Can a PIX router tell if I'm NATed?

Company B has a telnet service running inside their network at 10.110.0.202:23. They set up a rule in their boundary PIX that allows my local address 172.16.2.114 to access this service. Their routing from the PIX & beyond is a black box. It currently works correctly.

I want to access this telnet service from more than 1 workstation on my LAN (Company B doesn't care if I do this, but currently their config only allows 172.16.2.114). So, rather than go through their tiresome IT hierarchy to get this changed, I simply removed host 172.16.2.114 from my LAN and configured my router to inside source NAT packets destined for 10.110.0.202:23 as 172.16.2.114. But unfortunately this does not work (I receive no response from their telnet service).

After some troubleshooting (from my end only, they are reluctant to assist), the only thing I can figure is that their PIX router must realize that I am implementing NAT, and dropping the packet(s) accordingly. "It works" if I assign 172.16.2.114 to a workstation (connection successful), but it does "not work" if workstation 192.168.1.23 gets source NATed to 172.16.2.114 (my router never receives any response packets from 10.110.0.202 at all). I guess the PIX firewalls when I NAT.

Without knowing their PIX config, is it [probably] correct and/or possible that it realizes I am NATed and is therefore dropping the packets, or should it not be able to tell the difference (meaning I am doing something wrong)?

1388-2/HB

Assuming this is a VPN connection, did you remove/modify the no-nat statement? No-nats are processed before nats. This should work just fine.

Brian V

That's a fair assumption (the vpn) but in this case we actually share the physical layer in the building here (both our networks are physically plugged into the same switches) and their PIX is directly connected to our network and vice versa, so no vpn here.

But it's a moot point, because I just moved the 'ip nat inside source' rules from the 2610 I'd been testing with to a 1720 router (just to see if there was an IOS difference) and sure enough it *works* via the 1720. I can nat my LAN people to 172.16.2.114 and lo and behold make a connection successfully.

Not sure how much sense this makes (but it's late here, so I'm not going to complain) but having the 2610 running IOS 12.0(4)T perform the nat somehow causes their PIX to drop the packets (presumably, no response from the destination host at least). No clue why. With the 1720, IOS 12.4(4)T1, performing the *same* NAT operation, it works fine. I can only assume the IOS in that 2610 or the hardware itself is doing something funky to the packets that their PIX doesn't like.

1388-2/HB
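On the original question (can the PIX see the NAT?) and the follow-up about the 2610 "doing something funky to the packets", here is an added example, not from anyone in this thread, that models the router's policy NAT on a constructed telnet SYN and decodes the fields a PIX address/port permit actually matches. After translation the src/dst/port tuple is identical to what the real 172.16.2.114 would send, so an address-based permit is not authentication and cannot tell the two apart; only fields the rule ignores, such as TTL, differ. The `fix_tcp_checksum=False` path is an assumed translator defect (a stale TCP checksum, which the far end drops silently with no response), included to show how such a fault is detected, not as an established cause of the 2610 behaviour. The addresses are taken from the thread; everything else is constructed.

```python
import struct
from ipaddress import ip_address

# Constructed values mirroring the thread: inside workstation, the one address the PIX permits, the telnet target.
INSIDE_HOST, ALLOWED_SRC = "192.168.1.23", "172.16.2.114"
TARGET, TARGET_PORT = "10.110.0.202", 23

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; data with a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_syn(src: str, dst: str, sport: int, dport: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header + TCP SYN (no options) with both checksums filled in."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    pseudo = ip_address(src).packed + ip_address(dst).packed + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, ttl, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + tcp

def parse(pkt: bytes) -> dict:
    """What a PIX address/port rule matches on (src, dst, ports), plus TTL and checksum validity."""
    sport, dport = struct.unpack("!HH", pkt[20:24])
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, pkt[9], len(pkt) - 20)
    return {"src": str(ip_address(pkt[12:16])), "dst": str(ip_address(pkt[16:20])),
            "sport": sport, "dport": dport, "ttl": pkt[8],
            "ip_ok": checksum(pkt[:20]) == 0, "tcp_ok": checksum(pseudo + pkt[20:]) == 0}

def nat_inside_source(pkt: bytes, fix_tcp_checksum: bool = True) -> bytes:
    """Model of the router: decrement TTL like any forwarder, and only for packets to the telnet
    target rewrite the source to ALLOWED_SRC. fix_tcp_checksum=False models an assumed faulty
    translator that forgets the TCP checksum covers the source address."""
    f = parse(pkt)
    ip, tcp = bytearray(pkt[:20]), bytearray(pkt[20:])
    ip[8] -= 1
    if f["dst"] == TARGET and f["dport"] == TARGET_PORT:
        ip[12:16] = ip_address(ALLOWED_SRC).packed
        if fix_tcp_checksum:
            tcp[16:18] = b"\x00\x00"
            pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, 6, len(tcp))
            tcp[16:18] = struct.pack("!H", checksum(pseudo + bytes(tcp)))
    ip[10:12] = b"\x00\x00"                       # IP header checksum is always recomputed
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    return bytes(ip + tcp)
```

Compare `parse(nat_inside_source(build_syn(INSIDE_HOST, TARGET, 40000, 23)))` with `parse(build_syn(ALLOWED_SRC, TARGET, 40000, 23))`: the matchable tuple is the same, the TTL is one lower, and with the broken-checksum path `tcp_ok` is False while `ip_ok` is still True.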

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.