Cannot ping, http, telnet nada to inside static nat'd addresses

First time setup of PIX flavor. Have corp and two remotes using VPN. Everything is working great except from my inside network 172.17.2.X I cannot access any of my inside static NAT'd addresses like I used to with the IOS 'ip nat inside source static' cmd.

When trying to ping I see this:

Apr 18 2005 16:09:05 172.17.2.1 : %PIX-6-609001: Built local-host inside:172.17.2.210

Apr 18 2005 16:09:05 172.17.2.1 : %PIX-6-305011: Built dynamic ICMP translation from inside:172.17.2.210/512 to outside:XX.XX.145.188/31

The PAT translation, and that's it.

Here is my config, any help appreciated.

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password scribblyscrabbly encrypted
passwd scribblyscrabbly encrypted
hostname CORP
domain-name rcc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.17.3.0 RE_Inside
name 172.17.4.0 RMW_Inside
name XX.XXX.206.192 RMW_Outside
name XXX.XXX.23.184 RE_Outside
name XX.XX.145.181 mercury
name 172.17.2.245 silicon
name 172.17.2.241 cobalt
name XX.XX.145.182 cobalt_outside
object-group network Remote_Inside_Addrs
  network-object RE_Inside 255.255.255.0
  network-object RMW_Inside 255.255.255.0
access-list 100 permit tcp any any eq domain log
access-list 100 permit udp any any eq domain log
access-list 100 permit gre host XXX.XXX217.34 host XX.XX.145.178 log
access-list 100 permit gre host XX.XX.206.226 host XX.XX.145.178 log
access-list 100 permit tcp any host cobalt_outside eq pptp log
access-list 100 permit tcp any host mercury eq www log
access-list 100 permit tcp any host XX.XX.145.185 eq www log
access-list 100 permit tcp any host XX.XX.145.183 eq www log
access-list 100 permit tcp any host XX.XX.145.184 eq www log
access-list 100 permit tcp any host mercury eq 800 log
access-list 100 permit tcp any host XX.XX.145.184 eq https log
access-list 100 permit tcp any host mercury eq https log
access-list 100 permit tcp any host mercury eq ftp-data log
access-list 100 permit tcp any host mercury eq ftp log
access-list 100 permit tcp any host mercury eq smtp log
access-list 100 permit tcp any host mercury eq pop3 log
access-list 100 permit tcp any host XX.XX.145.184 eq citrix-ica log
access-list 100 permit udp any host XX.XX.145.184 eq 1604 log
access-list 100 permit tcp any host XX.XX.145.185 eq citrix-ica log
access-list 100 permit udp any host XX.XX.145.185 eq 1604 log
access-list 100 permit tcp any host XX.XX.145.183 eq citrix-ica log
access-list 100 permit udp any host XX.XX.145.183 eq 1604 log
access-list 100 permit udp any host mercury gt 1023 log
access-list 100 permit udp any host cobalt_outside gt 1023 log
access-list 100 permit udp any host XX.XX.145.183 gt 1023 log
access-list 100 permit udp any host XX.XX.145.184 gt 1023 log
access-list 100 permit udp any host XX.XX.145.185 gt 1023 log
access-list 100 permit tcp any host XX.XX.145.184 eq 3389 log
access-list 100 permit tcp any host mercury eq 3389 log
access-list 100 permit tcp any host cobalt_outside eq 3389 log
access-list 100 permit tcp any host XX.XX.145.185 eq 3389 log
access-list 100 permit tcp any host XX.XX.145.183 eq 3389 log
access-list 100 permit tcp host XX.XX.145.180 any eq 3389 log
access-list 100 permit tcp any host XX.XX.145.184 eq 631 log
access-list 100 permit tcp any host XX.XX.145.180 eq https log
access-list 100 permit tcp any eq https any
access-list 100 permit tcp any host XX.XX.145.183 eq ftp-data log
access-list 100 permit tcp any host XX.XX.145.183 eq ftp log
access-list 100 permit icmp any any echo-reply log
access-list 100 permit icmp any any time-exceeded log
access-list 100 permit icmp any any unreachable log
access-list inside_nat0_outbound permit ip 172.17.2.0 255.255.255.0 RMW_Inside 255.255.255.0
access-list inside_nat0_outbound permit ip 172.17.2.0 255.255.255.0 RE_Inside 255.255.255.0
access-list inside_nat0_outbound permit ip 172.17.2.0 255.255.255.0 host XX.XX.145.183
access-list outside_cryptomap_20 permit ip 172.17.2.0 255.255.255.0 RE_Inside 255.255.255.0
access-list outside_cryptomap_30 permit ip 172.17.2.0 255.255.255.0 RMW_Inside 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.17.2.0 255.255.255.0 object-group Remote_Inside_Addrs
pager lines 24
logging on
logging timestamp
logging trap debugging
logging history informational
logging device-id ipaddress inside
logging host inside cobalt
logging host inside 172.17.2.210 format emblem
icmp permit host XX.XX.145.188 outside
icmp permit host 172.17.2.210 outside
icmp permit any echo-reply outside
icmp permit 172.17.2.0 255.255.255.0 inside
icmp permit host XX.XX.145.188 inside
icmp permit host 172.17.2.210 inside
mtu outside 1500
mtu inside 1500
ip address outside XX.XX.145.178 255.255.255.240
ip address inside 172.17.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location mercury 255.255.255.255 outside
pdm location cobalt_outside 255.255.255.255 outside
pdm group Remote_Inside_Addrs outside
pdm logging informational 300
pdm history enable
arp timeout 14400
global (outside) 1 XX.XX.145.188
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 mercury 255.255.255.255 0 0
nat (inside) 0 cobalt_outside 255.255.255.255 0 0
nat (inside) 0 silicon 255.255.255.255 0 0
nat (inside) 1 172.17.2.0 255.255.255.0 0 0
static (inside,outside) mercury 172.17.2.240 netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.145.184 172.17.2.221 netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.145.185 172.17.2.247 netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.145.183 172.17.2.244 netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.145.180 172.17.2.3 netmask 255.255.255.255 0 0
static (inside,outside) cobalt_outside cobalt netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.145.177 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authorization command LOCAL
http server enable
http 172.17.2.0 255.255.255.0 inside
snmp-server host inside 172.17.2.1
snmp-server host inside 172.17.2.210
snmp-server host inside cobalt
snmp-server location Arl.
snmp-server contact rnorred
snmp-server community look
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer XXX.XXX.23.187
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer XX.XXX.206.194
crypto map outside_map 30 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address XXX.XXX.23.187 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address XX.XXX.206.194 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet XX.XX.145.188 255.255.255.255 outside
telnet 172.17.2.3 255.255.255.255 inside
telnet 172.17.2.111 255.255.255.255 inside
telnet 172.17.2.210 255.255.255.255 inside
telnet timeout 5
ssh XXX.XXX.108.197 255.255.255.255 inside
ssh timeout 5
management-access inside
console timeout 0
username administrator password scribblyscrabbly encrypted privilege 15
username rnorred password scribblyscrabbly encrypted privilege 15
terminal width 80
Cryptochecksum:scribblyscrabbly
: end
[OK]
Reply to
rnorred

Not an answer, but before I moved to a GRE VPN I used to experience the same thing on a router-based IPSEC VPN.

In our case I believe it was because the only things NAT'd had to come from the INSIDE of the local network. The ICMP packet (or telnet, etc.) came from your local network, hit the local router and crossed the VPN to the remote router. The remote router attempted to respond to the request, but since the packet originated from within the router and used the external (closest to destination) interface, it never hit the VPN tunnel, as the interesting traffic was set up on the inside interface.

I wonder if that made sense...

Regardless, until we moved to a GRE VPN, we had to use SSH to the outside interface to get into our routers remotely.

Reply to
Nick

Let me clarify a bit. I am on network 172.17.2.0/24; this is where the PIX is homed that has the static NAT entries. When I do a ping to these addresses, should it follow this path: inside---(translation)---PIX---outside---router---outside---(same PIX)---translation to static NAT---inside?

I know there are some rules about packets not wanting to enter an interface they just left, so I am not sure this will work at all as configured.

Any ideas?

Reply to
rnorred

This will not work because the PIX will NOT forward a packet out the same interface it came in from.

If you have the DNS server on the outside you can use outside NAT or the alias command to doctor the DNS replies.

Regards,

/TC

"rnorred" wrote in message news: snipped-for-privacy@g14g2000cwa.googlegroups.com...

Reply to
Tony "Swede" Clifton
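Worked example of the DNS-doctoring alternative Tony describes, added here as an illustration and not part of any post in the thread. It reuses the names from rnorred's config (mercury is XX.XX.145.181, mapped to 172.17.2.240). It assumes the inside clients resolve names through a DNS server reached via the outside interface, so the A-record reply actually passes through the PIX, and that `fixup protocol dns` stays enabled (it is in the posted config). The `dns` keyword on `static` is the PIX 6.2-and-later form; the `alias` line is the older method Tony names. Check both against the 6.3 command reference for your exact release, and note that with either method the client ends up talking to 172.17.2.240 directly on the LAN, so the PIX never has to forward a packet back out the inside interface.

```text
: Option 1 (PIX 6.2 and later): rewrite A records in DNS replies that
: cross the PIX. An inside client that looks up mercury's public name
: receives 172.17.2.240 instead of XX.XX.145.181 and connects to the
: server on the local subnet, so no hairpin through the PIX is needed.
: Internet clients still reach the server through the outside static.
no static (inside,outside) mercury 172.17.2.240 netmask 255.255.255.255 0 0
static (inside,outside) mercury 172.17.2.240 dns netmask 255.255.255.255 0 0
:
: Option 2 (older method, shown commented out): alias performs the same
: rewrite for replies arriving on the inside interface. Argument order
: is dnat_ip (address inside hosts should use) then foreign_ip (address
: in the reply). Because 172.17.2.240 is a live host on the inside
: subnet, alias's proxy-ARP side effect normally has to be switched off
: with sysopt noproxyarp inside; treat that as something to verify.
: alias (inside) 172.17.2.240 XX.XX.145.181 255.255.255.255
: sysopt noproxyarp inside
:
: Check from 172.17.2.210: resolve mercury's public name and confirm the
: answer is 172.17.2.240. If an inside DNS server answers the query
: instead, the PIX never sees the reply and neither option applies;
: use split DNS (an inside zone returning 172.17.2.240) instead.
```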

In article , rnorred wrote:
:First time setup of PIX flavor. Have corp and two remotes using VPN.
:Everything is working great except from my inside network 172.17.2.X I
:cannot access any of my inside static nat'd address like I used to with
:the IOS 'ip nat inside source static' cmd.

You can't do that with PIX before PIX 7.

Reply to
Walter Roberson
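What the PIX 7 behaviour Walter refers to looks like in practice, as an added example that is not part of the thread and not something rnorred's 6.3(3) box can run. It reuses the names from the posted config and assumes 7.x syntax (`same-security-traffic permit intra-interface` plus a static between inside and inside); confirm against the command reference for the exact release you upgrade to. The second NAT pair is what makes the hairpin work: without it the server would answer 172.17.2.210 directly on the LAN and the PIX would only ever see half of the connection.

```text
: Allow a packet to be sent back out the interface it arrived on.
same-security-traffic permit intra-interface
:
: Destination NAT on the inside interface: inside hosts sending to
: mercury's public address are redirected to the real inside server.
static (inside,inside) mercury 172.17.2.240 netmask 255.255.255.255
:
: Source NAT for the same hairpin: inside clients are hidden behind the
: PIX inside interface address (nat id 1 already covers 172.17.2.0/24
: in the posted config), forcing the server's reply back through the
: PIX so the connection is symmetric. Trade-off: the server's logs now
: show 172.17.2.1 as the client instead of the real inside host.
global (inside) 1 interface
nat (inside) 1 172.17.2.0 255.255.255.0
:
: The existing outside static for Internet clients is unchanged:
static (inside,outside) mercury 172.17.2.240 netmask 255.255.255.255
:
: Check from 172.17.2.210: ping or telnet to mercury's public address,
: then confirm an inside:...->inside:... xlate and a connection exist.
: show xlate
: show conn
```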

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.