PIX inside to outside subnet problem

I am having a problem setting up the inside-to-outside connection on a PIX-515 with 3 interfaces - inside, outside, and DMZ.  We are using a test network prior to implementation.

I am using 192.168.200 to describe the problem rather than the actual Class C IP assigned.  Our assigned public IP subnet is 192.168.200.64/255.255.255.192 with 62 host IPs.  The ISP router is assigned .66.  I assigned .65 to the PIX outside interface.  I set up a static outside route 0.0.0.0 gateway 192.168.200.66.

Our publicly accessible servers in the DMZ off the firewall use a private IP net (192.168.100.0/24).  I set the 6 current DMZ servers to static NAT to 6 of the public IPs assigned at the firewall (192.168.200.82 - .87), and I provided access rules to allow desired services (SSH, HTTP, etc.).  This interface appears to be working ok.

I am not allowed to set up the inside interface as a private IP net and NAT (long story), so I set up the network on the PIX inside interface as subnet 192.168.200.96/255.255.255.224, which has an allowable host IP range of 97-126.  I assigned the PIX inside port as .97.

I was under the assumption the PIX would allow traffic to flow from a higher (inside) interface to a lower (Outside) interface as long as there were access rules or translation rules in place.

When I look at the translation rules, there is already a default to use the same original address for inside to outside interface.  This seemed ok since the inside subnet is a further division of the assigned public Class C subnet.

However, from an inside workstation, I cannot access any system on the outside interface (same test systems I can access from the DMZ using NAT), even when I establish a specific access rule for the service I desire (e.g., SSH).  Help.
taccomp asked:
stressedout2004 commented:
>>>There is already a default to use the same original address for inside to outside interface

what exactly is this default NAT you are referring to in commands?


lrmoore commented:
With the masks that you propose, your subnets overlap.
You would have to change the outside interface to the same mask with 30 hosts:
 ip address outside 192.168.200.65 255.255.255.224
 ip address inside 192.168.200.97 255.255.255.224
 route outside 0.0.0.0 0.0.0.0 192.168.200.66

Now you still need NAT inside to outside, so add this (same same inside,outside):
 static (inside,outside) 192.168.200.96 192.168.200.96 netmask 255.255.255.224


What version PIX OS do you have? Ver 6.3 or 7.0?
Version 7.0 has a feature to bypass NAT without that static command, but I believe it is global and would break your current static NATs for the servers in the DMZ.

Version 6.x requires the static

taccomp (author) commented:
Since I submitted this question, I went back and changed the outside interface to "192.168.200.65/255.255.255.224" (searching for a solution), but it did not work either.  [I replaced actual Class C address with 192.168.200 in this reply]

Show config from CLI:
     "...snip...
     access-list inside_access_in permit ip any any
     ...snip...
     ip address outside 192.168.200.65 255.255.255.224
     ip address inside 192.168.200.97 255.255.255.224
     ip address dmz 192.168.100.50 255.255.255.0
     ...snip...
     nat (inside) 0 0.0.0.0 0.0.0.0 0 0
     [all following statics following this pertain to dmz,outside nat]
     ...snip...
     route outside 0.0.0.0 0.0.0.0 192.168.200.66 1
     ...snip..."

From PDM, the window shows:
    Interface inside
    IP address:  0.0.0.0   Mask:  0.0.0.0
   Translate address to:
    X  Dynamic    Address pool:  "same address"
                Pool ID
                N/A       No address pool defined

Thanks for the quick response.  I'm getting short on my implementation date and really appreciate any help.


lrmoore commented:
>    nat (inside) 0 0.0.0.0 0.0.0.0 0 0
The nat zero command was not exactly designed to do what you want to do. Suggest the static command:

no nat (inside) 0 0.0.0.0 0.0.0.0 0 0
clear xlate
static (inside,outside) 192.168.200.96 192.168.200.96 netmask 255.255.255.224

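The two points lrmoore makes above (the /26 on the outside interface overlaps the /27 on the inside interface, and the `nat (inside) 0` line should be replaced by an identity `static`) can be checked mechanically before a config goes on the box. The following is an added example, not code from the thread or from Cisco: it parses the `ip address` lines of a PIX 6.x style config, reports interface subnets that overlap, narrows the outside mask until it is disjoint from the inside subnet, and emits the identity static for the inside range. The sample config is constructed from the addresses in the question (outside .65/26, inside .97/27, dmz on 192.168.100.0/24); the function names and the rule that the outside mask is the one to narrow are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample based on the thread's original design; not captured
# from a real device.  Note the /26 outside mask that swallows the inside /27.
ORIGINAL_CONFIG = """\
ip address outside 192.168.200.65 255.255.255.192
ip address inside 192.168.200.97 255.255.255.224
ip address dmz 192.168.100.50 255.255.255.0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.200.66 1
"""

IP_ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+) (\S+)\s*$")


def parse_interfaces(config):
    """Return {interface_name: IPv4Interface} for every 'ip address' line."""
    interfaces = {}
    for line in config.splitlines():
        m = IP_ADDR_RE.match(line)
        if m:
            name, addr, mask = m.groups()
            # ipaddress accepts a dotted-decimal mask after the slash.
            interfaces[name] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return interfaces


def find_overlaps(interfaces):
    """Return sorted (if_a, if_b) pairs whose connected subnets overlap.

    Two directly connected interfaces sharing address space means the PIX
    cannot decide which interface a destination lives on, which is the
    symptom described in the question.
    """
    names = sorted(interfaces)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if interfaces[a].network.overlaps(interfaces[b].network):
                overlaps.append((a, b))
    return overlaps


def narrow_until_disjoint(iface, other_net):
    """Lengthen iface's prefix until its subnet no longer overlaps other_net.

    Keeps the interface address; only the mask changes.  Raises ValueError
    if even a /32 still lands inside other_net (the address itself is wrong).
    """
    prefix = iface.network.prefixlen
    while prefix <= 32:
        candidate = ipaddress.IPv4Interface(f"{iface.ip}/{prefix}")
        if not candidate.network.overlaps(other_net):
            return candidate
        prefix += 1
    raise ValueError(f"{iface.ip} lies inside {other_net}; change the address")


def identity_static(inside_if, outside_if, interfaces):
    """PIX 6.x identity static: map the inside subnet to itself on outside."""
    net = interfaces[inside_if].network
    return (f"static ({inside_if},{outside_if}) {net.network_address} "
            f"{net.network_address} netmask {net.netmask}")


def fix_config(config, inside_if="inside", outside_if="outside"):
    """Rewrite the outside mask and swap 'nat (inside) 0' for the static."""
    interfaces = parse_interfaces(config)
    inside_net = interfaces[inside_if].network
    new_outside = narrow_until_disjoint(interfaces[outside_if], inside_net)
    interfaces[outside_if] = new_outside
    nat0_re = re.compile(rf"^\s*nat \({re.escape(inside_if)}\) 0 ")
    out = []
    for line in config.splitlines():
        m = IP_ADDR_RE.match(line)
        if m and m.group(1) == outside_if:
            out.append(f"ip address {outside_if} {new_outside.ip} "
                       f"{new_outside.netmask}")
        elif nat0_re.match(line):
            # Replace identity NAT via 'nat 0' with the explicit static.
            out.append(identity_static(inside_if, outside_if, interfaces))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("overlaps before:", find_overlaps(parse_interfaces(ORIGINAL_CONFIG)))
    fixed = fix_config(ORIGINAL_CONFIG)
    print(fixed)
    print("overlaps after:", find_overlaps(parse_interfaces(fixed)))
```

Running it on the sample reports `inside`/`outside` as overlapping, rewrites the outside line to `255.255.255.224` and emits `static (inside,outside) 192.168.200.96 192.168.200.96 netmask 255.255.255.224`, matching lrmoore's suggested commands; the `clear xlate` step has no config-file equivalent and still has to be run on the box after the change.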