NAT problems with a PIX 515

We upgraded our PIX 515 from 6.3 to 7.0, and in the process lost our ability to move packets between interfaces. The problem is our NAT configuration. Under 6.3 we used the equivalent of static NAT so we could use the addresses inside as out. Under 7.0 we want to use NAT exemption. That is, we want to use the same addresses inside the firewall as outside, and not do any address translation. Currently, we don't get any packets to cross between interfaces.

Here is the configuration, which I've simplified: I've taken out references to the 3rd interface and other stuff not relevant to the problem at hand. After we get it working between inside and outside, adding the DMZ will be trivial.

Thanks in advance for any suggestions.

B Squared

-----------------------------------------------

PIX Version 7.0(2)
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address X.X.X.X 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address X.X.X.X 255.255.255.0
!
hostname pixfirewall
domain-name ourdomain.net
ftp mode passive
! I used the ASDM to create these access lists, you'd think they
! would be legit
access-list inside_nat0_outbound extended permit ip X.X.X.0 255.255.255.0 any
access-list outside_nat0_inbound extended permit ip any X.X.X.0 255.255.255.0
! Here's the rest of the NAT stuff, also generated by the ASDM
nat-control
nat (outside) 0 access-list outside_nat0_inbound outside
nat (inside) 0 access-list inside_nat0_outbound
! Everything else is just the routine stuff, and is the default
! configuration for the PIX 515
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
monitor-interface outside
monitor-interface inside
asdm image flash:/asdm-502.bin
no asdm history enable
arp timeout 14400
route inside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
! the stuff that allows us to use ASDM
http server enable
http X.X.X.X 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
console timeout 0
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
: end

Reply to
"B Squared"

[...]

What about something like:

static (inside,outside) X.X.X.0 X.X.X.0 netmask 255.255.255.0

Regards, Christoph Gartmann

Reply to
Christoph Gartmann

This is a pretty good idea. We were using this method under 6.3. It has the disadvantage that if the networks on the inside, or outside, are not contiguous, then you need a line for each inside / outside mapping. Our networks are close enough to contiguous that this was not a problem. But I wanted to move to NAT exemption, because it seemed like a cleaner solution.

There was one other problem with the above method: when we switched to 7.0, it no longer worked, and this kinda bugged me. Our case is simple enough that the method you suggest should work fine, and converting to NAT exemption was mostly an academic exercise. I'm still trying to figure out what the deal was, thus this posting.

B Squared

Reply to
"B Squared"

You do not need this:

nat (outside) 0 access-list outside_nat0_inbound outside

Also ensure ACLs are applied on the outside interface to allow outside-to-inside traffic.

Reply to
Cen
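Putting Cen's two points together, this is what the NAT section of the posted config would look like with the outside NAT line dropped and an inbound ACL bound to the outside interface. It is an added example, not the original poster's configuration: the X.X.X.0/24 network is the same placeholder the thread uses, host X.X.X.10 and the permitted services (SMTP and ping replies) are assumptions.

```cisco
! --- NAT exemption, one direction is enough ---
! nat-control stays on: inside hosts must match a translation rule to
! pass, and the nat 0 access-list is that rule. Exemption is applied to
! both directions of a matching connection, so the "nat (outside) 0 ...
! outside" line from the original config is not needed and is omitted.
nat-control
access-list inside_nat0_outbound extended permit ip X.X.X.0 255.255.255.0 any
nat (inside) 0 access-list inside_nat0_outbound

! --- Inbound policy on the outside interface ---
! Traffic from security-level 0 (outside) to security-level 100 (inside)
! is denied until an ACL is applied inbound on outside. Permit only what
! is actually offered to the outside; everything else is dropped.
! X.X.X.10 is an assumed mail server on the inside network.
access-list outside_access_in extended permit tcp any host X.X.X.10 eq smtp
access-list outside_access_in extended permit icmp any X.X.X.0 255.255.255.0 echo-reply
access-list outside_access_in extended deny ip any any
access-group outside_access_in in interface outside
```

Since no addresses are translated, the inside hosts' real addresses are what the outside ACL must reference, which is why the permit lines use the X.X.X.0 network directly.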
