Solved

SNAT PIX 501

Posted on 2009-04-11
4
667 Views
Last Modified: 2012-05-06
I'm having an issue where I can sit on the PIX and ping everything on the internal network. I can ping everything I've allowed on the external network as well. However, I can't get traffic across the NAT to ping. Here's the config:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname another-fw1
access-list outside_access_in permit ip host NAMED-SOMETHING any
access-list outside_access_in permit icmp object-group icmp-sources any
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 9.9.9.9 255.255.255.224
ip address inside 172.16.41.100 255.255.255.0
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 9.9.9.10 172.16.42.1 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 9.9.9.8 1
route inside 0.0.0.0 0.0.0.0 172.16.41.200

Lame Layout Example
ROUTER -> PIX -> SWITCH -> DEVICES


Without route to internal router
outside 0.0.0.0 0.0.0.0 12.52.0.33 1 OTHER static (What I added)
outside 9.9.9.7 255.255.255.224 9.9.9.9 1 CONNECT static (Shows by default since it's the interface)
inside 172.16.41.0 255.255.255.0 172.16.41.100 1 CONNECT static (Shows by default since it's the interface)

When I ping I get:
No route to 172.16.42.1 from "Where I'm at" on the PIX debug log...


When I add the 172.16.x.x route
outside 0.0.0.0 0.0.0.0 9.9.9.8 1 OTHER static
outside 9.9.9.7 255.255.255.224 9.9.9.9 1 CONNECT static
inside 172.16.0.0 255.255.0.0 172.16.41.200 1 OTHER static
inside 172.16.41.0 255.255.255.0 172.16.41.100 1 CONNECT static

When I ping now... I don't get the "No Route" but I don't get replies either.


Reminder, I can ping everything on the internal and external network from the PIX. However, Outisde in and Inside out doesn't work even though it's allowed...

If I changed the NAT'd devices gateway to the PIX, then it works fine. BTW: The gateway isn't mine and I'm sure there isn't any type of route pointing back to me. I'm typically coming in from an external IP and I guess that my traffic is getting pushed out another direction once it hits their network.

So, would Source NAT work? Never used it.. So, I have no idea.
0
Comment
Question by:mikefunk
  • 3
4 Comments
 
LVL 7

Expert Comment

by:mitrushi
Comment Utility
remove the defaut route from inside, you need only one default route pointing to the next hop through outside interface. If you have subnets not directly connected on the inside add static routes to these subnets on the inside interface. enable nat control so all traffic going through the router will be natted so the third party router will see only traffic coming from the pix outside interface.
0
 

Author Comment

by:mikefunk
Comment Utility
Sorry, that's not the right answer...   I pointed out that removing the default internal route causes all ping/other requests to generate the "No route to.." error.
0
 
LVL 7

Expert Comment

by:mitrushi
Comment Utility
I didn't say  only remove the default route to inside I suggested to replace it with more specific static routes to subnets which are not directly connected to inside. Also I suggested that because you can't add missing routes to the third party router, bringing back traffic to your subnets, may be you could try and nat all traffic leaving the inside interface. May be I am wrong, it is just a suggestion.
0
 
LVL 7

Accepted Solution

by:
mitrushi earned 500 total points
Comment Utility
I tried this and it works if you want to translate outside traffic to inside interface ip address. this example is from my lab, I am sure you can adapt it to your topology.

access-list outside_inside_icmp extended permit icmp 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_inside_nat extended permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0

global (inside) 10 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 access-list outside_inside_nat outside
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now