NAT bypass errors

Asked by RaneFan in Network Software Firewalls, Enterprise Firewalls

Tags: nat

I am having a problem getting two companies in the same building to talk to each other consistently. Each company is protected by its own PIX, but they share a common DMZ and T1 line to the outside world.

A 3rd perimeter firewall runs pfSense, a FreeBSD-based version of pf. This firewall performs all of the real NATing of the /27 block of public IP addresses into private IP addresses for the two companies. I chose not to NAT the two company networks so that the syslog files would show exactly what was going on.

The DMZ has a single device in it at the moment. It is a Cisco 1841 router used to establish a VPN. Much more is to come over the next two years. Company A is all Windows. Company B is Netware and Linux.

All access to the internet works well, including a VPN we initiate between Company B and a Vendor.

The problem is reliably connecting Company A and B to each other. This is primarily between Company B's Novell server and anyone trying to connect to it. There are no problems running programs, accessing files and even mssql database connections from B --> A. But A --> B is sporadic. Sometimes I can access Novell, other times not.

The syslog shows that we are commonly getting:    Error 3-305005: No translation group found for ...
... and then it lists udp, tcp and icmp src and dst addresses and ports.

The packet that I suspect is CURRENTLY stopping access is a udp src port 1025 to Novell server udp port 427, an attempt to find the servers. It isn't happening. As a result, Company A cannot see that an NDS tree exists.

I can still ping Company B WinXP boxes and their linux box from the Company A side, but not the Novell box. ???

                   Identity NAT  vs  NAT Exemption
----------------------------------------------------------------------
While the error appears specific, I think the actual configs are the real culprits, or more accurately, my ignorance is. Not NATing on a PIX appears to have more opinions and options than proven methods.

It was my understanding that if you NAT 0 a network the way that I have, that you do not need to setup a global or static command. At this point, all of the reading that I've done has simply confused me.

I've read Aaron Brady's page (http://insom.me.uk/05/08/pix) regarding PIX without NAT. I understand now that I set up "Identity NAT" whereas he describes "NAT Exemption". Which should I set up, and why is this current config unreliable? Is there a better methodology to accomplish the desired results?

The Desired Result:

1) Company A should have unhindered access to Company B and the internet.

2) Company B should have unhindered access to Company A, the VPN and the
   internet. (I intend to setup access lists to lock down the two sides
   after the Netware server has been replaced.)

3) NOTHING should be able to initiate access to the DMZ, Company A or B at
   this time.

NOTE: Also saw this very helpful page: http://book.itzero.com/read/cisco/0510/Cisco.Press.Cisco.ASA.All-in-One.Firewall.IPS.and.VPN.Adaptive.Security.Appliance.Oct.2005.eBook-DDU_html/1587052091/ch05lev1sec6.html


*** Networks ***
   Public: 1.2.3.4.0/27
      DMZ: 192.168.5.0/24
Company A: 192.168.10.0/24
Company B: 192.168.111.0/24

*** Interfaces ***
pfSense perimeter firewall - outside address: 1.2.3.4
                        dmz (inside) address: 192.168.5.1

Company A PIX 515 - dmz (outside) address: 192.168.5.10
                           inside address: 192.168.10.1

Company B PIX 501 - dmz (outside) address: 192.168.5.20
                           inside address: 192.168.111.1

1841 for VPN - 192.168.5.22 is NATed to 1.2.3.22 by pfSense.
               12.23.34.45 and 12.23.34.46 require VPN access.

This is a cleaned up version of CompanyA's PIX 515 config.
======================================================================
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto

nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname CompAPIX
domain-name CompanyA.com

access-list lan_out permit ip 192.168.10.0 255.255.255.0 any
access-list dmz-in permit ip 192.168.111.0 255.255.255.0 any
access-list dmz-in permit udp host 192.168.5.1 any eq syslog
access-list dmz-in permit udp host 192.168.10.1 any eq syslog

logging on
logging trap notifications
logging facility 17
logging device-id hostname
logging host inside 192.168.10.126

icmp permit any outside
icmp permit any inside

ip address outside 192.168.5.10 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0

ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400

nat (inside) 0 192.168.10.0 255.255.255.0 0 0

access-group dmz-in in interface outside
access-group lan_out in interface inside

route outside 192.168.111.0 255.255.255.0 192.168.5.20 1


This is a cleaned up version of CompanyB's PIX 501 config.
======================================================================
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full

nameif ethernet0 outside security0
nameif ethernet1 inside security100

hostname CompBPIX
domain-name CompanyB.com

access-list lan_out permit ip 192.168.111.0 255.255.255.0 any
access-list dmz-in permit ip 192.168.10.0 255.255.255.0 any

logging on
logging trap notifications
logging facility 18
logging device-id hostname
logging host outside 192.168.10.126

icmp permit any outside
icmp permit any inside

ip address outside 192.168.5.20 255.255.255.0
ip address inside 192.168.111.1 255.255.255.0

ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400

nat (inside) 0 192.168.111.0 255.255.255.0 0 0

access-group dmz-in in interface outside
access-group lan_out in interface inside

route outside 0.0.0.0 0.0.0.0 192.168.5.1 1
route outside 12.23.34.45 255.255.255.255 192.168.5.22 1
route outside 12.23.34.46 255.255.255.255 192.168.5.22 1
route outside 192.168.10.0 255.255.255.0 192.168.5.10 1
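The following is an added example written for this page by the editor. It is not the accepted solution from the thread (which is not shown here) and not text from Cisco or the asker. It shows the Company B PIX 501 moved from identity NAT to NAT exemption. In PIX 6.3, `nat (inside) 0 <net> <mask>` (identity NAT) builds a translation only when the inside host initiates a connection, so an outside host can reach an inside host only while such an xlate already exists; `nat (inside) 0 access-list <acl>` (NAT exemption) passes matching traffic untranslated with connections permitted from either side, subject to the interface access lists. That behaviour is consistent with the `3-305005 No translation group found` messages for A -> B flows to the Novell server and with access working only intermittently (only while the Novell server has itself recently sent traffic out through the PIX). The ACL name `nonat` is an assumption; the addresses are the ones given in the question. The same change applies to the Company A PIX 515 with 192.168.10.0/24 as the real network.

```text
! Company B PIX 501, PIX 6.3 syntax. Added example for this page;
! "nonat" is an assumed ACL name, addresses are from the question.

! Before (identity NAT, from the posted config): an xlate for a B host is
! created only when that host initiates outbound, so A -> B connections
! fail with 3-305005 unless the B host has recently talked out.
!   nat (inside) 0 192.168.111.0 255.255.255.0 0 0

! After (NAT exemption): matching traffic is passed untranslated in both
! directions; pfSense still does the real NAT to public space. The nat 0
! ACL must match on IP only (no ports) in 6.3.
no nat (inside) 0 192.168.111.0 255.255.255.0 0 0
access-list nonat permit ip 192.168.111.0 255.255.255.0 any
nat (inside) 0 access-list nonat

! Inbound policy is still the outside ACL, unchanged from the question:
! only 192.168.10.0/24 is permitted to initiate; everything else arriving
! on the outside interface hits the implicit deny (requirement 3).
access-group dmz-in in interface outside

! Flush xlates built under the old identity NAT, then verify.
clear xlate
show nat
show access-list nonat
show xlate

! Company A PIX 515: same change with its own network.
no nat (inside) 0 192.168.10.0 255.255.255.0 0 0
access-list nonat permit ip 192.168.10.0 255.255.255.0 any
nat (inside) 0 access-list nonat
clear xlate
```

An identity static (`static (inside,outside) 192.168.111.0 192.168.111.0 netmask 255.255.255.0`) is the other bidirectional option in 6.3; whichever form is used, run `clear xlate` afterwards so translations built under the old identity NAT do not mask the change, and confirm with `show logging` that the 305005 lines for 192.168.10.x -> 192.168.111.x stop. Separately, the syslog rule in Company A's `dmz-in` permits UDP syslog from 192.168.10.1, which is that PIX's own inside address and can never appear as a source on its outside interface, but not from 192.168.5.20, the address Company B's PIX sends from with `logging host outside`; if B's logs are meant to reach 192.168.10.126, that entry needs to name 192.168.5.20.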

12/28/06 12:45 PM, ID: 18210407 - Assisted Solution [members only; not shown]

12/28/06 01:13 PM, ID: 18210581 - Author Comment [members only; not shown]

12/28/06 01:15 PM, ID: 18210593 - Accepted Solution [members only; not shown]

Solution Provided By: stressedout2004
Participating Experts: 2
Solution Grade: A

12/28/06 01:17 PM, ID: 18210612 - Expert Comment [members only; not shown]

12/28/06 01:46 PM, ID: 18210783 - Author Comment [members only; not shown]

12/28/06 05:13 PM, ID: 18211861 - Author Comment [members only; not shown]

12/28/06 05:20 PM, ID: 18211877 - Expert Comment [members only; not shown]