Posted on 2007-07-23
Last Modified: 2010-04-09
My Issue: I am trying to NAT from a separate security zone than my inside network to the outside on its own public address. The PIX is giving DHCP to this zone; I can ping a test client from the PIX and from the client to the PIX. I tried to ping an outside public server, no luck, so I assume it is a translation issue. I did a clear xlate after my configs and write memory, no luck. It is the wifi_guest zone. Thanks ahead of time

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 100full
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 failan security60
nameif ethernet4 wifi_guest security8
nameif ethernet5 intf5 security10
enable password 7YFeKSr2XsDr7/GR encrypted
passwd TebofXwoTgzdeqUA encrypted
hostname pixfire
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol ftp 9100
fixup protocol h323 h225 1720
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name mailserver
access-list acl_out permit tcp any host X.X.X.173 eq smtp
access-list acl_out permit udp any host X.X.X.173 eq isakmp
access-list acl_out permit udp any host X.X.X.173 eq 1701
access-list acl_out permit udp any host X.X.X.173 eq 4500
access-list acl_out permit tcp any host X.X.X.173 eq pcanywhere-data
access-list acl_out permit udp any host X.X.X.173 eq pcanywhere-status
access-list acl_out permit gre any host X.X.X.173
access-list acl_out permit ip any host X.X.X.173
access-list acl_out permit esp any host X.X.X.173
access-list acl_out permit 115 any host X.X.X.173
access-list acl_out permit tcp any host X.X.X.168 eq https
access-list acl_out permit tcp any host X.X.X.169 eq https
access-list dmz permit ip any
access-list wifi_guest permit ip any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu failan 1500
mtu wifi_guest 1500
mtu intf5 1500
ip address outside X.X.X.162
ip address inside
ip address dmz
ip address failan
ip address wifi_guest
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool
failover timeout 0:00:00
failover poll 12
failover ip address outside X.X.X.163
failover ip address inside
failover ip address dmz
failover ip address failan
failover ip address wifi_guest
no failover ip address intf5
failover link failan
failover lan unit primary
failover lan interface failan
failover lan key ********
failover lan enable
pdm history enable
arp timeout 14400
global (outside) 1 X.X.X.164
global (outside) 2 X.X.X.171
nat (inside) 1 0 0
nat (inside) 1 0 0
nat (inside) 1 0 0
nat (inside) 1 0 0
nat (inside) 1 0 0
nat (inside) 1 0 0
nat (wifi_guest) 2 0 0
static (inside,outside) X.X.X.173 mailserver netmask 0 0
static (dmz,outside) X.X.X.168 netmask 0 0
static (dmz,outside) X.X.X.169 netmask 0 0
access-group acl_out in interface outside
access-group dmz in interface dmz
access-group wifi_guest in interface wifi_guest
route outside X.X.X.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup dhvpn3000 idle-time 1800
telnet mailserver inside
telnet mailserver dmz
telnet mailserver failan
telnet mailserver wifi_guest
telnet mailserver intf5
telnet timeout 15
ssh outside
ssh timeout 60
console timeout 15
dhcpd address wifi_guest
dhcpd dns X.X.144.202 X.X.175.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable wifi_guest
username administrator password 4A.FR0Mq7o20JzOc encrypted privilege 2
username supervisor password mamxeVTXXKLVutro encrypted privilege 2
terminal width 80
banner exec !Warning Restricted Access....Authorized Users Only!
: end
Question by:adrianjfx
    LVL 8

    Expert Comment

    the problem is here
    nat (inside) 1 0 0
    nat (inside) 1 0 0
    nat (inside) 1 0 0
    nat (inside) 1 0 0
    nat (inside) 1 0 0
    nat (inside) 1 0 0

    instead of inside mention the right interface from where the traffic is originating

    Author Comment

    but i have no issues with my inside network
    and inside is the name of the interface
    nameif ethernet1 inside security100

    those are all networks on my inside need to clean it up but not an issue atm

    my issue is with translating from wifi_guest to the internet
    nameif ethernet4 wifi_guest security8

    which is why i have
    nat (wifi_guest) 2 0 0
    global (outside) 2 X.X.X.171

    the reason i have 2 is to identify that public and private relations only
    and the acl on the interface of wifi_guest
    access-list wifi_guest permit ip any

    we have a pool of public addresses so i have one i want for our guest wifi access to the internet

    LVL 19

    Expert Comment

    hi there

    You say you cannot ping outside addresses from the wifi interface? You don't have ICMP traffic allowed in from outside, so you won't be able to do this. Can you open a browser from a machine on the wifi subnet and go to - and see if you are getting your x.x.x.171 translation correctly?

    When you make a new change to the translation table - e.g. statics or nat/global you should clear the xlate table also:

    clear xlate


    Author Comment

    Hmmm, no, I couldn't open a web page from before, and I have an ACL applied on incoming to the wifi_guest zone. To my knowledge, with ICMP it is hop by hop, where each time it tries it increases its hop count. I would assume, since the security zone of the outside zone is lower than that of the wifi_guest zone, the wifi_guest would be able to go out with just NAT enabled, but in the sense of the outside back in you would need an ACL, which I have as a standard ACL atm to allow any IP protocol to the address range on the wifi-sourced network. Thoughts?
    LVL 19

    Expert Comment

    <<the wifi_guest would b able to go out with just nat enabled
    Correct -
    but you don't need an acl on the wifi interface to allow traffic out.
    Can you remove this line temporarily:
    access-group wifi_guest in interface wifi_guest

    And then try an outbound connection.
    When you have done this - type
    sh xlate
    and look for your local ip (of the wifi subnet machine) - see if you have a corresponding global translated ip in it

    LVL 8

    Assisted Solution


    He has mentioned different IP ranges at different interfaces, but in the "nat" command he is putting that all traffic is being generated from the inside interface.

    adrian: the above is the reason why you are able to browse from the inside interface and not from the wifi interface.

    based on your ip schema :
    ip address inside
    ip address dmz
    ip address failan
    ip address wifi_guest

    the following statements should look something like :
    nat (inside) 1 0 0 >> you can remove it
    nat (inside) 1 0 0 >> nat (dmz) 1 0 0
    nat (inside) 1 0 0 >> not sure which interface this ip belongs to
    nat (inside) 1 0 0 >> correct
    nat (inside) 1 0 0  >> not sure which interface this ip belongs to
    nat (inside) 1 0 0  >> not sure which interface this ip belongs to

    there is no nat statement for wifi interface at all hence you require to add

    nat(wifi_guest) 1 0 0
    LVL 19

    Expert Comment

    hi charan
    Yes, I see all the different IP ranges, but these are not the issue; none of the ranges here will work except the as none of them have inside source routes. He's aware these are not working, as he says himself:
    <<those are all networks on my inside need to clean it up but not an issue atm

    He already *does* have a nat statement for the wifi_guest interface  - as per the first post

    nat (wifi_guest) 2
    LVL 19

    Accepted Solution

    The reason for the nat ID of 2 is that he is specifically translating it to the global ID 2 of x.x.x.171 so he can differentiate between wifi users and inside users.
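    The two checks the answers above describe, that every nat ID has a global with the same ID and that a nat statement names the interface which actually holds its network, as an added Python example that is not from this thread. The config text is constructed in PIX 6.3 syntax with made-up addresses, not the poster's redacted ones:

```python
import ipaddress
import re

# Constructed sample in PIX 6.3 syntax. Addresses are invented (RFC 1918 inside,
# TEST-NET-2 on the public side); they are not the poster's redacted values.
# The second nat (inside) line carries the dmz network, mirroring the thread's
# complaint, and the nat (dmz) 3 line has no matching global.
SAMPLE_CONFIG = """
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 10.2.2.1 255.255.255.0
ip address wifi_guest 10.9.9.1 255.255.255.0
global (outside) 1 198.51.100.164
global (outside) 2 198.51.100.171
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 1 10.2.2.0 255.255.255.0
nat (wifi_guest) 2 0 0
nat (dmz) 3 10.2.2.0 255.255.255.0
"""

def check_nat_config(config):
    """Return findings: nat IDs lacking a global, and nat statements whose
    network is not directly connected to the interface they name."""
    ifaces, global_ids, nats = {}, set(), []
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            ifaces[m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
        elif m := re.match(r"global \(\S+\) (\d+) ", line):
            global_ids.add(int(m[1]))
        elif m := re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)$", line):
            nats.append((m[1], int(m[2]), m[3], m[4]))
    findings = []
    for iface, nat_id, net, mask in nats:
        if nat_id not in global_ids:
            findings.append(f"nat ({iface}) {nat_id}: no global with id {nat_id}")
        if net == "0" and mask == "0":
            continue  # "0 0" means any source on that interface; nothing to compare
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        # Which configured interface subnet actually contains this network?
        owners = [n for n, subnet in ifaces.items() if network.subnet_of(subnet)]
        if iface not in owners:
            where = owners or "no directly connected interface"
            findings.append(f"nat ({iface}) {nat_id} {net} {mask}: network belongs to {where}")
    return findings

if __name__ == "__main__":
    for finding in check_nat_config(SAMPLE_CONFIG):
        print(finding)
```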

    Author Comment

    Yeah, I understand the ACLs of the PIX are really only for inbound traffic due to its setup and relationship to the security zones. Just to try something, I will create a static entry for that network and see if I am able to browse the internet from that static entry, then work my way backwards. I know I applied an ACL for traffic into the wifi_guest security zone, not from it, due to some experience with some Citrix gateways we installed. I am taking over this network from a previous network admin, and it seems a lot of cleaning up is needed, due to the fact the PIX goes to an ISA, so the ISA is a proxy and translates again anyhow when it reaches the PIX, so only that is valid, but anyway that is off topic. I will be returning to the office in the morning and try the sh xlate and post the result. Thanks again guys

    Author Comment

    Hey guys, thanks for the input. I will share the points between you for being so responsive. I tried another available public address and it started working, so all I changed was the public address I had in the global config
    global (outside) 2 X.X.X..171 -> global (outside) 2 X.X.X..172
    did a clear xlate and then a write memory.
    I believe the reason was that public address might have been tied to another device, and since I am porting with addresses not actually on the interface but in the address pool the interface was tied to, it might have known that it was. X.X.X.161-174. Now I have to work on why the DHCP on the PIX takes so long to give out addresses and a client only obtains an address after I do a repair on the client interface. Thanks again
    LVL 19

    Expert Comment

    welcome bro - glad you got going :-)
