Posted on 2007-07-23
Medium Priority
Last Modified: 2010-04-09
My Issue I am trying to nat from a seperate security zone than my inside network to the outside on it own public address, the pix is giving dhcp to this zone i can ping a test client from the pix and from the client to the pix. i tried to ping an outside public server no luck so i assume it is a tranlation issue. I did a clear xlate after my configs and write memory no luck it is the wifi_guest zone. Thanks ahead of time

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 100full
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 failan security60
nameif ethernet4 wifi_guest security8
nameif ethernet5 intf5 security10
enable password 7YFeKSr2XsDr7/GR encrypted
passwd TebofXwoTgzdeqUA encrypted
hostname pixfire
domain-name abc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol ftp 9100
fixup protocol h323 h225 1720
fixup protfixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name mailserver
access-list acl_out permit tcp any host X.X.X.173 eq smtp
access-list acl_out permit udp any host X.X.X.173 eq isakmp
access-list acl_out permit udp any host X.X.X.173 eq 1701
access-list acl_out permit udp any host X.X.X.173 eq 4500
access-list acl_out permit tcp any host X.X.X.173 eq pcanywhere-data
access-list acl_out permit udp any host X.X.X.173 eq pcanywhere-status
access-list acl_out permit gre any host X.X.X.173
access-list acl_out permit ip any host X.X.X.173
access-list acl_out permit esp any host X.X.X.173
access-list acl_out permit 115 any host X.X.X.173
access-list acl_out permit tcp any host X.X.X.168 eq https
access-list acl_out permit tcp any host X.X.X.169 eq https
access-list dmz permit ip any
access-list wifi_guest permit ip any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu failan 1500
mtu wifi_guest 1500
mtu intf5 1500
ip address outside X.X.X.162
ip address inside
ip address dmz
ip address failan
ip address wifi_guest
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool
failover timeout 0:00:00
failover poll 12
failover ip address outside X.X.X.163
failover ip address inside
failover ip address dmz
failover ip address failan
failover ip address wifi_guest
no failover ip address intf5
failover link failan
failover lan unit primary
failover lan interface failan
failover lan key ********
failover lan enable
pdm history enable
arp timeout 14400
global (outside) 1 X.X.X..164
global (outside) 2 X.X.X..171
nat (inside) 1 0 0
nat (inside) 1 0 0
nat (inside) 1 0 0
nat (inside) 1 0 0
nat (inside) 1 0 0
nat (inside) 1 0 0
nat (wifi_guest) 2 0 0
static (inside,outside) X.X.X..173 mailserver netmask 0 0
static (dmz,outside) X.X.X.168 netmask 0 0
static (dmz,outside) X.X.X.169 netmask 0 0
access-group acl_out in interface outside
access-group dmz in interface dmz
access-group wifi_guest in interface wifi_guest
route outside X.X.X.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup dhvpn3000 idle-time 1800
telnet mailserver inside
telnet mailserver dmz
telnet mailserver failan
telnet mailserver wifi_guest
telnet mailserver intf5
telnet timeout 15
ssh outside
ssh timeout 60
console timeout 15
dhcpd address wifi_guest
dhcpd dns X.X.144.202 X.X.175.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable wifi_guest
username administrator password 4A.FR0Mq7o20JzOc encrypted privilege 2
username supervisor password mamxeVTXXKLVutro encrypted privilege 2
terminal width 80
banner exec !Warning Restricted Access....Authorized Users Only!
: end
Question by:adrianjfx
  • 5
  • 4
  • 2

Expert Comment

ID: 19547864
the problem is here
nat (inside) 1 0 0
nat (inside) 1 0 0
nat (inside) 1 0 0
nat (inside) 1 0 0
nat (inside) 1 0 0
nat (inside) 1 0 0

instead of inside mention the right interface from where the traffic is originating

Author Comment

ID: 19549484
but i have no issues with my inside network
and inside is the name of the interface
nameif ethernet1 inside security100

those are all networks on my inside need to clean it up but not an issue atm

my issue is with translationg from wifi_guest to the internet
nameif ethernet4 wifi_guest security8

which is why i have
nat (wifi_guest) 2 0 0
global (outside) 2 X.X.X.171

the reason i have 2 is to identify that public and private relations only
and the acl on the interface of wifi_guest
access-list wifi_guest permit ip any

we have a pool of public addresses so i have one i want for our guest wifi access to the internet

LVL 19

Expert Comment

ID: 19552010
hi there

you say you cannot ping outside addresses from the wifi interface?  you don't have icmp traffic allowed in from outside so you won't be able to do this.  Can you open a browser from a machine on the wifi subnet and go to whatismyip.com - and see if you are getting your x.x.x.171 translation correctly?

