Problem with NAT and Cisco PIX

 
 
Tony
      12-05-2003
I can't seem to be able to get NAT to work with the config below.

Can someone please help?

-----------------------

: Saved
:
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
domain-name xxxxxxxxxx
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip any any
access-list 101 permit icmp any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside dhcp setroute
ip address inside 10.10.10.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
access-group 101 in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 10.10.10.2-10.10.10.10 inside
dhcpd dns xxxxxxxxxxxxxxxxxxx
dhcpd wins xxxxxxxxxxxxxxxxxxx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain xxxxxxxxxxxxxxxxxxxx
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:9e4b492cd9834ae682ac76f0d05367d0
: end

Walter Roberson
      12-05-2003
In article <bqr3e2$3qq$(E-Mail Removed)>,
Tony <(E-Mail Removed)> wrote:
:I can't seem to be able to get NAT to work with the config below.

What symptoms are you encountering?

;PIX Version 6.2(1)

:access-list 101 permit ip any any
:access-list 101 permit icmp any any

icmp is a subset of ip, so you do not need both.

:access-list 100 permit icmp any any echo-reply
:access-list 100 permit icmp any any time-exceeded
:access-list 100 permit icmp any any unreachable

You are not using access-list 100.

:ip address outside dhcp setroute
:ip address inside 10.10.10.1 255.255.255.0

:global (outside) 1 interface
:nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Those should be okay.

:access-group 101 in interface outside
:access-group 101 in interface inside

You can run into subtle problems with using the same access list for
two purposes.

You probably do not want to permit ip any any to the inside.
Perhaps you wanted access-group 100 in interface outside.

:icmp permit any outside
:icmp permit any inside

It can be dangerous (in a security sense) to allow your PIX to respond
to arbitrary icmp packets from the 'net.


I do not see any problems with your NAT, unless perhaps using the same
access-list number is a problem. What do you see that is not working?
--
When your posts are all alone / and a user's on the phone/
there's one place to check -- / Upstream!
When you're in a hurry / and propagation is a worry/
there's a place you can post -- / Upstream!
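A small check that codifies the points raised above, added here as an example and not part of the thread: it lints the posted config excerpt for an ACL that is defined but never applied, one ACL bound to two interfaces, a permit ip any any inbound on outside, ACEs shadowed by an earlier permit ip any any, and the PIX itself answering any ICMP on outside. The config excerpt is copied from the post; the function name and the finding wording are mine.

```python
import re
from collections import defaultdict

# Excerpt of the posted PIX 6.2(1) config, limited to the lines the review discusses.
PIX_CONFIG = """\
access-list 101 permit ip any any
access-list 101 permit icmp any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
icmp permit any outside
icmp permit any inside
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
access-group 101 in interface inside
"""

def lint_pix(config: str) -> list[str]:
    """Return human-readable findings for a PIX 6.x config (hypothetical helper)."""
    acls = defaultdict(list)       # ACL id -> ACEs in order
    bindings = defaultdict(list)   # ACL id -> interfaces it is applied to
    icmp_open = []                 # interfaces where the PIX answers any ICMP
    for line in config.splitlines():
        if m := re.match(r"access-list (\S+) (.+)$", line):
            acls[m[1]].append(m[2])
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            bindings[m[1]].append(m[2])
        elif m := re.match(r"icmp permit any (\S+)$", line):
            icmp_open.append(m[1])
    findings = []
    for acl, aces in acls.items():
        if acl not in bindings:
            findings.append(f"access-list {acl} is defined but never applied")
        if "permit ip any any" in aces:
            # Every ACE after a permit ip any any can never match.
            for ace in aces[aces.index("permit ip any any") + 1:]:
                findings.append(f"access-list {acl}: '{ace}' is shadowed by 'permit ip any any'")
    for acl, ifaces in bindings.items():
        if len(ifaces) > 1:
            findings.append(f"access-list {acl} is applied to {len(ifaces)} interfaces: {', '.join(ifaces)}")
        if "outside" in ifaces and "permit ip any any" in acls.get(acl, []):
            findings.append(f"access-list {acl} permits ip any any inbound on outside")
    if "outside" in icmp_open:
        findings.append("icmp permit any outside lets the PIX answer any ICMP from the Internet")
    return findings

if __name__ == "__main__":
    for finding in lint_pix(PIX_CONFIG):
        print(finding)
```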
Tony
      12-05-2003
My internal host 10.10.10.2 cannot get out to the net.

It can ping the internal interface 10.10.10.1 though.


"Walter Roberson" <(E-Mail Removed)-cnrc.gc.ca> wrote in message
news:bqr58s$qka$(E-Mail Removed)...
> In article <bqr3e2$3qq$(E-Mail Removed)>,
> Tony <(E-Mail Removed)> wrote:
> :I can't seem to be able to get NAT to work with the config below.
>
> What symptoms are you encountering?
>
> ;PIX Version 6.2(1)
>
> :access-list 101 permit ip any any
> :access-list 101 permit icmp any any
>
> icmp is a subset of ip, so you do not need both.
>
> :access-list 100 permit icmp any any echo-reply
> :access-list 100 permit icmp any any time-exceeded
> :access-list 100 permit icmp any any unreachable
>
> You are not using access-list 100
>
> :ip address outside dhcp setroute
> :ip address inside 10.10.10.1 255.255.255.0
>
> :global (outside) 1 interface
> :nat (inside) 1 0.0.0.0 0.0.0.0 0 0
>
> Those should be okay.
>
> :access-group 101 in interface outside
> :access-group 101 in interface inside
>
> You can run into subtle problems with using the same access list for
> two purposes.
>
> You probably do not want to permit ip any any to the inside.
> Perhaps you wanted access-group 100 in interface outside
>
> :icmp permit any outside
> :icmp permit any inside
>
> It can be dangerous (in a security sense) to allow your PIX to respond
> to arbitrary icmp packets from the 'net.
>
>
> I do not see any problems with your NAT, unless perhaps using the same
> access-list number is a problem. What do you see that is not working?
> --
> When your posts are all alone / and a user's on the phone/
> there's one place to check -- / Upstream!
> When you're in a hurry / and propagation is a worry/
> there's a place you can post -- / Upstream!
Chris
      12-07-2003

"Tony" <(E-Mail Removed)> wrote in message
news:bqr5g3$63v$(E-Mail Removed)...
> My internal host 10.10.10.2 cannot get out to the net
>
> it can ping the internal interface 10.10.10.1 though
>


Does this host have a default gateway set?

Chris.
JOE CAMPOS
      12-08-2003
Scenario:
We have 13 floors in our building. All the floors come down into the same switch via gig links. Each floor is an individual subnet VLAN. That switch then communicates to other server farm switches via a gig uplink. The problem we want to remedy is how to keep workstations that are infected with Blaster or future variants from "blasting" each other from floor to floor. By this I mean, if we have infected machines on the 5th floor then they will bombard clients on the other floors. What is the best way to contain this situation? Should I use the IDSM-2 to shun these attacks via dynamic VACLs, or should I use NBAR for this situation, or even just private VLANs? Of course private VLANs will only help on each respective VLAN subnet. Also, if I use NBAR (IDSM-2 too?) will it block all good traffic as well? I know with NBAR I can have it drop traffic altogether, which is the ultimate goal. I have read the following SAFE document and it is very good, but it still leaves many questions unanswered. There is an NBAR sample config there as well.
http://www.cisco.com/en/US/netsol/ns...orking_solutions_white_paper09186a00801b2391.shtml