Are you going to protect in both directions?
>Is this only for the test?

In time we will protect and ACL from connections on the outside, just right now I have it open for testing purposes.

>>> Someone told me that I had to ping “outside” from a
>>> device on subnet 3 first before it would start accepting connections
>I don't think so.

That is also good to hear, I had all sorts of bad images of a quiet server on the inside causing problems if this was indeed the case.

> An important tool for troubleshooting is syslog messages - buffer/pdm/syslog
> server/monitor/ or any combination of them.

Configuring an inside syslog server right now, hopefully it will help.

>In addition to PING, try also some TCP tests, like telnet from router A to B, and to hosts

I was able to telnet to hosts on subnets 1 and 2, just not 3.

> What happens if you try to ping/telnet from net3 to router A or hosts behind it? How far do
> packets go? Did you try tracert?

Unfortunately, I didn’t have access to the machine at the time. The next time I attempt this I will have a test box on that network.

Again, thanks for your help,

Kent
 
Hi, you need to use static and nat 0 together to make it work. I had the same problem before.

If you only use nat 0 netX netX, from inside to outside/dmz there is no problem for inside to access outside/dmz. But from outside/dmz, it could not access the inside until you ping each outside/dmz server from each inside server.... (big pain...)

If you only use static (inside,outside/dmz) netX netX, from outside/dmz you could access any servers in inside (depending on your access-list), but the inside servers will have problems accessing outside/dmz.

Combining the statements together solves the problems.
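Putting the thread together as one PIX 6.x configuration sketch: the two-interface topology and static routes from the original question, the single `nat (inside) 0 0 0` Yizhar suggested, and the per-subnet `static` translations the last reply says are needed alongside it. This is an added example, not configuration posted by anyone in the thread. Every address, the interface names, the access-list name `outside_in` and the syslog host are constructed placeholders; subnet 1 is shown as 192.0.2.0/24 (public) and subnets 2 and 3 as 10.20.0.0/16 and 10.30.0.0/16 (private), matching the question's description but not its real numbers.

```text
! Added example, not posted by anyone in this thread. PIX 6.x syntax.
! All addresses and names are constructed placeholders.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 198.51.100.2 255.255.255.252
ip address inside 172.16.0.1 255.255.255.252

! Routing: default toward router A; subnets 1, 2 and 3 toward router B.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
route inside 192.0.2.0 255.255.255.0 172.16.0.2 1
route inside 10.20.0.0 255.255.0.0 172.16.0.2 1
route inside 10.30.0.0 255.255.0.0 172.16.0.2 1

! Identity NAT for every inside address (Yizhar's "nat 0 0 0").
! On PIX 6.x this alone builds a translation only after an inside host
! sends outbound first, which is the behaviour the last reply describes.
nat (inside) 0 0.0.0.0 0.0.0.0

! Permanent net-to-net identity translations, one per subnet, so a
! connection arriving on outside finds a translation for subnet 3 without
! waiting for an inside host to "ping out" first.
static (inside,outside) 192.0.2.0 192.0.2.0 netmask 255.255.255.0 0 0
static (inside,outside) 10.20.0.0 10.20.0.0 netmask 255.255.0.0 0 0
static (inside,outside) 10.30.0.0 10.30.0.0 netmask 255.255.0.0 0 0

! Wide open for the performance test, as in the question. Replace with
! the real inbound policy once the test is accepted.
access-list outside_in permit ip any any
access-group outside_in in interface outside

! Syslog to the inside server Kent is setting up, plus the local buffer.
logging on
logging buffered informational
logging trap informational
logging host inside 10.20.0.50
```

After changing `nat` or `static` statements, run `clear xlate` so existing translations are rebuilt under the new rules, then `show xlate` should list the three identity translations from the `static` lines without any inside host having sent traffic. If inbound packets to subnet 3 are still dropped, the syslog buffer is the place to look: a 6.x PIX that has no translation for the destination logs message 305005, "No translation group found", for the dropped packet, which is exactly the symptom the question describes (packets seen on the span port, nothing in `debug icmp trace`). If nothing is logged for those packets at all, the problem is upstream of the PIX, and Yizhar's route check between router B and net 3 is the next step.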
 