Velocity Reviews > Hardware > Cisco Pix 525 - Static Nat not working to internal IP
http://www.velocityreviews.com/forums/t740498-cisco-pix-525-static-nat-not-working-to-internal-ip.html

kylebelz 12-20-2010 07:08 PM

Cisco Pix 525 - Static Nat not working to internal IP
 
I just posted this in General and I believe it should have been posted here.

Sorry about that.

Again, any help would be appreciated.

Thanks!

Hi All

I am new to this discussion forum. Not sure if I am in the right place for my question, but I will give this a shot.

I've recently installed a PIX 525 with 8.0(4).

I have set up all my access lists, routes and NAT like I have done in the past, but for some reason I cannot ping or get any traffic through to one of my internal IPs.

The PIX is at my local NOC, and my servers are at my remote office.

PIX internal is 10.0.1.2, managed router at NOC 10.0.1.1.
Remote office 192.168.2.0, Adtran router 192.168.2.1.

As you can see from my config, I have everything in place, but when I do a ping from the outside world I get:
icmp echo request untranslating outside.x.x.x to inside.x.x.x

I've done everything I can think of. Can someone look at the config and tell me if there are any obvious issues?

Thanks in advance
Kyle


: Saved
: Written by enable_15 at 10:44:12.839 EST Mon Dec 20 2010
!
PIX Version 8.0(4)
!
hostname CSIpixG4
domain-name x.local
enable password tCesJLFl4nZG7Vsm encrypted
passwd 891Oy23Vg19EaLeL encrypted
names
name 172.16.100.0 VPNSub
name 192.168.2.22 csinas description csinas
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address x.x.51.18 255.255.255.240
ospf cost 10
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.0.1.2 255.255.255.0
ospf cost 10
!
interface Ethernet2
shutdown
nameif intf3
security-level 15
no ip address
ospf cost 10
!
interface Ethernet3
shutdown
nameif intf4
security-level 20
no ip address
ospf cost 10
!
interface Ethernet4
shutdown
nameif intf5
security-level 25
no ip address
ospf cost 10
!
interface GigabitEthernet0
shutdown
nameif intf2
security-level 10
no ip address
ospf cost 10
!
boot system flash:/image.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.2.13
name-server 192.168.2.20
domain-name csi.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_outbound_nat0_acl extended permit ip any any
access-list inside_outbound_nat0_acl extended permit icmp any any
access-list outside_access_in extended permit icmp any any echo-reply log errors
access-list outside_access_in extended permit ip VPNSub 255.255.255.0 any
access-list outside_access_in extended permit icmp VPNSub 255.255.255.0 any
access-list outside_access_in extended permit tcp any host x.x.51.19 eq ftp log errors
access-list outside_access_in extended permit tcp any host x.x.51.19 eq www log errors
access-list outside_access_in extended permit icmp any any echo log errors
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended permit tcp any any eq ftp
access-list inside_access_in extended permit tcp any any eq nntp
access-list inside_access_in extended permit tcp any any eq smtp
access-list inside_access_in extended permit tcp any any eq telnet
access-list inside_access_in extended permit tcp any any eq ssh
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any echo-reply
access-list inside_access_in extended permit tcp any any eq www
access-list inside_nat0_outbound extended permit ip any VPNSub 255.255.255.0
access-list inside_nat0_outbound extended permit ip any host csinas
access-list inside_nat0_outbound extended permit icmp any host csinas log debugging
access-list G4pixCSIspACL standard permit host 192.168.0.0
access-list G4pixCSIspACL standard permit host 10.0.1.0
access-list DefaultRAGroup_splitTunnelAcl standard permit x.x.51.16 255.255.255.240
access-list 80 extended permit ip any VPNSub 255.255.255.0
access-list 80 extended permit icmp any host csinas
access-list 200 extended permit icmp any any echo-reply
access-list 200 extended permit icmp any any
access-list 200 extended permit tcp any host x.x.51.19 eq ftp
access-list 200 extended permit tcp any any eq ftp
pager lines 24
logging enable
logging console debugging
logging asdm informational
logging class auth console emergencies
mtu outside 1500
mtu inside 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
mtu intf2 1500
ip local pool VPN-IP-POOL 172.16.100.1-172.16.100.50 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image flash:/pdm
asdm location VPNSub 255.255.255.0 inside
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.51.19 csinas netmask 255.255.255.255
static (inside,outside) x.x.51.21 192.168.2.19 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.51.17 1
route inside 192.168.1.0 255.255.255.0 10.0.1.1 1
route inside 192.168.2.0 255.255.255.0 10.0.1.1 1
route inside 192.168.3.0 255.255.255.0 10.0.1.1 1
route inside 192.168.4.0 255.255.255.0 10.0.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
network-acl inside_access_in
network-acl 80
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map cisco 4 set security-association lifetime seconds 28800
crypto dynamic-map cisco 4 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map partner-map 20 set security-association lifetime seconds 28800
crypto map partner-map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 192.0.0.0 255.0.0.0 inside
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 30
ssh timeout 5
ssh version 1
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.2.13
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
group-policy DfltGrpPolicy attributes
dns-server value 192.168.2.13
ip-comp enable
pfs enable
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value G4pixCSIspACL
group-policy G4pixCSIvpn internal
group-policy G4pixCSIvpn attributes
dns-server value 192.168.2.13 192.168.2.20
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value G4pixCSIspACL
default-domain value CSI
username admcna password 2PmyRhKDooobsfLN encrypted
username kbelz password jYb./qhqBZJqLT44 encrypted privilege 0
username kbelz attributes
vpn-group-policy G4pixCSIvpn
tunnel-group DefaultRAGroup general-attributes
address-pool VPN-IP-POOL
authorization-server-group LOCAL
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key cisco123
radius-sdi-xauth
tunnel-group G4pixCSIvpn type remote-access
tunnel-group G4pixCSIvpn general-attributes
address-pool VPN-IP-POOL
tunnel-group G4pixCSIvpn ipsec-attributes
pre-shared-key Ye3ll65$z
!
class-map inspection_default1
match default-inspection-traffic
class-map inspection_default
!
!
policy-map global_policy
class inspection_default1
inspect icmp error
inspect icmp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9a05ab798024d417c51a8a4e5a95be66
: end

2k05gt 12-21-2010 06:58 PM

1 Attachment(s)
Review the attached files; you have some errors in the config.
I separated the ACLs into an Excel CSV file; this will give you a better look at what's going on.

I will look it over more to see if I can spot something

kylebelz 12-21-2010 07:01 PM

Thanks for your reply

It ended up being what I had a feeling it was. My telco had the wrong default route in at the sites I was trying to NAT to.

Now that that is working, I am working on getting the VPN clients to work. They can connect, but no traffic passes. I'm looking at my ACLs again.

Thanks

Kyle
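
Added example, not code from the thread or from Cisco: a small Python script that reads the lines of the posted config that matter for the two questions raised above and checks them the way you would by hand. For the original problem it resolves each static's real address (csinas is a name alias for 192.168.2.22), looks up the route the PIX would use for that address and confirms it leaves the same interface the static names (inside, next hop 10.0.1.1). That is why the PIX side looked correct and the fault turned out to be the default route at the remote site, beyond that next hop. For the follow-up (VPN clients connect but pass no traffic) it flags two things that are visible in the config as posted: inside_nat0_outbound is defined but never bound with a `nat (inside) 0 access-list ...` statement, so with nat-control and `nat (inside) 1 0.0.0.0 0.0.0.0` the inside hosts' replies to 172.16.100.x fall under the interface PAT rule instead of going back into the tunnel untranslated, and the split-tunnel list G4pixCSIspACL uses `host 192.168.0.0` and `host 10.0.1.0`, which match single addresses and do not include the 192.168.2.0 server subnet. The thread does not say whether those were the actual cause. The config sample is an extract of the posted config with its masked x.x.51.x addresses left as they are; the outside interface block is left out because its masked address cannot be parsed. Finding labels and function names are my own.

```python
import ipaddress

# Lines copied from the config posted in the thread (extract only; masked x.x.51.x
# addresses are kept verbatim and are never parsed as addresses).
PIX_CONFIG = """\
name 172.16.100.0 VPNSub
name 192.168.2.22 csinas description csinas
interface Ethernet1
 nameif inside
 ip address 10.0.1.2 255.255.255.0
access-list inside_nat0_outbound extended permit ip any VPNSub 255.255.255.0
access-list G4pixCSIspACL standard permit host 192.168.0.0
access-list G4pixCSIspACL standard permit host 10.0.1.0
ip local pool VPN-IP-POOL 172.16.100.1-172.16.100.50 mask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.51.19 csinas netmask 255.255.255.255
static (inside,outside) x.x.51.21 192.168.2.19 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 x.x.51.17 1
route inside 192.168.2.0 255.255.255.0 10.0.1.1 1
split-tunnel-network-list value G4pixCSIspACL
"""


def parse_pix(config):
    """Names, connected subnets, routes, statics (aliases resolved), nat-0 bindings, ACLs, pools, split lists."""
    cfg = dict(names={}, connected=[], routes=[], statics=[], nat0={}, acls={}, pools=[], split_tunnel=set())
    iface = None
    for t in filter(None, map(str.split, config.splitlines())):
        if t[0] == "name":
            cfg["names"][t[2]] = t[1]
        elif t[0] == "nameif":
            iface = t[1]
        elif t[:2] == ["ip", "address"] and iface:
            cfg["connected"].append((iface, ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)))
        elif t[0] == "route":
            cfg["routes"].append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), t[4]))
        elif t[0] == "static":  # static (real_if,mapped_if) mapped real ...; real may be a 'name' alias
            real_if, mapped_if = t[1].strip("()").split(",")
            cfg["statics"].append((real_if, mapped_if, t[2], cfg["names"].get(t[3], t[3])))
        elif t[0] == "nat" and len(t) > 4 and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"][t[1].strip("()")] = t[4]
        elif t[0] == "access-list":
            cfg["acls"].setdefault(t[1], []).append(t[2:])
        elif t[:3] == ["ip", "local", "pool"]:
            cfg["pools"].append((t[3], ipaddress.ip_address(t[4].split("-")[0])))
        elif t[0] == "split-tunnel-network-list":
            cfg["split_tunnel"].add(t[2])
    return cfg


def egress_for(cfg, ip_str):
    """Longest-prefix match over connected subnets and routes: (interface, next hop) or None."""
    ip = ipaddress.ip_address(ip_str)
    cands = [(n.prefixlen, ifc, "connected") for ifc, n in cfg["connected"] if ip in n]
    cands += [(n.prefixlen, ifc, gw) for ifc, n, gw in cfg["routes"] if ip in n]
    return max(cands)[1:] if cands else None


def acl_networks(entries, names):
    """Network terms of an ACL ('host X' or 'X MASK', aliases resolved); direction is ignored."""
    nets = []
    for e in entries:
        toks = [names.get(x, x) for x in e]
        for i in range(len(toks) - 1):
            try:
                spec = toks[i + 1] if toks[i] == "host" else f"{toks[i]}/{toks[i + 1]}"
                nets.append(ipaddress.ip_network(spec, strict=False))
            except ValueError:
                continue  # keyword pair such as 'permit ip', not a network
    return nets


def check_statics(cfg):
    """The real host of each static must route out the interface the static names."""
    out = []
    for real_if, _mapped_if, mapped, real in cfg["statics"]:
        hop = egress_for(cfg, real)
        status = "no-route" if hop is None else "ok" if hop[0] == real_if else "wrong-interface"
        out.append((mapped, real, status, hop))
    return out


def check_vpn(cfg):
    """Connected-but-no-traffic suspects: pool not exempted from 'nat (inside) 1', split list wrong."""
    out, names = [], cfg["names"]
    exempt = [n for a in cfg["nat0"].values() for n in acl_networks(cfg["acls"].get(a, []), names)]
    for pool, lo in cfg["pools"]:  # with nat-control, inside replies to the pool get PATed without this
        if not any(lo in n for n in exempt):
            out.append(("nat0-missing", pool))
    for acl_name in sorted(cfg["split_tunnel"]):
        entries = cfg["acls"].get(acl_name, [])
        for e in entries:  # 'host 192.168.0.0' matches one address; a network was almost certainly meant
            if "host" in e and e[e.index("host") + 1].endswith(".0"):
                out.append(("split-host-looks-like-network", acl_name, e[e.index("host") + 1]))
        nets = acl_networks(entries, names)
        for _ri, _mi, _mapped, real in cfg["statics"]:  # servers the statics point at must be in the list
            if not any(ipaddress.ip_address(real) in n for n in nets):
                out.append(("split-tunnel-omits", acl_name, real))
    return out


if __name__ == "__main__":
    cfg = parse_pix(PIX_CONFIG)
    print(*check_statics(cfg) + check_vpn(cfg), sep="\n")
```

Run as-is it reports both statics as "ok" on the PIX (real host reachable via inside, next hop 10.0.1.1) and five VPN findings: the missing nat-0 exemption for VPN-IP-POOL, the two "host" entries in G4pixCSIspACL that look like networks, and the two server addresses the split list omits. Unrelated to the NAT problem but worth changing before this box carries production traffic: the posted config has ssh version 1, snmp-server community public, telnet permitted from inside, and pre-shared-key cisco123 on DefaultRAGroup.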

