adrianjfx (Bahamas) asked:
PIX TRANSLATION FROM VARIOUS ZONES

Morning.
My issue: I am trying to NAT from a separate security zone than my inside network to the outside on its own public address. The PIX is giving DHCP to this zone; I can ping a test client from the PIX and from the client to the PIX. I tried to ping an outside public server, no luck, so I assume it is a translation issue. I did a clear xlate after my configs and a write memory, no luck. It is the wifi_guest zone. Thanks ahead of time.

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 100full
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 failan security60
nameif ethernet4 wifi_guest security8
nameif ethernet5 intf5 security10
enable password 7YFeKSr2XsDr7/GR encrypted
passwd TebofXwoTgzdeqUA encrypted
hostname pixfire
domain-name abc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol ftp 9100
fixup protocol h323 h225 1720
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.16.31.1 mailserver
access-list acl_out permit tcp any host X.X.X.173 eq smtp
access-list acl_out permit udp any host X.X.X.173 eq isakmp
access-list acl_out permit udp any host X.X.X.173 eq 1701
access-list acl_out permit udp any host X.X.X.173 eq 4500
access-list acl_out permit tcp any host X.X.X.173 eq pcanywhere-data
access-list acl_out permit udp any host X.X.X.173 eq pcanywhere-status
access-list acl_out permit gre any host X.X.X.173
access-list acl_out permit ip any host X.X.X.173
access-list acl_out permit esp any host X.X.X.173
access-list acl_out permit 115 any host X.X.X.173
access-list acl_out permit tcp any host X.X.X.168 eq https
access-list acl_out permit tcp any host X.X.X.169 eq https
access-list dmz permit ip 10.250.100.0 255.255.255.0 any
access-list wifi_guest permit ip 172.16.50.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu failan 1500
mtu wifi_guest 1500
mtu intf5 1500
ip address outside X.X.X.162 255.255.255.224
ip address inside 172.16.31.2 255.255.255.0
ip address dmz 10.250.100.1 255.255.255.0
ip address failan 10.20.100.1 255.255.255.0
ip address wifi_guest 172.16.50.1 255.255.255.0
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 172.28.127.1-172.28.127.254
failover
failover timeout 0:00:00
failover poll 12
failover ip address outside X.X.X.163
failover ip address inside 172.16.31.3
failover ip address dmz 10.250.100.2
failover ip address failan 10.20.100.2
failover ip address wifi_guest 172.16.50.2
no failover ip address intf5
failover link failan
failover lan unit primary
failover lan interface failan
failover lan key ********
failover lan enable
pdm history enable
arp timeout 14400
global (outside) 1 X.X.X.164
global (outside) 2 X.X.X.171
nat (inside) 1 172.16.31.0 255.255.255.252 0 0
nat (inside) 1 10.168.4.0 255.255.255.0 0 0
nat (inside) 1 10.200.200.0 255.255.255.0 0 0
nat (inside) 1 172.16.31.0 255.255.255.0 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 10.168.0.0 255.255.252.0 0 0
nat (wifi_guest) 2 172.16.50.0 255.255.255.0 0 0
static (inside,outside) X.X.X.173 mailserver netmask 255.255.255.255 0 0
static (dmz,outside) X.X.X.168 10.250.100.6 netmask 255.255.255.255 0 0
static (dmz,outside) X.X.X.169 10.250.100.7 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group dmz in interface dmz
access-group wifi_guest in interface wifi_guest
route outside 0.0.0.0 0.0.0.0 X.X.X.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http 172.16.31.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup dhvpn3000 idle-time 1800
telnet mailserver 255.255.255.255 inside
telnet mailserver 255.255.255.255 dmz
telnet mailserver 255.255.255.255 failan
telnet mailserver 255.255.255.255 wifi_guest
telnet mailserver 255.255.255.255 intf5
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 15
dhcpd address 172.16.50.20-172.16.50.254 wifi_guest
dhcpd dns X.X.144.202 X.X.175.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable wifi_guest
username administrator password 4A.FR0Mq7o20JzOc encrypted privilege 2
username supervisor password mamxeVTXXKLVutro encrypted privilege 2
terminal width 80
banner exec !Warning Restricted Access....Authorized Users Only!
Cryptochecksum:f309c5c7f1d61c8754d738773020622b
: end
charan_jeetsingh

The problem is here:
nat (inside) 1 172.16.31.0 255.255.255.252 0 0
nat (inside) 1 10.168.4.0 255.255.255.0 0 0
nat (inside) 1 10.200.200.0 255.255.255.0 0 0
nat (inside) 1 172.16.31.0 255.255.255.0 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 10.168.0.0 255.255.252.0 0 0

Instead of inside, mention the right interface from where the traffic is originating.
adrianjfx (ASKER)

But I have no issues with my inside network, and inside is the name of the interface:
nameif ethernet1 inside security100

Those are all networks on my inside; I need to clean it up, but not an issue atm.

My issue is with translating from wifi_guest to the internet:
nameif ethernet4 wifi_guest security8

Which is why I have
nat (wifi_guest) 2 172.16.50.0 255.255.255.0 0 0
global (outside) 2 X.X.X.171

The reason I have 2 is to identify that public and private relation only,
and the ACL on the interface of wifi_guest:
access-list wifi_guest permit ip 172.16.50.0 255.255.255.0 any

We have a pool of public addresses, so I have one I want for our guest wifi access to the internet.


nodisco
hi there

you say you cannot ping outside addresses from the wifi interface?  you don't have icmp traffic allowed in from outside so you won't be able to do this.  Can you open a browser from a machine on the wifi subnet and go to whatismyip.com - and see if you are getting your x.x.x.171 translation correctly?

When you make a new change to the translation table - e.g. statics or nat/global you should clear the xlate table also:

clear xlate

hth
Hmm, no, I couldn't open a web page from before either, and I have an ACL applied on incoming to the wifi_guest zone. To my knowledge ICMP is hop by hop, whereby each time it tries it increases its hop count. I would assume, since the security level of the outside zone is lower than that of the wifi_guest zone, the wifi_guest would be able to go out with just NAT enabled, but in the sense of outside back in you would need an ACL, which I have as a standard ACL atm to allow any IP protocol to the address range on the wifi-sourced network. Thoughts?
<<the wifi_guest would be able to go out with just nat enabled
Correct -
but you don't need an acl on the wifi interface to allow traffic out.
Can you remove this line temporarily:
access-group wifi_guest in interface wifi_guest

And then try an outbound connection.
When you have done this - type
sh xlate
and look for your local ip (of the wifi subnet machine) - see if you have a corresponding global translated ip in it


hth
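An added example (my own, not code from this thread, from Cisco, or from the PIX itself) that turns the two points being argued above into a check you can run against a saved config: the nat/global pairing by NAT id between a higher-security interface and a lower-security one, and the fact that once an access-group is bound to the NAT-side interface that ACL, not the security level, decides what may leave. The script parses the nameif, ip address, failover, global, nat, static and access-group lines of a PIX 6.3-style config and reports NAT ids with no matching global, global addresses outside the outside subnet or already owned by an interface, failover address or static, and interfaces where an ACL now governs the NATed sources. The sample config is constructed, modelled on the one posted in the question, with the redacted X.X.X. prefix replaced by the documentation range 203.0.113.160/27 (an assumption) and two deliberately wrong lines (nat id 4 with no global, global id 3 colliding with a static) so there is something to flag.

```python
import ipaddress
import re

# Constructed sample, modelled on the config posted in the thread. The
# redacted X.X.X. public prefix is replaced with the documentation range
# 203.0.113.160/27 (an assumption); the nat id 4 line and the global id 3
# line are added deliberately so the checks below have something to flag.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet4 wifi_guest security8
ip address outside 203.0.113.162 255.255.255.224
ip address inside 172.16.31.2 255.255.255.0
ip address dmz 10.250.100.1 255.255.255.0
ip address wifi_guest 172.16.50.1 255.255.255.0
failover ip address outside 203.0.113.163
global (outside) 1 203.0.113.164
global (outside) 2 203.0.113.171
global (outside) 3 203.0.113.168
nat (inside) 1 172.16.31.0 255.255.255.0 0 0
nat (wifi_guest) 2 172.16.50.0 255.255.255.0 0 0
nat (dmz) 3 10.250.100.0 255.255.255.0 0 0
nat (inside) 4 192.168.1.0 255.255.255.0 0 0
static (inside,outside) 203.0.113.173 172.16.31.1 netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.168 10.250.100.6 netmask 255.255.255.255 0 0
access-group wifi_guest in interface wifi_guest
"""

RULES = {
    "nameif": re.compile(r"^nameif \S+ (\S+) security(\d+)$"),
    "ipaddr": re.compile(r"^ip address (\S+) (\S+) (\S+)$"),
    "failover": re.compile(r"^failover ip address (\S+) (\S+)$"),
    "global": re.compile(r"^global \((\S+)\) (\d+) (\S+)"),
    "nat": re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)"),
    "static": re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)"),
    "accessgroup": re.compile(r"^access-group (\S+) in interface (\S+)$"),
}


def parse_config(text):
    """Pull the NAT-relevant lines out of a PIX 6.x config dump."""
    cfg = {"security": {}, "if_addr": {}, "reserved": {}, "globals": [], "nats": [], "access_groups": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := RULES["nameif"].match(line):
            cfg["security"][m[1]] = int(m[2])
        elif m := RULES["ipaddr"].match(line):
            cfg["if_addr"][m[1]] = ipaddress.IPv4Interface(f"{m[2]}/{m[3]}")
            cfg["reserved"][m[2]] = f"interface {m[1]} address"
        elif m := RULES["failover"].match(line):
            cfg["reserved"][m[2]] = f"failover address on {m[1]}"
        elif m := RULES["global"].match(line):
            first, _, last = m[3].partition("-")       # single address or a-b range
            cfg["globals"].append((m[1], int(m[2]), first, last or first))
        elif m := RULES["nat"].match(line):
            try:
                net = ipaddress.IPv4Network(f"{m[3]}/{m[4]}", strict=False)
            except ValueError:                          # e.g. "nat (x) 0 access-list ..."
                continue
            cfg["nats"].append((m[1], int(m[2]), net))
        elif m := RULES["static"].match(line):
            cfg["reserved"][m[3]] = f"static for {m[4]} on {m[1]}"
        elif m := RULES["accessgroup"].match(line):
            cfg["access_groups"][m[2]] = m[1]
    return cfg


def _expand(first, last):
    """All addresses in an inclusive range such as 203.0.113.164-203.0.113.170."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(start, end + 1)]


def audit(text):
    """Return findings about nat/global pairing and reuse of global addresses."""
    cfg = parse_config(text)
    sec = cfg["security"]
    findings = []
    # 1. a nat id other than 0 needs a global with the same id on a
    #    lower-security interface, otherwise outbound flows never get an xlate
    for iface, nat_id, net in cfg["nats"]:
        if nat_id == 0:
            continue
        partners = [g for g in cfg["globals"]
                    if g[1] == nat_id and sec.get(g[0], 0) < sec.get(iface, 0)]
        if not partners:
            findings.append(f"nat ({iface}) {nat_id} {net}: no global with id {nat_id} on a lower-security interface")
    # 2. a global address should sit in the outside subnet (the PIX proxy-ARPs
    #    for it there) and must not be an address something else already owns
    for iface, gid, first, last in cfg["globals"]:
        subnet = cfg["if_addr"].get(iface)
        addrs = ([str(subnet.ip)] if subnet else []) if first == "interface" else _expand(first, last)
        for addr in addrs:
            if subnet and ipaddress.IPv4Address(addr) not in subnet.network:
                findings.append(f"global ({iface}) {gid} {addr}: not in {iface} subnet {subnet.network}")
            owner = cfg["reserved"].get(addr)
            if owner and first != "interface":
                findings.append(f"global ({iface}) {gid} {addr}: already used as {owner}")
    # 3. with an access-group bound to the NAT-side interface, the ACL rather than
    #    the security level decides what may leave; point the reader at it
    for iface in sorted({n[0] for n in cfg["nats"]}):
        acl = cfg["access_groups"].get(iface)
        if acl:
            findings.append(f"note: access-group {acl} on {iface} now governs outbound traffic; confirm it permits the nat sources")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it as-is to see the three findings for the constructed sample; to check a real box, paste the output of `write terminal` into SAMPLE_CONFIG (or read it from a file) and look first at the "no global with id" lines, which are the cases where a subnet has a nat statement but nothing to translate to.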
SOLUTION (charan_jeetsingh): this solution is only available to members of Experts Exchange.
hi charan
yes - i see all the different ip ranges but these are not the issue - none of the ranges here will work except the 172.16.31.0/24 as none of them have inside source routes.  He's aware these are not working as he says himself:
<<those are all networks on my inside need to clean it up but not an issue atm


He already *does* have a nat statement for the wifi_guest interface  - as per the first post

nat (wifi_guest) 2 172.16.50.0 255.255.255.0
ASKER CERTIFIED SOLUTION: this solution is only available to members of Experts Exchange.
Yeah, I understand the ACLs of the PIX are really only for inbound traffic due to its setup and relationship to the security zones. Just to try something I will create a static entry for that network and see if I am able to browse the internet from that static entry created, then work my way backwards. I know I applied an ACL for traffic into the wifi_guest security zone, not from, due to some experience with some Citrix gateways we installed. I am taking over this network from a previous network admin and it seems a lot of cleaning up is needed due to the fact the PIX goes to an ISA, so the ISA proxy translates again anyhow when it reaches the PIX, so only that 172.16.31.0 is valid, but anyway that is off topic. I will be returning to the office in the morning and try the sh xlate and post the result. Thanks again guys.
Hey guys, thanks for the input, I will share the points between you for being so responsive. I tried another available public address and it started working, so all I changed was the public address I had in the global config:
global (outside) 2 X.X.X.171 -> global (outside) 2 X.X.X.172
did a clear xlate and then a write memory
I believe the reason was that public address might have been tied to another device, and since I am porting with addresses not actually on the interface but in the address pool the interface was tied to, it might have known that it was (X.X.X.161-174). Now I have to work on why the DHCP on the PIX takes so long to give out addresses and only obtains an address after I do a repair on the client interface. Thanks again.
welcome bro - glad you got going :-)