PIX 506E PDM 3.0(1) PIX 6.3(3) NAT/PAT (Part 3)

 
 
James
      08-23-2006
>The public ip zyxel WAN is natted on the zyxel LAN, and there is DMZ host
>entered to forward all ports to the WAN of the PIX.. This is what you mean
>right...?


I don't know the Zyxel device at all; however, if it was a Cisco device I
would NAT the Public IP to the PIX's Outside Interface IP.

 
Michiel
      08-23-2006
Yes, I understand you, that is what I have done... so you are sure that the
PIX is configured correctly...? Because then I really have to get into a hard
discussion with Valadis/Zyxel Netherlands, because of the DMZ (NAT) function
not working well in combination with a PIX... because the strange thing
here is that when I have a cable router in the network instead of the PIX
then it is working fine... so my logic was that it is the PIX that is not
functioning well.

I will post again when I have more info... which will probably be later in the
day...

Thanks for your time!

Sincerely,
Michiel

James
      08-23-2006
Can you connect a hub or switch between the Zyxel and PIX and use
Ethereal or similar to see if traffic is even arriving at the PIX? If
you use a switch remember that you will have to use the Span / Port
Mirror feature.

Alternatively, the PIX has some sort of packet capture feature which
can be used:-

http://www.cisco.com/en/US/products/...html#wp1038055

I haven't tried it though.

Also enable logging to the PIX's internal buffer; you may get a message
indicating the problem.

James

SAto
      08-23-2006

Michiel wrote:
> I am not sure about this...
>
> I don't understand the part
>
> > To do what you need to do create a translation on your Modem to another
> > IP - you can't use the PIX's outside interface address for this.


You could change the network between the PIX and the Zyxel to be a /29
network instead of a /30; that way you could static NAT a new IP address
for the server, instead of PAT'ing the PIX outside address. That way
the only thing you'd have to worry about would be the access rules working,
and not the PAT'ing.

-SAto

 
Michiel
      08-23-2006
Ok! Thanks!

I just called Zyxel, and they have another option, which is to not use the DMZ
but simply forward the port range of 1 to 65535. So I will try that first...
then I will try your option of using a packet sniffer to see if indeed the
data is getting to the PIX...

Thanks!...

Sincerely,
Michiel

Michiel
      08-23-2006
I forgot to mention something very important about the situation...

I said that no traffic is coming through NAT to the server... only 1 thing
is working well: VPN... VPN is no problem... I forgot this because another
server was already connected through VPN without me testing it, because the
other things like WEB, SMTP etc. were not working...

That is also the reason why I still have the feeling the problem should be
in the PIX...

Does anyone know a logical explanation for this...? ...

Sincerely,
Michiel

James
      08-23-2006
Strange....

Have you turned on the PIX's logging? If so, do a show log and paste
the results here.

Try "clear xlate" and see if that helps at all. Cisco recommend that
you do a clear xlate after every change to the PIX config.

Failing that, if you let me know the Public IP I can run some tests from
here.

James

Michiel
      08-23-2006
Ok, right now I am not able to change cables physically, so later in the day I
could change things... I am able to connect to turn on the logging.

Which logging should I enable...? Because I am mostly configuring it from
PDM... which seems to be very simple and straightforward... though some things I
change through the console...

Sincerely,
Michiel

James
      08-23-2006
logging on
logging timestamp
logging buffered notifications

should do it. If it is a translation problem then the PIX should log
it.



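Added example (not part of the thread and not any poster's code): with the buffer logging from the post above enabled, pasted "show log" output can be triaged per published port to separate "the PIX dropped it" from "nothing was logged for that port". The sample lines, addresses and the choice of message IDs 305005, 106023 and 106001 are assumptions made for this example.

```python
import re
from collections import defaultdict

# PIX syslog IDs treated here as "the PIX itself dropped it". All are
# severity 5 or lower, so "logging buffered notifications" records them.
# (Set chosen for this example; extend as needed.)
DROP_IDS = {
    "305005": "no translation group found (missing static/NAT or stale xlate)",
    "106023": "denied by access-list",
    "106001": "inbound TCP connection denied",
}

MSG = re.compile(r"%PIX-\d-(?P<id>\d{6}):\s*(?P<text>.*)")
# Destination appears as "dst inside:192.0.2.10/80" or "to 192.0.2.10/80".
DST = re.compile(
    r"(?:\bdst\s+\S+?:|\bto\s+)(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<port>\d+)"
)

# Constructed sample of "show log" output (documentation address ranges).
SAMPLE = """\
Aug 23 2006 14:02:11: %PIX-3-305005: No translation group found for tcp src outside:198.51.100.7/40211 dst inside:192.0.2.10/80
Aug 23 2006 14:02:15: %PIX-4-106023: Deny tcp src outside:198.51.100.7/40212 dst inside:192.0.2.10/25 by access-group "outside_access_in"
Aug 23 2006 14:02:19: %PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/40213 to 192.0.2.10/3389 flags SYN on interface outside
Aug 23 2006 14:03:02: %PIX-5-111008: User 'enable_15' executed the 'clear xlate' command.
"""


def triage(show_log, ports):
    """Return {port: sorted drop message IDs logged for that destination port}."""
    seen = defaultdict(set)
    for line in show_log.splitlines():
        m = MSG.search(line)
        if not m or m["id"] not in DROP_IDS:
            continue  # not a drop message we track (e.g. 111008 config audit)
        d = DST.search(m["text"])
        if d:
            seen[int(d["port"])].add(m["id"])
    return {port: sorted(seen.get(port, ())) for port in ports}


def explain(report):
    """Turn the triage result into one human-readable line per port."""
    lines = []
    for port, ids in report.items():
        if ids:
            why = "; ".join(f"{i} {DROP_IDS[i]}" for i in ids)
            lines.append(f"port {port}: dropped by PIX ({why})")
        else:
            # At 'notifications' level permitted connections are not logged,
            # so silence means "passed" or "never arrived at the PIX".
            lines.append(
                f"port {port}: no drop logged; passed or never arrived, "
                "confirm with a sniffer/capture on the outside segment"
            )
    return lines


if __name__ == "__main__":
    for line in explain(triage(SAMPLE, [80, 25, 443])):
        print(line)
```

A port with no drop entry is the case that points upstream of the PIX, which is where a sniffer between the two devices settles the question.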
 
Michiel
      08-24-2006
Hello James and everyone...

I finally managed to get the PIX to work with the Zyxel... the problem was
in the Zyxel, somehow with some answering IPs it is not forwarding the
ports but stealths them...

I am glad that the Zyxel will be replaced by a Cisco 876... ...

Thanks and many thanks for all the good input!

Michiel