Solved

Static NAT on PIX 520 with IOS 4.4(7)

Posted on 2006-07-23
329 Views
Last Modified: 2013-11-16
I have an older ios release that I'm messing around with at home because I can't learn on the equipment at work.  
Here's how my network settings are with a direct connection to my ISP, so this would be the outside interface:
ip address range: 172.16.1.8 - 172.16.1.254
netmask: 255.255.255.0
gateway: 172.16.1.1

How can I set up static NAT between the outside interface, which will reflect the settings above, and the inside hosts on my network on, let's say, 192.168.1.0?

Thank you.
Question by: sipscott

13 Comments
 
LVL 20

Expert Comment

by:calvinetter
PIX v4.4 ?!  My, that's ancient!
  What you're describing above actually isn't static NAT, just dynamic NAT...  If you're trying to NAT the 192.168.1.x to the pool of IPs: 172.16.1.8 - .254, & you're manually setting the PIX's gateway & outside IP, see below:

ip address inside 192.168.1.1 255.255.255.0  <- or whatever your inside IP is going to be
ip address outside 172.16.1.7 255.255.255.0  <- or whatever your outside IP is going to be
route outside 0 0 172.16.1.1
nat (inside) 1 0 0
global (outside) 1 172.16.1.8-172.16.1.254

  Here's the PIX 4.4 config guide (especially the command ref):
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_44/pix44cfg/index.htm

cheers
0
 

Author Comment

by:sipscott
Oh man, that's exactly what I've been trying all night!  I can ping each interface, but data won't flow through the inside interface to any hosts on the outside or vice versa.  Here's how my network is set up, try not to laugh!  I have my computer connected directly to the inside interface of the PIX with a crossover cable.  The outside interface of the PIX is connected to a wireless bridge (Buffalo WLI-TX4-G54HP), which connects up to my wireless ISP about 5 miles away.  They are using a MikroTik router with an IP address of 172.16.1.1 255.255.255.0; it's running DHCP, and has its own static 1 to 1 mapping.  I can ping from the outside interface on my PIX to various hosts on the wireless network: other access points and gateways.  I can also ping from the inside interface to various hosts on my home network.  I cannot ping through either interface, and I'm beginning to wonder if I may have screwed something up.  I'll include a copy of my config:

PIX Version 4.4(7)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
logging on
no logging timestamp
no logging console
no logging monitor
no logging buffered
no logging trap
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 172.16.1.57 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
global (outside) 1 172.16.1.59-172.16.1.254
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet timeout 5
terminal width 80
0
 

Author Comment

by:sipscott
bump,
this question must be tougher than I thought.  I have experience setting up a similar config on a PIX with v6, but as was mentioned earlier 4.4 is rather old!
0
 
LVL 11

Expert Comment

by:prueconsulting
Do you have any potential to bring the PIX OS to a more current level (at least the 6.x level)?

4.x is ancient and doesn't even support a lot of the functionality of the newer versions.
0
 
LVL 20

Expert Comment

by:calvinetter
1)  First off, have you checked with your ISP on the IP settings?  I rather doubt they're giving you the entire range of 254 IPs to use (172.16.1.1-172.16.1.254).
2)  I checked the Command Reference for 4.4 (in the URL above), & it doesn't appear to support DHCP for the "ip address" command, unlike PIX 5.2 & above (ie, 'ip address dhcp setroute').  So, looks like you'd have to have a static IP given to you by your ISP if running v4.4 code.
3) Did you poweroff the wireless bridge before connecting your PIX, then reboot the wireless bridge?  
4)  Have you manually cleared the NAT table?  -->  clear xlate

Just to keep things simple, I'd disable failover on this:
  no failover
And verify this with "show failover", what you want to see is:
 Failover Off

  Assuming you clear up any IP addressing problems with your ISP, they may have to clear their ARP cache on their end.  Once you're sure about IP settings, save the config then reboot the PIX.

cheers
0
 

Author Comment

by:sipscott
Getting a static IP was no problem, I've got about 220 unused addresses to pick from.  (I work for the ISP)  I also have failover disabled.  The PIX communicates on the wireless flawlessly, I can ping from the outside to anywhere including www.google.com.  The problem appears to be all in NAT.

Here's the diagnosis:

pixfirewall(config)# ping outside 64.233.179.99
        64.233.179.99 response received -- 70ms
        64.233.179.99 response received -- 60ms
        64.233.179.99 response received -- 70ms
pixfirewall(config)# ping outside 172.16.1.1
        172.16.1.1 response received -- 10ms
        172.16.1.1 response received -- 0ms
        172.16.1.1 response received -- 0ms
pixfirewall(config)# ping inside 192.168.1.3
        192.168.1.3 response received -- 0ms
        192.168.1.3 response received -- 0ms
        192.168.1.3 response received -- 0ms


****From my workstation*****
Ethernet adapter Local Area Connection 4:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

C:\Documents and Settings\Scott>ping 172.16.1.1

Pinging 172.16.1.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.16.1.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

C:\Documents and Settings\Scott>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
0
 
LVL 20

Expert Comment

by:calvinetter
> I've got about 220 unused addresses to pick from.  (I work for the ISP)
  Lucky you!  I could use my own Class C to play with...  ;)

What's the output of "show ver"?
And what's the output of "show xlate" immediately after trying to ping from your workstation?  Do you get any entries for your PC's IP?

Have you also tried doing PAT on the outside interface IP?  eg:
no global (outside) 1 172.16.1.59-172.16.1.254
no nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 172.16.1.57 netmask 255.255.255.0  <- if it works, run similar steps but try 172.16.1.59 instead
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
clear xlate

Are you absolutely sure the subnet mask is correct for the outside interface?

cheers
0
 

Author Comment

by:sipscott
pixfirewall(config)# sho ver

PIX Version 4.4(7)
Compiled on Mon 02-Oct-00 07:07 by pixbuild
Finesse Bios V3.3

pixfirewall up 13 mins 0 secs

Hardware:   SE440BX2, 128 MB RAM, CPU Pentium II 449 MHz
Flash atmel @ base 0x300
0: ethernet0: address is 00a0.c957.d76e, irq 11
1: ethernet1: address is 00a0.c9b2.5ec7, irq 9

Licensed Options:
Failover:       Enabled
IPSec:          Enabled
Ports allowed:  6
================================================================
I can't do this with 4.4:


pixfirewall(config)# global (outside) 1 172.16.1.57 netmask 255.255.255.0
Start and end addresses overlap with outside interface address
**** WARNING ***
        Configuration Replication is NOT performed from Standby unit to Active unit.
        Configurations are no longer synchronized.
pixfirewall(config)#

**I went ahead and used 172.16.1.59 for PAT instead, still doesn't work.  I took a look on the MikroTik config and I'm positive my ISP uses a class C subnet mask for 172.16.1.1.  Question is, does this work in 4.4?  I can still ping from the outside and from my ISP back to the outside on the PIX.  Could it be screwing something up within NAT?

0
 

Author Comment

by:sipscott
show xlate:
no entries are made after ping from my workstation.
0
 
LVL 20

Accepted Solution

by:
calvinetter earned 500 total points
>I can't do this with 4.4:
>pixfirewall(config)# global (outside) 1 172.16.1.57 netmask 255.255.255.0
  Yeah, confirmed that this was first allowed in 5.2(1)  (via "interface" keyword of course, like nowadays).

  Have you also tried being specific about what you're trying to NAT?  eg:
no nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 1 192.168.1.0 255.255.255.0
clear xlate    <- make *sure* you're running this after adding/modifying 'nat' or 'global' statements!

  And for good measure:
write mem
reload

FYI for 'global' statement:  see Usage Note #5 under the Usage Guidelines:
  http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_44/pix44cfg/pix44cmd.htm#2310
Apparently in 4.4 if using a pool of IPs for the global statement, you must configure reverse DNS for those IPs?!  If that's true, what the hell was Cisco thinking?! LOL
 
cheers
0
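The thread's fixes all come down to a handful of consistency rules between `ip address`, `global`, `nat` and `route` lines: the `global` pool must sit inside the outside subnet and (on 4.4) must not include the outside interface address, every `nat` id needs a `global` with the same id and vice versa, the default route's gateway must be on the outside network, and a catch-all `nat (inside) 1 0 0` is worth replacing with the real inside subnet as the accepted answer suggests. The linter below, an added example that is neither the thread's nor Cisco's code, encodes those rules and runs them over a constructed sample modelled on the config posted above; the parser only understands the PIX 4.x-style line forms shown in this thread (pool `a-b`, single address with `netmask`, the `0` shorthand for `0.0.0.0`), and everything else is assumed.

```python
"""Sanity-check PIX 'nat'/'global' pairing and addressing.

Added example, not code from the thread or from Cisco. It parses the handful
of PIX 4.x-style lines that matter for outbound NAT and reports the kinds of
mistakes discussed in the thread: a global pool that overlaps the outside
interface address (which 4.4 rejects), a pool not within the outside subnet,
a 'nat' id with no matching 'global' (or vice versa), a default route whose
gateway is not on the outside network, and a catch-all 'nat ... 0 0'.
"""
import ipaddress
import re

# Constructed sample, modelled on the config posted in the thread.
SAMPLE_CONFIG = """\
ip address outside 172.16.1.57 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 172.16.1.59-172.16.1.254
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
"""

IP_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)(?: netmask (\S+))?$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")


def _dq(token):
    """PIX accepts the shorthand '0' for 0.0.0.0; the ipaddress module does not."""
    return "0.0.0.0" if token == "0" else token


def parse_pix(text):
    """Pull interface addresses, global pools, nat rules and routes out of a config."""
    cfg = {"interfaces": {}, "globals": [], "nats": [], "routes": []}
    for raw in text.splitlines():
        line = raw.split("<-")[0].strip()  # drop inline notes like those in the thread
        if m := IP_RE.match(line):
            cfg["interfaces"][m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif m := GLOBAL_RE.match(line):
            first, _, last = m[3].partition("-")   # pool "a-b" or a single address
            cfg["globals"].append({"ifname": m[1], "id": int(m[2]),
                                   "first": ipaddress.ip_address(first),
                                   "last": ipaddress.ip_address(last or first)})
        elif m := NAT_RE.match(line):
            net = ipaddress.ip_network(f"{_dq(m[3])}/{_dq(m[4])}", strict=False)
            cfg["nats"].append({"ifname": m[1], "id": int(m[2]), "net": net})
        elif m := ROUTE_RE.match(line):
            cfg["routes"].append({"ifname": m[1], "gw": ipaddress.ip_address(m[4])})
    return cfg


def lint_nat(cfg):
    """Return a list of findings; an empty list means the pairing looks consistent."""
    findings = []
    nat_ids = {n["id"] for n in cfg["nats"]}
    global_ids = {g["id"] for g in cfg["globals"]}
    for g in cfg["globals"]:
        iface = cfg["interfaces"].get(g["ifname"])
        if iface is None:
            findings.append(f"error: global id {g['id']}: interface {g['ifname']} has no ip address")
            continue
        if g["id"] not in nat_ids:
            findings.append(f"error: global id {g['id']}: no matching 'nat' statement")
        if g["first"] <= iface.ip <= g["last"]:
            # PIX 4.4 refuses this outright: "overlap with outside interface address"
            findings.append(f"error: global id {g['id']}: pool {g['first']}-{g['last']} "
                            f"overlaps interface address {iface.ip}")
        if g["first"] not in iface.network or g["last"] not in iface.network:
            findings.append(f"error: global id {g['id']}: pool not within {iface.network}")
    for n in cfg["nats"]:
        if n["id"] not in global_ids:
            findings.append(f"error: nat id {n['id']}: no matching 'global' statement")
        if n["net"].prefixlen == 0:
            findings.append(f"info: nat id {n['id']}: matches all sources (0 0); "
                            f"consider naming the actual inside subnet")
    for r in cfg["routes"]:
        iface = cfg["interfaces"].get(r["ifname"])
        if iface is not None and r["gw"] not in iface.network:
            findings.append(f"error: route {r['ifname']}: gateway {r['gw']} "
                            f"not within {iface.network}")
    return findings


if __name__ == "__main__":
    for finding in lint_nat(parse_pix(SAMPLE_CONFIG)) or ["ok: no findings"]:
        print(finding)
```

Running it on the sample produces only the informational note about the catch-all `nat` line; swapping the pool for `global (outside) 1 172.16.1.57 netmask 255.255.255.0` reproduces the overlap condition the PIX rejected in the thread, and replacing the `nat` line with `nat (inside) 1 192.168.1.0 255.255.255.0` yields no findings at all. None of this replaces `clear xlate` after changing `nat`/`global`, which the accepted answer stresses; it only catches the addressing mistakes before you get that far.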
