Nat/Pat-problem with pix 501

 
 
Martin Edwards
      07-22-2004
Hi

I have a pix 501 with an outside interface x.x.x.69 and an inside
x.x.x.113, and the gateway out is x.x.x.65

The route has been set up with the following statements

route inside x.x.x.112 255.255.255.248 x.x.x.113
route outside x.x.x.64 255.255.255.248 x.x.x.69
route outside 0.0.0.0 0.0.0.0 x.x.x.65

I have set the global to use the interface

global (outside) 1 interface

and the nat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

The problem is that I can't connect to any outside addresses from the
inside network. I can however ping both the inside and the outside
networks from the pix itself.

Please help

/Martin
 
paul blitz
      07-22-2004
You need to define the IP address range to use... here's ours:

global (outside) 1 194.xxx.xxx.101-194.216.203.120
global (outside) 1 194.xxx.xxx.121

The first sets up 20 NAT addresses, the second sets up a PAT address for
when the NAT pool runs out.

The "1" is the "nat id", and is the same as the "1" in your "nat (inside) 1
0.0.0.0 0.0.0.0 0 0" (which basically says to apply NAT to ANY address
coming in on the "inside" interface), and is the thing that hooks the two
together.

Does that help?


Paul Blitz
 
PES
      07-22-2004
Your nat configuration is correct. I would remove the second route
statement. I don't know what the first route statement is for. The next
hop ip is in the ip range, so I think this is also useless. Also, be aware
that you can probably not send pings through the pix by default (the echo
replies usually won't come back through) and check any outbound acl's.
 
Martin Edwards
      07-22-2004
Hi, thanks for the quick reply - I tried changing the global to use
another ip than the interface, with no luck. The second route entry is
the one that the pix has made itself to be able to connect to the network
that the pix itself is connected to. I have made a test webserver on the
outside net with an ip x.x.x.66 and I can't connect to this, not with
telnet or i-explorer. The x.x.x.y network is 130.225.90.y if this makes
any difference.

/Martin
 
mcaissie
      07-22-2004
>> I have a pix 501 with an outside interface x.x.x.69 and a inside
>> x.x.x.113, and the gateway out is x.x.x.65 The x.x.x.y network is

130.225.90.y

What netmask are you using? Looks like your inside and outside are part of
the same subnet.

Remove the 2 first route statements, they make no sense and they may cause
the problem

Try pinging the gateway from the outside
ping outside x.x.x.65

Try pinging a valid address on the internet (which answers to ping)
ping outside 164.109.59.132
 
Walter Roberson
      07-22-2004
In article <Xns952E7997D2596whome@82.211.192.157>,
Martin Edwards <(E-Mail Removed)> wrote:
:I have a pix 501 with an outside interface x.x.x.69 and an inside
:x.x.x.113, and the gateway out is x.x.x.65

:The route has been set up with the following statements

: route inside x.x.x.112 255.255.255.248 x.x.x.113
: route outside x.x.x.64 255.255.255.248 x.x.x.69
: route outside 0.0.0.0 0.0.0.0 x.x.x.65

Those look fine so far. Ignore the people saying that they might be on
the same subnet -- .112 +/- 8 addresses is never going to be in the
same subnet as .64 +/- 8


:I have set the global to use the interface
: global (outside) 1 interface
:and the nat
: nat (inside) 1 0.0.0.0 0.0.0.0 0 0

That looks fine too.


:The problem is that I can't connect to any outside addresses from the
:inside network. I can however ping both the inside and the outside
:networks from the pix itself.

x.x.x.112 255.255.255.248 is not the factory default inside address, so
you have changed something about the configuration. Given your symptoms
it seems most likely that you have an access-list that you have applied
to the inside interface using the command
access-group XXX in interface inside
That access list XXX would control what you would be allowed to send
to the outside, and anything not listed as permitted would be denied.

If you do not have an access-group applied to the inside at all, I
would suggest commanding clear xlate from configuration mode.
--
csh is bad drugs.
 
mcaissie
      07-22-2004

"Walter Roberson" <(E-Mail Removed)-cnrc.gc.ca> wrote in message
news:cdon2i$2v0$(E-Mail Removed)...
> In article <Xns952E7997D2596whome@82.211.192.157>,
> Martin Edwards <(E-Mail Removed)> wrote:
> :I have a pix 501 with an outside interface x.x.x.69 and a inside
> .x.x.113, and the gateway out is x.x.x.65
>
> :The route has been set up with the following statements
>
> : route inside x.x.x.112 255.255.255.248 x.x.x.113
> : route outside x.x.x.64 255.255.255.248 x.x.x.69
> : route outside 0.0.0.0 0.0.0.0 x.x.x.65
>
> Those look fine so far. Ignore the people saying that they might be on
> the same subnet -- .112 +/- 8 addresses is never going to be in the
> same subnet as .64 +/- 8


Walter,
Since x.x.x.113 is the inside interface address, can you explain to me
the reason for the PIX to route a subnet to itself?
Same thing for the second statement, x.x.x.69 is the IP of the outside
interface.

Michel
 
Walter Roberson
      07-22-2004
In article <zZSLc.107974$eO.41052@edtnps89>,
mcaissie <(E-Mail Removed)> wrote:
|"Walter Roberson" <(E-Mail Removed)-cnrc.gc.ca> wrote in message
|news:cdon2i$2v0$(E-Mail Removed)...
|> In article <Xns952E7997D2596whome@82.211.192.157>,
|> Martin Edwards <(E-Mail Removed)> wrote:
|> : route inside x.x.x.112 255.255.255.248 x.x.x.113
|> : route outside x.x.x.64 255.255.255.248 x.x.x.69
|> : route outside 0.0.0.0 0.0.0.0 x.x.x.65

|> Those look fine so far. Ignore the people saying that they might be on
|> the same subnet -- .112 +/- 8 addresses is never going to be in the
|> same subnet as .64 +/- 8


|Since x.x.x.113 is the inside interface address, can you explain to me
|the reason for the PIX to route a subnet to itself?
|Same thing for the second statement, x.x.x.69 is the IP of the outside
|interface.

It's automatic. Those are routes that would show up as 'CONNECT static'
via "show route". It's just saying that hosts in x.x.x.112/29 are expected
to be directly reachable from the pix inside interface without any
further routing. If you needed further routing to get to hosts in that
subnet, then pretty much by definition, those hosts would not be in
the same subnet after all.
--
"I want to make sure [a user] can't get through ... an online
experience without hitting a Microsoft ad"
-- Steve Ballmer [Microsoft Chief Executive]
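
The checks raised across this thread, as an added example that is not part of any poster's message: a small Python audit of PIX 6.x-style lines that flags routes which only restate a connected subnet, tests whether the interface subnets overlap, pairs each nat id with a global of the same id, and lists interfaces that have an access-group bound. The two "ip address" lines, their /29 masks and the helper name audit are assumptions; x.x.x is written as 130.225.90 as the original poster stated.

```python
import ipaddress
from itertools import combinations

# Constructed sample: the thread's statements with x.x.x written as 130.225.90.
# The two "ip address" lines and their /29 masks are assumed, not from the thread.
CONFIG = """\
ip address outside 130.225.90.69 255.255.255.248
ip address inside 130.225.90.113 255.255.255.248
route inside 130.225.90.112 255.255.255.248 130.225.90.113
route outside 130.225.90.64 255.255.255.248 130.225.90.69
route outside 0.0.0.0 0.0.0.0 130.225.90.65
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

def audit(config):
    """Return findings for the checks discussed in the thread (hypothetical helper)."""
    ifaces, routes, nat_ids, global_ids, acl_ifaces = {}, [], set(), set(), set()
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["ip", "address"] and len(w) >= 5:
            ifaces[w[2]] = ipaddress.ip_interface(f"{w[3]}/{w[4]}")
        elif w[:1] == ["route"] and len(w) >= 5:
            net = ipaddress.ip_network(f"{w[2]}/{w[3]}")
            routes.append((w[1], net, ipaddress.ip_address(w[4])))
        elif w[:1] == ["nat"] and len(w) >= 3:
            nat_ids.add(w[2])
        elif w[:1] == ["global"] and len(w) >= 3:
            global_ids.add(w[2])
        elif w[:1] == ["access-group"] and w[2:4] == ["in", "interface"] and len(w) >= 5:
            acl_ifaces.add(w[4])
    return {
        # Route to the interface's own subnet via its own address: a connected
        # route, which adds nothing beyond what the interface address implies.
        "connected_routes": [str(net) for name, net, gw in routes
                             if name in ifaces and net == ifaces[name].network
                             and gw == ifaces[name].ip],
        # Interface pairs whose subnets overlap (the netmask question in the thread).
        "overlapping_interfaces": [(a, b) for a, b in combinations(sorted(ifaces), 2)
                                   if ifaces[a].network.overlaps(ifaces[b].network)],
        # nat ids with no global of the same id (id 0 means no translation).
        "nat_ids_without_global": sorted(nat_ids - global_ids - {"0"}),
        # Interfaces with an inbound access-group; traffic not permitted is denied.
        "acl_bound_interfaces": sorted(acl_ifaces),
    }

if __name__ == "__main__":
    for check, result in audit(CONFIG).items():
        print(f"{check}: {result}")
```

On the sample, both /29 routes come back as connected routes and the other three lists are empty, so the posted statements alone do not explain the failure; an access-group on the inside interface would appear under acl_bound_interfaces.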
 