PIX inside to outside subnet problem

I am having a problem setting up the inside-to-outside connection on a PIX-515 with 3 interfaces - inside, outside, and DMZ.  We are using a test network prior to implementation.

I am using 192.168.200 to describe the problem rather than the actual Class C IP assigned.  Our assigned public IP subnet is 192.168.200.64/255.255.255.192 with 62 host IPs.  The ISP router is assigned .66.  I assigned .65 to the PIX outside interface.  I set up a static outside route 0.0.0.0 gateway 192.168.200.66.

Our publicly accessible servers in the DMZ off the firewall use a private IP net (192.168.100.0/24).  I set the 6 current DMZ servers to static NAT to 6 of the public IPs assigned at the firewall (192.168.200.82 - .87), and I provided access rules to allow desired services (SSH, HTTP, etc.)  This interface appears to be working ok.

I am not allowed to set up the inside interface as a private IP net and NAT (long story), so I set up the network on the PIX Inside interface as subnet 192.168.200.96/255.255.255.224, which has an allowable host IP range of 97-126.  I assigned the PIX inside port as .97.

I was under the assumption the PIX would allow traffic to flow from a higher (inside) interface to a lower (Outside) interface as long as there were access rules or translation rules in place.

When I look at the translation rules, there is already a default to use the same original address for inside to outside interface.  This seemed ok since the inside subnet is a further division of the assigned public Class C subnet.

However, from an inside workstation, I cannot access any system on the outside interface (same test systems I can access from the DMZ using NAT), even when I establish a specific access rule for the service I desire (e.g., SSH).  Help.
Asked by taccomp

1 Solution
stressedout2004Commented:
>>>There is already a default to use the same original address for inside to outside interface

what exactly is this default NAT you are referring to in commands?


lrmooreCommented:
With the masks that you propose, your subnets overlap.
You would have to change the outside interface to the same mask with 30 hosts:
 ip address outside 192.168.200.65 255.255.255.224
 ip address inside 192.168.200.97 255.255.255.224
 route outside 0.0.0.0 0.0.0.0 192.168.200.66

Now you still need NAT inside to outside, so add this (same same inside,outside):
 static (inside,outside) 192.168.200.96 192.168.200.96 netmask 255.255.255.224


What version PIX OS do you have? Ver 6.3 or 7.0?
Version 7.0 has a feature to bypass NAT without that static command, but I believe it is global and would break your current static NATs for the servers in the DMZ.

Version 6.x requires the static
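The overlap lrmoore points out is easy to check mechanically before touching the PIX. This added Python script (not from the thread or from Cisco) takes the interface addresses and masks from the question, reports which interface subnets overlap, confirms the fixed /27 masks place the ISP router and the DMZ statics inside the outside subnet, and prints the identity static for PIX 6.x. The interface names and addresses are the ones the thread uses; the helper names are my own.

```python
import ipaddress

# Interface addresses as first posted: outside /26 and inside /27 overlap.
ORIGINAL = {
    "outside": "192.168.200.65/255.255.255.192",
    "inside": "192.168.200.97/255.255.255.224",
    "dmz": "192.168.100.50/255.255.255.0",
}

# Interface addresses with the masks lrmoore suggested (both /27).
FIXED = dict(ORIGINAL, outside="192.168.200.65/255.255.255.224")


def interfaces_overlap(ifaces):
    """Return sorted (name_a, name_b) pairs whose directly connected subnets overlap.
    Overlapping connected subnets give the PIX two candidate exit interfaces for the
    same destination, which is why inside-to-outside traffic never worked here."""
    nets = {name: ipaddress.ip_interface(addr).network for name, addr in ifaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def address_placement(ifaces, addr):
    """Name of the interface whose subnet contains addr, or None if no interface does.
    Useful for checking that the ISP router (.66) and the DMZ static public
    addresses (.82-.87) still fall on the outside interface after the mask change."""
    ip = ipaddress.ip_address(addr)
    for name, iface in ifaces.items():
        if ip in ipaddress.ip_interface(iface).network:
            return name
    return None


def identity_static(inside, outside, net):
    """Build the PIX 6.x identity static that maps the inside subnet to itself."""
    n = ipaddress.ip_network(net)
    return (f"static ({inside},{outside}) {n.network_address} "
            f"{n.network_address} netmask {n.netmask}")


if __name__ == "__main__":
    print("original overlaps:", interfaces_overlap(ORIGINAL))
    print("fixed overlaps:   ", interfaces_overlap(FIXED))
    for a in ("192.168.200.66", "192.168.200.82", "192.168.200.87", "192.168.200.97"):
        print(a, "->", address_placement(FIXED, a))
    print(identity_static("inside", "outside", "192.168.200.96/27"))
```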
taccompAuthor Commented:
Since I submitted this question, I went back and changed the outside interface to "192.168.200.65/255.255.255.224" (searching for a solution), but it did not work either.  [I replaced actual Class C address with 192.168.200 in this reply]

Show config from CLI:
     "...snip...
     access-list inside_access_in permit ip any any
     ...snip...
     ip address outside 192.168.200.65 255.255.255.224
     ip address inside 192.168.200.97 255.255.255.224
     ip address dmz 192.168.100.50 255.255.255.0
     ...snip...
     nat (inside) 0 0.0.0.0 0.0.0.0 0 0
     [all statics following this pertain to dmz,outside nat]
     ...snip...
     route outside 0.0.0.0 0.0.0.0 192.168.200.66 1
     ...snip..."

From PDM, the window shows:
    Interface inside
    IP address:  0.0.0.0   Mask:  0.0.0.0
   Translate address to:
    X  Dynamic    Address pool:  "same address"
                Pool ID
                N/A       No address pool defined

Thanks for the quick response.  I'm getting short on my implementation date and really appreciate any help.


lrmooreCommented:
>    nat (inside) 0 0.0.0.0 0.0.0.0 0 0
The nat zero command was not exactly designed to do what you want to do. Suggest the static command:

no nat (inside) 0 0.0.0.0 0.0.0.0 0 0
clear xlate
static (inside,outside) 192.168.200.96 192.168.200.96 netmask 255.255.255.224
