smotts72

asked on

PIX configuration Problem

Two interface PIX. Inside interface is Corp, outside interface is Lab. I want the lab to be able to access the internet via the inside interface. When I configure statics, the lab is able to reach all private network addresses, 172, 10, 192 (Corp network). When I try to go to a public network (WWW), I get the error message "no translation groups available for 207.x.x.x"? What am I doing wrong, and can this be done?

I am not using NAT.

Thanks,
Steve
Les Moore

Sure can. Can you post your config?
smotts72

ASKER

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100

domain-name xxx
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
access-list acl_outside permit tcp 172.17.219.xxx 255.255.255.xxx any eq www
access-list acl_outside permit icmp any any
access-list acl_outside permit udp any any
access-list acl_inside permit icmp any any
access-list acl_inside permit tcp any any
access-list acl_inside permit udp any any
pager lines 24
interface ethernet0 100full
interface ethernet1 100full
mtu outside 1500
mtu inside 1500
ip address outside 172.17.219.xxx 255.255.255.xxx
ip address inside 172.17.xxx.xxx 255.255.xxx.xxx
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip address BASIC+ 172.17.219.xxx 255.255.255.xxx
pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (outside,inside) 172.17.219.xxx 172.17.219.xxx netmask 255.255.255.xxx 0 0
static (inside,outside) 172.xxx.xxx.xxx 172.xxx.xxx.xxx netmask 255.xxx.xxx.xxx 0 0
access-group acl_inside in interface inside
access-group acl_outside in interface outside
route inside 0.0.0.0 0.0.0.0 172.17.xxx.xxx 1
route inside 172.17.0.0 255.255.0.0 172.17.xxx.xxx 1
route inside 172.19.0.0 255.255.0.0 172.17.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
floodguard enable
no sysopt route dnat

>ip address outside 172.17.219.xxx 255.255.255.xxx
>ip address inside 172.17.xxx.xxx 255.255.xxx.xxx

Your outside cannot be a subnet of the inside. They need to be two distinct networks. If the inside subnet mask is 255.255.255.0, then you're OK. If that is the case, then the router that is your default gateway @ 172.17.xxx.xx needs to have a route back to the subnet of 172.17.219.0.


They are on separate networks: inside 172.17.223.0/25, outside 172.17.219.192/26. The only fix I have been able to find is to statically assign the 192 network to whatever network I am trying to reach on www. My question is, isn't there a static command that allows all networks?
For instance, to get to yahoo it works like this:
static (inside,outside) 220.0.0.0 220.0.0.0 netmask 255.0.0.0
I want to use one static command for all public IPs. Or is the only way to do this by statically defining all public IP subnets?
Routing is fine, as I have statics on the gateway router back to the PIX.

Thanks for all the help so far.
Where is outbound NAT happening? At the gateway router?
You basically just want to use the firewall as a router?

Your nat 0 should be all you need. I've got a PIX that is sort of "backwards" like yours with the "inside" router providing NAT and Internet access. I just can't get to it from here right now. As soon as I can, I'll post the relevant config.

You might try using an acl with NAT 0 :
ie.
access-list NO_NAT permit ip any 172.17.216.192 255.255.255.192
nat (inside) 0 access-list NO_NAT

What happens if you remove the acl from the inside interface:
no access-group acl_inside in interface inside
and remove the two static lines.
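The nat 0 access-list approach suggested above, written out as a complete PIX 6.2 fragment. This is an added example, not configuration from the thread. It assumes the subnets the asker gave (inside/Corp 172.17.223.0/25, outside/Lab 172.17.219.192/26) and a hypothetical Corp default gateway of 172.17.223.1. On PIX 6.x, nat 0 with an access-list is an identity translation that the PIX matches in both directions, so a Lab host can initiate a connection inward to any destination without a per-destination static; the inbound ACL on the outside interface still decides which Lab hosts and ports are allowed through, which is why it should be tighter than udp any any / icmp any any.

```cisco
! Added example (not from the thread). outside = Lab (security0), inside = Corp (security100).
! Assumed addresses: inside 172.17.223.0/25, outside 172.17.219.192/26,
! Corp gateway (the Nokia) 172.17.223.1 -- hypothetical.
!
! Identity NAT exemption. The ACL is matched by destination for inside-to-outside
! traffic and, because nat 0 access-list is bidirectional on 6.x, by source for
! outside-to-inside traffic. No xlate is built, so "no translation group" goes away.
access-list NO_NAT permit ip any 172.17.219.192 255.255.255.192
nat (inside) 0 access-list NO_NAT
!
! The per-destination statics are no longer needed.
no static (inside,outside) 220.0.0.0 220.0.0.0 netmask 255.0.0.0 0 0
!
! Lab-initiated traffic enters on the lower-security interface and is dropped unless an
! inbound ACL on outside permits it. Permit only what the lab actually needs.
access-list acl_outside permit tcp 172.17.219.192 255.255.255.192 any eq www
access-list acl_outside permit tcp 172.17.219.192 255.255.255.192 any eq 443
access-list acl_outside permit icmp 172.17.219.192 255.255.255.192 any echo
access-group acl_outside in interface outside
!
! Corp is the only exit, so one default route through the inside interface is enough.
route inside 0.0.0.0 0.0.0.0 172.17.223.1 1
!
! The Nokia must route 172.17.219.192/26 to the PIX inside address and include the
! Lab range in its own outbound NAT rule, or return traffic never reaches the Lab.
!
! Verify after a Lab host opens a web connection:
show xlate
show conn
```

The existing nat (inside) 0 0.0.0.0 0.0.0.0 line only exempts connections that start on the inside, which is why it never helped the Lab-initiated flows; with the NO_NAT ACL in place it is redundant for Corp-to-Lab traffic as well.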
Outbound NAT is occurring at a NOKIA firewall. I have also tried the acl on the nat. I currently am allowing pretty much anything, but will give the ip any command a try.

If I remove the acls and the two static commands, I get the error message "no translation groups available" on both the 172.0.0.0 network and also on the public network.

If you could post your code I would greatly appreciate it. Also I noticed you referred to it as "backwards", along with other Engineers I have spoken with. Why would you ever want an untrusted network on a higher security level than your trusted network? From all docs I could find, Cisco says you always want the untrusted side on the lower security.
ASKER CERTIFIED SOLUTION
Les Moore
Hi,

If you are not using NAT on the PIX, which is OK, then first you have to modify the NAT statements on your Nokia, so they include your Lab network. Then you have to set a static route on the Nokia FW that will identify how to reach the Lab network, and that should be through the IP address of the PIX interface that is connected to the Corp network. You need only one static route on the PIX (if that is the only exit point for your lab network) that will be the default route 0.0.0.0 0.0.0.0 pointing through your inside interface (the Corp network IP). Nothing else has to be done, as long as your corp network uses the gateway address of the Nokia FW. In this case when you have packets from corp to lab they will get to the Nokia FW, and the Nokia will reroute them to the PIX. The PIX knows where the lab network is and there you go. First accomplish what I explained and then try to tighten the security. Don't use any ACL until you get this working.

I hope this helps
Velimir
Thanks so much for your response. It was the NAT 0 ACL that fixed the whole problem. Hope I can help people out sometime.
Glad you're working! Cheers!