On my PIX v6.3 I have a trunk setup to 2 VLANs:

nameif vlan210 custsm security34
nameif vlan350 monnet security35
ip address custsm 192.168.200.250 255.255.255.0
ip address monnet 192.168.89.250 255.255.255.0

From a client PC on vlan350 I want to be able to connect to a system on vlan210 and vice versa. I have set up NAT as follows:

access-list NATMON permit ip 192.168.89.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (INTTNET) 0 access-list 103
global (custsm) 1 192.168.200.111

On the debug I can see my PING requests from 192.168.89.249 to 192.168.200.250 and it looks like it is using NAT address 192.168.200.111, but I am not getting a reply. I think there may be something wrong with NATting or Access-lists but can't identify what it is...

47: ICMP echo request (len 32 id 4 seq 6400) 192.168.89.249 > 192.168.89.250
48: ICMP echo reply (len 32 id 4 seq 6400) 192.168.89.250 > 192.168.89.249
49: ICMP echo request (len 32 id 4 seq 6656) 192.168.89.249 > 192.168.89.250
50: ICMP echo reply (len 32 id 4 seq 6656) 192.168.89.250 > 192.168.89.249
51: ICMP echo request (len 32 id 4 seq 6912) 192.168.89.249 > 192.168.89.250
52: ICMP echo reply (len 32 id 4 seq 6912) 192.168.89.250 > 192.168.89.249
53: ICMP echo request (len 32 id 4 seq 7168) 192.168.89.249 > 192.168.89.250
54: ICMP echo reply (len 32 id 4 seq 7168) 192.168.89.250 > 192.168.89.249
55: ICMP echo-request from monnet:192.168.89.249 to 192.168.200.250 ID=1024 seq=7424 length=40
56: ICMP echo-request: translating monnet:192.168.89.249/1024 to custsm:192.168.200.111/1
57: ICMP echo-request from monnet:192.168.89.249 to 192.168.200.250 ID=1024 seq=7680 length=40
58: ICMP echo-request: translating monnet:192.168.89.249/1024 to custsm:192.168.200.111/1
59: ICMP echo-request from monnet:192.168.89.249 to 192.168.200.250 ID=1024 seq=7936 length=40
60: ICMP echo-request: translating monnet:192.168.89.249/1024 to custsm:192.168.200.111/1
61: ICMP echo-request from monnet:192.168.89.249 to 192.168.200.250 ID=1024 seq=8192 length=40
62: ICMP echo-request: translating monnet:192.168.89.249/1024 to custsm:192.168.200.111/1
mypix-FW(config)# show xlate
20 in use, 1520 most used
PAT Global 99.199.19.43(17891) Local 10.0.0.177(43586)
PAT Global 99.199.19.43(17890) Local 10.0.0.177(59226)
PAT Global 99.199.19.43(17889) Local 10.0.0.153(2207)
PAT Global 99.199.19.43(17892) Local 10.0.0.153(2219)
mypix-FW(config)#
mypix-FW(config)# 63: ICMP echo-request from monnet:192.168.89.249 to 192.168.200.250 ID=1024 seq=8448 length=40
64: ICMP echo-request: translating monnet:192.168.89.249/1024 to custsm:192.168.200.111/2
65: ICMP echo-request from monnet:192.168.89.249 to 192.168.200.250 ID=1024 seq=8704 length=40
66: ICMP echo-request: translating monnet:192.168.89.249/1024 to custsm:192.168.200.111/2
67: ICMP echo-request from monnet:192.168.89.249 to 192.168.200.250 ID=1024 seq=8960 length=40
68: ICMP echo-request: translating monnet:192.168.89.249/1024 to custsm:192.168.200.111/2
show xlate
21 in use, 1520 most used
PAT Global 99.199.19.43(16780) Local 10.0.0.154(4137)
PAT Global 99.199.19.43(16820) Local 10.0.0.154(4179)
PAT Global 192.168.200.111(2) Local 192.168.89.249 ICMP id 1024
PAT Global 99.199.19.43(5755) Local 10.0.0.109(2638)
PAT Global 99.199.19.43(16255) Local 10.0.0.153(1306)
PAT Global 99.199.19.43(14957) Local 10.0.0.145(49167)
mypix-FW(config)# 69: ICMP echo-request from monnet:192.168.89.249 to 192.168.200.250 ID=1024 seq=9216 length=40
70: ICMP echo-request: translating monnet:192.168.89.249/1024 to custsm:192.168.200.111/2
71: ICMP echo request (len 5 id 3 seq 1280) 10.0.0.153 > 10.0.0.254
72: ICMP echo reply (len 5 id 3 seq 1280) 10.0.0.254 > 10.0.0.153
73: ICMP echo request (len 32 id 9233 seq 0) 10.0.0.254 > 10.0.0.156
74: ICMP echo request (len 32 id 9233 seq 1) 10.0.0.254 > 10.0.0.156
75: ICMP echo reply (len 32 id 9233 seq 1) 10.0.0.156 > 10.0.0.254

show run
: Saved
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 100full
interface ethernet4 vlan22 physical
interface ethernet4 vlan210 logical
interface ethernet4 vlan350 logical
interface ethernet5 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 mypixipt security10
nameif ethernet3 mypixilo security20
nameif ethernet4 mypixtrunk security30
nameif ethernet5 INTTNET security10
nameif vlan210 custsm security34
nameif vlan350 monnet security35
enable password LQj7EQ48chDRXWw8 encrypted
passwd uJtjMb8oDnBAg3Sn encrypted
hostname mypix-FW
domain-name mypix.ie
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.30.1.199 T21
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 101 permit ip 10.0.0.0 255.255.255.0 172.30.0.0 255.255.0.0
access-list 101 permit ip 172.30.0.0 255.255.0.0 10.0.0.0 255.255.255.0
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 101 permit ip 172.30.0.0 255.255.0.0 172.30.0.0 255.255.0.0
access-list 101 permit ip 10.1.1.0 255.255.255.0 172.30.0.0 255.255.0.0
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.10.8.0 255.255.255.0
access-list 101 permit ip 172.30.0.0 255.255.0.0 10.10.8.0 255.255.255.0
access-list 101 permit ip any host 172.30.1.191
access-list 101 permit ip 192.168.4.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 101 permit ip 192.168.100.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 101 permit ip 192.168.89.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 192.168.89.0 255.255.255.0
access-list 101 permit icmp any any echo-reply
access-list 101 permit ip 192.168.200.0 255.255.255.0 172.30.0.0 255.255.254.0
access-list 101 permit ip 192.168.89.0 255.255.255.0 192.168.89.0 255.255.255.0
access-list OUTSIDE permit ip any any
access-list OUTSIDE permit icmp any any
access-list OUTSIDE permit icmp any any echo-reply
access-list 103 permit ip 192.168.20.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list NATMON permit ip 192.168.89.0 255.255.255.0 192.168.200.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu mypixipt 1500
mtu mypixilo 1500
mtu mypixtrunk 1500
mtu INTTNET 1500
ip address outside 99.199.19.43 255.255.255.192
ip address inside 10.0.0.254 255.255.255.0
ip address mypixipt 172.30.1.198 255.255.254.0
ip address mypixilo 192.168.4.254 255.255.255.0
no ip address mypixtrunk
ip address INTTNET 192.168.20.254 255.255.255.0
ip address custsm 192.168.200.250 255.255.255.0
ip address monnet 192.168.89.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool mypixVPN2 10.10.8.1-10.10.8.10
ip local pool mypixVPN3 172.30.1.145-172.30.1.149
ip local pool mypixVPN1 192.168.4.90-192.168.4.95
ip local pool mypixVPN4 192.168.100.90-192.168.100.95
ip local pool mypixVPN5 192.168.20.145-192.168.20.149
no failover
global (outside) 1 interface
global (custsm) 1 192.168.200.111
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (mypixipt) 0 access-list 101
nat (mypixilo) 0 access-list 101
nat (mypixtrunk) 0 access-list 101
nat (INTTNET) 0 access-list 103
nat (monnet) 1 access-list NATMON 0 0
access-group OUTSIDE in interface outside
access-group OUTSIDE in interface mypixipt
access-group OUTSIDE in interface mypixilo
access-group OUTSIDE in interface mypixtrunk
access-group 103 in interface INTTNET
access-group OUTSIDE in interface custsm
access-group OUTSIDE in interface monnet
route outside 0.0.0.0 0.0.0.0 99.199.19.1 1
route mypixipt 172.30.200.0 255.255.255.0 172.30.1.254 1
route custsm 192.168.1.0 255.255.255.0 192.168.200.254 1
timeout xlate 3:00:00
: end
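As an added example (my own script, not part of the original post and not Cisco code), the following Python checker reads an excerpt of the posted show run and works out, for a given ingress interface, source and destination, what a PIX 6.x would do with the flow: which interface it egresses on, whether a nat statement on the ingress interface matches and has a global with the same ID on the egress interface (nat 0 access-list being exemption), whether the inbound access-group permits it, whether it goes from a lower to a higher security level (which needs a static or nat 0 access-list rather than nat/global), and whether the destination is one of the firewall's own interface addresses on an interface other than the one the packet arrives on, which a PIX does not answer. The config lines are copied from the post; the hosts 192.168.200.10 and 198.51.100.7 and the flows in the main block are constructed, and the parser only understands the command forms that appear in this config.

```python
"""Toy PIX 6.x NAT/ACL flow checker (added example, not Cisco code).

Models the PIX 6.x rule that ``nat (in) N`` only translates when a ``global (out) N``
exists on the egress interface (``nat 0 access-list`` is exemption), plus the
access-group, security-level and own-address checks one would otherwise do by hand.
"""
import ipaddress

# Copied from the posted "show run"; only the lines this checker understands.
CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan210 custsm security34
nameif vlan350 monnet security35
access-list OUTSIDE permit ip any any
access-list NATMON permit ip 192.168.89.0 255.255.255.0 192.168.200.0 255.255.255.0
ip address outside 99.199.19.43 255.255.255.192
ip address inside 10.0.0.254 255.255.255.0
ip address custsm 192.168.200.250 255.255.255.0
ip address monnet 192.168.89.250 255.255.255.0
global (outside) 1 interface
global (custsm) 1 192.168.200.111
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (monnet) 1 access-list NATMON 0 0
access-group OUTSIDE in interface custsm
access-group OUTSIDE in interface monnet
route outside 0.0.0.0 0.0.0.0 99.199.19.1 1
route custsm 192.168.1.0 255.255.255.0 192.168.200.254 1
"""

def _net(p, i):
    """Consume one address spec at p[i] (any | host A | A MASK) -> (network, next index)."""
    if p[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if p[i] == "host":
        return ipaddress.ip_network(p[i + 1]), i + 2
    return ipaddress.ip_network(f"{p[i]}/{p[i + 1]}", strict=False), i + 2

def parse_config(text):
    """Parse nameif, ip address, access-list, nat, global, access-group and route lines."""
    cfg = {"ifaces": {}, "acls": {}, "nat": [], "globals": {}, "groups": {}, "routes": []}
    for p in (line.split() for line in text.splitlines() if line.strip()):
        if p[0] == "nameif":                               # nameif HW NAME securityN
            cfg["ifaces"][p[2]] = {"sec": int(p[3][8:]), "addr": None}
        elif p[:2] == ["ip", "address"]:                   # ip address NAME IP MASK (after nameif)
            cfg["ifaces"][p[2]]["addr"] = ipaddress.ip_interface(f"{p[3]}/{p[4]}")
        elif p[0] == "access-list" and p[2] == "permit":   # access-list ACL permit PROTO SRC DST
            src, i = _net(p, 4)
            cfg["acls"].setdefault(p[1], []).append((p[3], src, _net(p, i)[0]))
        elif p[0] == "nat":                                # nat (NAME) ID access-list ACL | NET MASK
            rule = ("acl", p[4]) if p[3] == "access-list" else ("net", _net(p, 3)[0])
            cfg["nat"].append((p[1].strip("()"), int(p[2]), rule))
        elif p[0] == "global":                             # global (NAME) ID POOL
            cfg["globals"][(p[1].strip("()"), int(p[2]))] = " ".join(p[3:])
        elif p[0] == "access-group":                       # access-group ACL in interface NAME
            cfg["groups"][p[4]] = p[1]
        elif p[0] == "route":                              # route NAME NET MASK GW METRIC
            cfg["routes"].append((_net(p, 2)[0], p[1]))
    return cfg

def _permits(cfg, acl, proto, src, dst):
    return any(pr in ("ip", proto) and src in s and dst in d for pr, s, d in cfg["acls"].get(acl, []))

def _egress(cfg, dst):
    """Longest-prefix match over connected subnets and static routes."""
    cands = [(i["addr"].network, n) for n, i in cfg["ifaces"].items() if i["addr"]] + cfg["routes"]
    hits = [(net.prefixlen, name) for net, name in cands if dst in net]
    return max(hits)[1] if hits else None

def check_flow(cfg, ingress, src, dst, proto="icmp"):
    """Return egress interface, the translation that would apply, and any blocking findings."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    eg = _egress(cfg, dst)
    out = {"egress": eg, "xlate": None, "findings": []}
    # 1. The PIX answers its own interface address only on the interface the packet arrives on.
    for name, i in cfg["ifaces"].items():
        if i["addr"] and i["addr"].ip == dst and name != ingress:
            out["findings"].append(f"dst is the firewall's own {name} address; not reachable from {ingress}")
    # 2. The inbound access-group on the ingress interface must permit the flow.
    grp = cfg["groups"].get(ingress)
    if grp and not _permits(cfg, grp, proto, src, dst):
        out["findings"].append(f"access-group {grp} on {ingress} denies the flow")
    # 3. Lower-to-higher security traffic needs a static or nat 0 access-list, not nat/global.
    if eg and cfg["ifaces"][ingress]["sec"] < cfg["ifaces"][eg]["sec"]:
        out["findings"].append(f"{ingress} -> {eg} is lower-to-higher security; needs a static "
                               "(or nat 0 access-list) plus a permitting access-group")
    # 4. First nat rule on the ingress interface that matches, paired with a global on egress by ID.
    for iface, nat_id, (kind, arg) in cfg["nat"]:
        if iface != ingress:
            continue
        if not (_permits(cfg, arg, proto, src, dst) if kind == "acl" else src in arg):
            continue
        if nat_id == 0:
            out["xlate"] = "identity (nat 0 exemption)"
        elif (eg, nat_id) in cfg["globals"]:
            out["xlate"] = f"PAT to {cfg['globals'][(eg, nat_id)]} (global ({eg}) {nat_id})"
        else:
            out["findings"].append(f"nat ({ingress}) {nat_id} matched but there is no global ({eg}) {nat_id}")
        break
    else:
        out["findings"].append(f"no nat statement on {ingress} matches the flow")
    return out

if __name__ == "__main__":
    # The posted ping, then the "vice versa" direction from a constructed custsm host.
    for flow in [("monnet", "192.168.89.249", "192.168.200.250"), ("custsm", "192.168.200.10", "192.168.89.249")]:
        print(flow, check_flow(parse_config(CONFIG), *flow))
```

Running it prints one result per flow: for the posted ping the script reports the NATMON/global (custsm) 1 pairing that the debug output also shows, together with the finding that the destination is the custsm interface address itself; for a flow started from the custsm side it reports that no nat statement on custsm matches and that the direction is lower-to-higher security.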