SNAT PIX 501

Posted on 2009-04-11
Last Modified: 2012-05-06
I'm having an issue where I can sit on the PIX and ping everything on the internal network. I can ping everything I've allowed on the external network as well. However, I can't get traffic across the NAT to ping. Here's the config:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname another-fw1
access-list outside_access_in permit ip host NAMED-SOMETHING any
access-list outside_access_in permit icmp object-group icmp-sources any
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 9.9.9.9 255.255.255.224
ip address inside 172.16.41.100 255.255.255.0
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 9.9.9.10 172.16.42.1 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 9.9.9.8 1
route inside 0.0.0.0 0.0.0.0 172.16.41.200

Lame Layout Example
ROUTER -> PIX -> SWITCH -> DEVICES


Without route to internal router
outside 0.0.0.0 0.0.0.0 12.52.0.33 1 OTHER static (What I added)
outside 9.9.9.7 255.255.255.224 9.9.9.9 1 CONNECT static (Shows by default since it's the interface)
inside 172.16.41.0 255.255.255.0 172.16.41.100 1 CONNECT static (Shows by default since it's the interface)

When I ping I get:
No route to 172.16.42.1 from "Where I'm at" on the PIX debug log...


When I add the 172.16.x.x route
outside 0.0.0.0 0.0.0.0 9.9.9.8 1 OTHER static
outside 9.9.9.7 255.255.255.224 9.9.9.9 1 CONNECT static
inside 172.16.0.0 255.255.0.0 172.16.41.200 1 OTHER static
inside 172.16.41.0 255.255.255.0 172.16.41.100 1 CONNECT static

When I ping now... I don't get the "No Route" but I don't get replies either.


Reminder, I can ping everything on the internal and external network from the PIX. However, outside-in and inside-out doesn't work even though it's allowed...

If I change the NAT'd device's gateway to the PIX, then it works fine. BTW: the gateway isn't mine and I'm sure there isn't any type of route pointing back to me. I'm typically coming in from an external IP and I guess that my traffic is getting pushed out another direction once it hits their network.

So, would Source NAT work? Never used it... So, I have no idea.
Question by:mikefunk
4 Comments

Expert Comment

by:mitrushi
ID: 24128396
Remove the default route from inside; you need only one default route, pointing to the next hop through the outside interface. If you have subnets not directly connected on the inside, add static routes to these subnets on the inside interface. Enable nat control so all traffic going through the router will be NATted, so the third-party router will see only traffic coming from the PIX outside interface.

Author Comment

by:mikefunk
ID: 24164557
Sorry, that's not the right answer... I pointed out that removing the default internal route causes all ping/other requests to generate the "No route to..." error.

Expert Comment

by:mitrushi
ID: 24166125
I didn't say only remove the default route to inside; I suggested replacing it with more specific static routes to subnets which are not directly connected to inside. Also I suggested that, because you can't add missing routes to the third-party router bringing traffic back to your subnets, maybe you could try and NAT all traffic leaving the inside interface. Maybe I am wrong, it is just a suggestion.

Accepted Solution

by: mitrushi (earned 500 total points)
ID: 24168163
I tried this and it works if you want to translate outside traffic to the inside interface IP address. This example is from my lab; I am sure you can adapt it to your topology.

access-list outside_inside_icmp extended permit icmp 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_inside_nat extended permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0

global (inside) 10 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 access-list outside_inside_nat outside
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

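The following Python model is an added illustration, not configuration from this thread or from Cisco: it walks one echo request from an external host through the PIX routing and NAT decisions described above and shows why the three configurations in the thread behave the way they do. Addresses for the PIX, the static and the internal router come from the question; the external host 203.0.113.5, the outside network 9.9.9.0/27, and the internal router's third-party default gateway 172.16.41.1 are assumptions. The inside route used here is the specific 172.16.42.0/24 route mitrushi recommended rather than a second default.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the topology in this thread (addresses taken from the question).
OUTSIDE_GW = ip_address("9.9.9.8")
INSIDE_IF = ip_address("172.16.41.100")        # PIX inside interface
INTERNAL_ROUTER = ip_address("172.16.41.200")  # next hop to 172.16.42.0/24; not ours
SERVER_REAL = ip_address("172.16.42.1")
SERVER_PUBLIC = ip_address("9.9.9.10")         # static (inside,outside) 9.9.9.10 172.16.42.1
THIRD_PARTY_GW = ip_address("172.16.41.1")     # assumption: internal router's default, not the PIX


def lookup(routes, dst):
    """Longest-prefix match over (interface, network, next_hop) tuples."""
    best = None
    for iface, net, nh in routes:
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net, nh)
    return best


def pix_routes(with_specific_inside_route):
    """PIX table: connected nets, one default via outside, optionally the /24 behind the router."""
    routes = [
        ("outside", ip_network("9.9.9.0/27"), None),      # assumed connected outside net
        ("inside", ip_network("172.16.41.0/24"), None),
        ("outside", ip_network("0.0.0.0/0"), OUTSIDE_GW),
    ]
    if with_specific_inside_route:
        # route inside 172.16.42.0 255.255.255.0 172.16.41.200 1 (instead of a second default)
        routes.append(("inside", ip_network("172.16.42.0/24"), INTERNAL_ROUTER))
    return routes


# The internal router (not ours): knows both LAN subnets, default points away from the PIX.
INTERNAL_ROUTER_ROUTES = [
    ("lan41", ip_network("172.16.41.0/24"), None),
    ("lan42", ip_network("172.16.42.0/24"), None),
    ("wan", ip_network("0.0.0.0/0"), THIRD_PARTY_GW),
]


def trace_ping(external_src, with_specific_inside_route, outside_nat):
    """Follow one echo request from external_src to 9.9.9.10 and its reply.

    Returns a dict whose 'result' is 'no-route', 'reply-lost' or 'reply-received'
    and, on success, the reply as the external host sees it.
    """
    src = ip_address(external_src)

    # 1. Inbound: the static untranslates 9.9.9.10 -> 172.16.42.1, then the PIX
    #    needs a route to the real address that leaves via the inside interface.
    route = lookup(pix_routes(with_specific_inside_route), SERVER_REAL)
    if route is None or route[0] != "inside":
        return {"result": "no-route", "log": f"No route to {SERVER_REAL}"}

    # 2. Outside NAT (nat (outside) ... outside + global (inside) 10 interface):
    #    the source the server sees becomes the PIX inside interface address.
    src_seen_by_server = INSIDE_IF if outside_nat else src

    # 3. Reply: the server hands 172.16.42.1 -> src_seen_by_server to its gateway,
    #    the internal router, which forwards by its own table.
    reply_route = lookup(INTERNAL_ROUTER_ROUTES, src_seen_by_server)
    if reply_route[0] != "lan41":
        # Reply leaves via the third-party gateway, which has no route back to the PIX.
        return {"result": "reply-lost", "via": str(reply_route[2])}

    # 4. Back on the PIX: both translations are undone, so the external host
    #    sees an echo reply from 9.9.9.10 addressed to itself.
    return {
        "result": "reply-received",
        "reply_src": str(SERVER_PUBLIC),
        "reply_dst": str(src),
    }


if __name__ == "__main__":
    for args in [(False, False), (True, False), (True, True)]:
        print(args, trace_ping("203.0.113.5", *args))
```

The three runs reproduce the thread: with no inside route the PIX reports no route to 172.16.42.1; with the route but no outside NAT the request arrives and the reply is lost on the internal router's default path; with the route and outside NAT the server replies to 172.16.41.100, a directly connected address, so the reply returns to the PIX and is untranslated.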
