minicuc
asked on
NAT is the problem ?
I have the following configuration:
ADSL-----RouterVPN (172.25.6.1)------SWITCH--
|
|
PcB (172.25.6.3)
All subnet masks are 24 bits.
RouterVPN has proper configuration.
I need PcA to be able to go outside and to be reachable from outside, hence i decided a static NAT by entering:
static (inside,outside) 172.25.6.205 192.168.1.100 netmask 255.255.255.255
Also I set the following default gateways:
For PcA: 192.168.1.254
For PcB: 172.25.6.1
For PIX: 172.25.6.1
After setting all the IP I performed some connectivity tests and got what follows:
From PcB:
ping 172.25.6.1 : OK
ping 172.25.6.254 : OK
ping 172.25.6.205 : NO RESPONSE
From PcA:
ping 192.168.1.254 : OK
ping 172.25.6.1 : NO RESPONSE
From PIX:
ping outside 172.25.6.1 : OK
ping outside 172.25.6.3 : ? I need to verify
ping inside 192.168.1.100 : OK
My questions are:
1)Is it enough to use only the "static (...,..)..." command or should I use it after entering:
nat (inside) 1 192.168.1.100 netmask 255.255.255.255
global (outside) 1 172.25.6.205 netmask 255.255.255.255
2)Why can't I reach from PcA the router 172.25.6.1 ?
Thx in advance
ADSL-----RouterVPN (172.25.6.1)------SWITCH--
|
|
PcB (172.25.6.3)
All subnet masks are 24 bits.
RouterVPN has proper configuration.
I need PcA to be able to go outside and to be reachable from outside, hence i decided a static NAT by entering:
static (inside,outside) 172.25.6.205 192.168.1.100 netmask 255.255.255.255
Also I set the following default gateways:
For PcA: 192.168.1.254
For PcB: 172.25.6.1
For PIX: 172.25.6.1
After setting all the IP I performed some connectivity tests and got what follows:
From PcB:
ping 172.25.6.1 : OK
ping 172.25.6.254 : OK
ping 172.25.6.205 : NO RESPONSE
From PcA:
ping 192.168.1.254 : OK
ping 172.25.6.1 : NO RESPONSE
From PIX:
ping outside 172.25.6.1 : OK
ping outside 172.25.6.3 : ? I need to verify
ping inside 192.168.1.100 : OK
My questions are:
1)Is it enough to use only the "static (...,..)..." command or should I use it after entering:
nat (inside) 1 192.168.1.100 netmask 255.255.255.255
global (outside) 1 172.25.6.205 netmask 255.255.255.255
2)Why can't I reach from PcA the router 172.25.6.1 ?
Thx in advance
JFrederick29
Are you allowing ICMP traffic on the PIX outside interface? If ICMP is not permitted, you won't be able to ping anything beyond the PIX from PcA or ping through the PIX from the outside interface.
can you ping the internet form your pix ?
if you can the its not routing the segment 192.168.1.xx
if you can the its not routing the segment 192.168.1.xx
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Your router can't connect to PC-A because the router doesn't know that 192.168.1.xx is handled by PIX501. It assumes that the only addresses on its internal network are in the 172.25.6.0/??? subnet (whatever the netmask is), and that everything else must be on the external side. If your RouterVPN supports it, you will need to add a route/gateway to 192.168.1.0/255.255.255.0 via 172.25.6.254. Since 192.168.x.x addresses are technically considered "non-routable," this might present a problem. Also, if your RouterVPN doesn't support static routes, you are in trouble.
Since RouterVPN does not know how to get to PC-A, it can not return the pings, even if your firewall rules are correct. If you were to put a network sniffer (like Ethereal on a hub, not a switch) right in front of 172.25.6.1, then you should see the packets from PC-A, each one followed by "Destination Unreachable" packets from the router.
If that doesn't work, then one troubleshooting step is to try everything using routable addresses on PC-A and the PIX, and then change them to non-routable addresses once things are working, in case your router/PIX refuses to route the non-routable addresses.
- Will
Since RouterVPN does not know how to get to PC-A, it can not return the pings, even if your firewall rules are correct. If you were to put a network sniffer (like Ethereal on a hub, not a switch) right in front of 172.25.6.1, then you should see the packets from PC-A, each one followed by "Destination Unreachable" packets from the router.
If that doesn't work, then one troubleshooting step is to try everything using routable addresses on PC-A and the PIX, and then change them to non-routable addresses once things are working, in case your router/PIX refuses to route the non-routable addresses.
- Will
RouterVPN or PC-B doesn't need routers for the 192.168.x.x it's being natted... to anyone infront of the nat he needs to try to connect to 172.25.6.205.
-= Felix =-
-= Felix =-
ASKER
Thx all, i'll check and get back to you shortly
Good point, Felix2000. Somehow I must have been thinking that the NAT was on the other end. In that case, disregard most of my previous post.
ASKER
Felix solution works fine.Thx.
Only couple of doubts:
1) It seems the ICMP access-list lines are not needed, PcA is able to ping RouterVPN even without them. Is it correct ?
2) Are these ICMP access-list lines equivalent to the following ICMp commands ?
icmp permit any echo-reply outside
icmp permit any echo outside
etc.
Thx
Roberto
Only couple of doubts:
1) It seems the ICMP access-list lines are not needed, PcA is able to ping RouterVPN even without them. Is it correct ?
2) Are these ICMP access-list lines equivalent to the following ICMp commands ?
icmp permit any echo-reply outside
icmp permit any echo outside
etc.
Thx
Roberto
I believe the ICMP lines are for the PIX itself not things being or being NAT'ed by it.
PC A is allowed out since he is inside. The access lists should also help people coming from the outside to ping / traceroute to the router/nat ip's.
Traceroute's time-exceeded might not normally be allowed back through the pix by default.
Glad it helped
-= Felix =-
PC A is allowed out since he is inside. The access lists should also help people coming from the outside to ping / traceroute to the router/nat ip's.
Traceroute's time-exceeded might not normally be allowed back through the pix by default.
Glad it helped
-= Felix =-