• Status: Solved

PIX configuration Problem

Two-interface PIX. Inside interface is Corp, outside interface is Lab. I want the lab to be able to access the internet via the inside interface. When I configure statics, the lab is able to reach all private network addresses, 172,10,192 (Corp network). When I try to go to a public network (WWW), I get the error message "no translation groups available for 207.x.x.x". What am I doing wrong, and can this be done?

I am not using NAT.

Thanks,
Steve
Asked by smotts72
1 Solution
lrmooreCommented:
Sure can. Can you post your config?
smotts72Author Commented:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100

domain-name xxx
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
access-list acl_outside permit tcp 172.17.219.xxx 255.255.255.xxx any eq www
access-list acl_outside permit icmp any any
access-list acl_outside permit udp any any
access-list acl_inside permit icmp any any
access-list acl_inside permit tcp any any
access-list acl_inside permit udp any any
pager lines 24
interface ethernet0 100full
interface ethernet1 100full
mtu outside 1500
mtu inside 1500
ip address outside 172.17.219.xxx 255.255.255.xxx
ip address inside 172.17.xxx.xxx 255.255.xxx.xxx
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip address BASIC+ 172.17.219.xxx 255.255.255.xxx
pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (outside,inside) 172.17.219.xxx 172.17.219.xxx netmask 255.255.255.xxx 0 0
static (inside,outside) 172.xxx.xxx.xxx 172.xxx.xxx.xxx netmask 255.xxx.xxx.xxx 0 0
access-group acl_inside in interface inside
access-group acl_outside in interface outside
route inside 0.0.0.0 0.0.0.0 172.17.xxx.xxx 1
route inside 172.17.0.0 255.255.0.0 172.17.xxx.xxx 1
route inside 172.19.0.0 255.255.0.0 172.17.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
floodguard enable
no sysopt route dnat

lrmooreCommented:
>ip address outside 172.17.219.xxx 255.255.255.xxx
>ip address inside 172.17.xxx.xxx 255.255.xxx.xxx

Your outside cannot be a subnet of the inside. They need to be two distinct networks. If the inside subnet mask is 255.255.255.0, then you're OK. If that is the case, then the router that is your default gateway @ 172.17.xxx.xx needs to have a route back to the subnet of 172.17.219.0


smotts72Author Commented:
They are on separate networks. Inside 172.17.223.0/25, outside 172.17.219.192/26. The only fix I have been able to find is to statically assign the 192 network to whatever network I am trying to reach on www. My question is, isn't there a static command that allows all networks?
For instance, to get to yahoo it works like this:
static (inside,outside) 220.0.0.0 220.0.0.0 netmask 255.0.0.0
I want to use one static command for all public IPs. Or is the only way to do this by statically defining all public IP subnets?
Routing is fine, as I have statics on the gateway router back to the PIX.

Thanks for all the help so far.
lrmooreCommented:
Where is outbound NAT happening? At the gateway router?
You basically just want to use the firewall as a router?

Your nat 0 should be all you need. I've got a PIX that is sort of "backwards" like yours with the "inside" router providing NAT and Internet access. I just can't get to it from here right now. As soon as I can, I'll post the relevant config.

You might try using an acl with NAT 0, i.e.:
access-list NO_NAT permit ip any 172.17.216.192 255.255.255.192
nat (inside) 0 access-list NO_NAT

What happens if you remove the acl from the inside interface:
no access-group acl_inside in interface inside
and remove the two static lines.
smotts72Author Commented:
Outbound NAT is occurring at a NOKIA firewall. I have also tried the acl on the nat. I currently am allowing pretty much anything, but will give the ip any command a try.

If I remove the acls and the two static commands, I get the error message "no translation groups available" on both the 172.0.0.0 network and also on the public network.

If you could post your code I would greatly appreciate it. Also I noticed you referred to it as "backwards", along with other Engineers I have spoken with. Why would you ever want an untrusted network on a higher security level than your trusted network? From all docs I could find, Cisco says you always want the untrusted side on the lower security.
lrmooreCommented:
You are correct in your reasoning for higher/lower security realms, but we refer to it as backwards, because the Internet is generally the least secure, so in your case you are going from a lower security interface -through- a higher security realm to get to the Internet.

My pix has this in the ACL for my host. I permit host-by-host not by subnet, but the concept is the same:
access-list NO_NAT permit ip any host Thunderbird
nat (inside) 0 access-list NO_NAT
# above Host Thunderbird is in NETWORKADMIN subnet:
access-list outside_in permit ip NETWORKADMIN 255.255.255.240 any

access-group outside_in in interface outside
# I have no acl applied to the inside interface
# I have NO static nat statements for this subnet or host
Have you tried:
no static (inside,outside)
no static (outside,inside)
static (inside,outside) 172.17.216.192 172.17.216.192 netmask 255.255.255.192

Question. Do these point to different gateways than the default?
>route inside 172.17.0.0 255.255.0.0 172.17.xxx.xxx 1
>route inside 172.19.0.0 255.255.0.0 172.17.xxx.xxx 1


velimirmkdCommented:
Hi,

If you are not using NAT on the PIX, which is OK, then first you have to modify the NAT statements on your Nokia so they include your Lab network.  Then you have to set a static route on the Nokia FW that will identify how to reach the Lab network, and that should be through the IP address of the PIX interface that is connected to the Corp network.  You need only one static route on the PIX (if that is the only exit point for your lab network) that will be the default route 0.0.0.0 0.0.0.0 pointing through the inside interface (the Corp network IP).  Nothing else has to be done, as long as your corp network uses the gateway address of the Nokia FW.  In this case when you have packets from corp to lab they will get to the Nokia FW, and the Nokia will reroute them to the PIX.  The PIX knows where the lab network is and there you go.  First accomplish what I explained and then try to tighten the security.  Don't use any ACL until you get this working.

I hope this helps
Velimir
smotts72Author Commented:
Thanks so much for your response. It was the NAT 0 ACL that fixed the whole problem. Hope I can help people out sometime.
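The configuration the thread converges on, pulled together as an added example (not any poster's config): lrmoore's NAT-exemption ACL plus the default-route and Nokia-side steps Velimir describes, with the outside ACL narrowed to what the lab actually needs instead of `permit udp any any`. Subnets 172.17.223.0/25 (Corp) and 172.17.219.192/26 (lab) come from the thread; the PIX interface addresses 172.17.223.2 / 172.17.219.193 and the Corp gateway 172.17.223.1 are assumed placeholders, since the thread masks them as xxx. Comment lines beginning with `!` are annotations, not commands.

```cisco
! Added example for PIX 6.2, not the poster's configuration.
! Assumed: PIX inside 172.17.223.2 (Corp, 172.17.223.0/25 per thread),
!          PIX outside 172.17.219.193 (lab, 172.17.219.192/26 per thread),
!          Corp/Nokia gateway 172.17.223.1 (masked as xxx in the thread).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address inside 172.17.223.2 255.255.255.128
ip address outside 172.17.219.193 255.255.255.192

! 1. NAT exemption. Any address on the inside side (Corp hosts and, because
!    the default route points inside, every Internet host) is exempt from
!    translation when it exchanges traffic with the lab. The PIX builds the
!    xlate from this rule alone, so no global/static lookup fails and the
!    "no translation group found" drop goes away for public destinations.
access-list NO_NAT permit ip any 172.17.219.192 255.255.255.192
nat (inside) 0 access-list NO_NAT

! 2. Lab (security0) to Internet is initiated from the lower-security side,
!    so it must be permitted explicitly. List only what the lab needs;
!    everything else is caught by the implicit deny at the end of the ACL.
access-list acl_outside permit tcp 172.17.219.192 255.255.255.192 any eq www
access-list acl_outside permit tcp 172.17.219.192 255.255.255.192 any eq 443
access-list acl_outside permit udp 172.17.219.192 255.255.255.192 any eq 53
access-list acl_outside permit icmp 172.17.219.192 255.255.255.192 any echo
access-group acl_outside in interface outside

! 3. No ACL on inside: Corp (security100) to lab is allowed by default and
!    replies to lab-initiated sessions are matched statefully. No identity
!    statics either: outside sources are not translated on PIX 6.2 unless
!    outside NAT is configured, and nat 0 covers the inside side.

! 4. One default route toward the Corp gateway, which does the real NAT.
route inside 0.0.0.0 0.0.0.0 172.17.223.1 1
```

On the Nokia side the two pieces Velimir lists still apply: its NAT rule must hide 172.17.219.192/26 as well as the Corp subnet, and it needs a static route for 172.17.219.192/26 via the PIX inside address (172.17.223.2 in this example), otherwise replies from the Internet reach the Nokia and are dropped there rather than on the PIX. After a lab host opens a connection, `show xlate` on the PIX should list an identity entry for it and `show conn` the session; if the xlate is missing, the NO_NAT ACL is not matching the flow.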
lrmooreCommented:
Glad you're working! Cheers!