When you make a new change to the translation table - e.g. statics or nat/global you should clear the xlate table also:

clear xlate

NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.


Author Comment

ID: 19552239
hhmmm no couldn't open a web page from b4 and i have an acl applied on incoming to the wifi-guest  zone and to my knowledge with icmp it is a by hop where by each times it tries it increasing it's hop count. i would assume since the security zone of the the outside zone lower than that of the wifi_guest zone the wifi_guest would b able to go out with just nat enabled but in the sense of the outside back in you would need a acl with which i have as a standard acl atm to allow any ip protocol to the address range on wifi_sourced network. thoughts?
LVL 19

Expert Comment

ID: 19552542
<<the wifi_guest would b able to go out with just nat enabled
Correct -
but you don't need an acl on the wifi interface to allow traffic out.
Can you remove this line temporarily:
access-group wifi_guest in interface wifi_guest

And then try an outbound connection.
When you have done this - type
sh xlate
and look for your local ip (of the wifi subnet machine) - see if you have a corresponding global translated ip in it


Assisted Solution

charan_jeetsingh earned 600 total points
ID: 19554131

he has mentioned different ip ranges at diferent interfaces but in "nat" command he is putting that all traffic is being generated from inside iterface.

adrian : above is the reason why you are able to browse from inside interface and not from wifi interface

based on your ip schema :
ip address inside
ip address dmz
ip address failan
ip address wifi_guest

the following statements should look something like :
nat (inside) 1 0 0 >> you can remove it
nat (inside) 1 0 0 >> nat (dmz) 1 0 0
nat (inside) 1 0 0 >> not sure which interface this ip belongs to
nat (inside) 1 0 0 >> correct
nat (inside) 1 0 0  >> not sure which interface this ip belongs to
nat (inside) 1 0 0  >> not sure which interface this ip belongs to

there is no nat statement for wifi interface at all hence you require to add

nat(wifi_guest) 1 0 0
LVL 19

Expert Comment

ID: 19554234
hi charan
yes - i see all the different ip ranges but these are not the issue - none of the ranges here will work except the as none of them have inside source routes.  Hes aware these are not working as he says himself:
<<those are all networks on my inside need to clean it up but not an issue atm

He already *does* have a nat statement for the wifi_guest interface  - as per the first post

nat (wifi_guest) 2
LVL 19

Accepted Solution

nodisco earned 900 total points
ID: 19554241
the reason for the nat ID of 2 is that he is specifically translating it to the global ID 2 of x.x.x.171 so he can differenciate between wifi users and inside users .

Author Comment

ID: 19554472
yeah i understand the acls of the pix are really only for inbound traffic due to it's setup and relationship to the security zones. just to try something i will create a static entry for that network and see if i am able to browse the internet from that static  entry created. then work my way backwards i know i applied a acl for traffic into the wifi_guest security zone not from due to some experience with some citrix gateways we installed. I am taking over this network from a previous network admin and it seems alot of cleaning up is needed do to the fact the pix goes to an isa so the isa is proxy translates again any how when it reaches the pix so only that is valid but anyway that is off topic. i will be returning to the office in the morning  and try the sh xlate and post the result. Thanks again guys

Author Comment

ID: 19555470
Hey guys thanks for the input it will share the points between you for being so responisve. I tried another availlble public address and it started working so all i changed was the public address i had in the global config
global (outside) 2 X.X.X..171 -> global (outside) 2 X.X.X..172
did a clear xlate and then a write memory
i believe the reason was that public address might have been tied to another device and since i am porting with addresses not actually on the interface but in the address pool the interface was tied too it might have known that it was. X.X.X.161-174 Now i have to work on why the dhcp on the pix takes so long to give out addresses and only obain an address after i do a repair on the client interface. Thanks Again
LVL 19

Expert Comment

ID: 19561535
welcome bro - glad you got going :-)

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question