Hello,
I need help on this.
I've got a PIX 525 for testing. One of the interfaces leads to the
Internet, all the others are from the private IP space.
From a host located behind "internal1", I try to ping the IP of
www.openbsd.org and it does not get through. The access list applied
on the interfaces is permit icmp any any.
Can anybody tell me why show xlate does not show the private IP being
NATed to the external IP of the firewall?
How do I make sure all the private networks I have will be hide-NATed
using the IP address of the external interface?
Thank you very much,
/alain
pix(config)# sh nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (internal1) 1 0.0.0.0 0.0.0.0 0 0
nat (internal3) 1 0.0.0.0 0.0.0.0 0 0
nat (internal2) 1 0.0.0.0 0.0.0.0 0 0
pix(config)# sh global
global (external) 1 interface
pix(config)# sh static
static (inside,internal1) 192.168.11.0 192.168.11.0 netmask 255.255.255.192 0 0
static (inside,internal2) 192.168.11.0 192.168.11.0 netmask 255.255.255.192 0 0
static (inside,internal3) 192.168.11.0 192.168.11.0 netmask 255.255.255.192 0 0
static (inside,external) 192.168.11.0 192.168.11.0 netmask 255.255.255.192 0 0
static (internal3,internal2) 192.168.11.96 192.168.11.96 netmask 255.255.255.192 0 0
static (internal3,internal1) 192.168.11.96 192.168.11.96 netmask 255.255.255.192 0 0
static (internal3,external) 192.168.11.96 192.168.11.96 netmask 255.255.255.192 0 0
static (internal1,internal2) 192.168.11.32 192.168.11.32 netmask 255.255.255.192 0 0
static (internal2,external) 192.168.11.128 192.168.11.128 netmask 255.255.255.192 0 0
static (internal1,external) 192.168.11.32 192.168.11.32 netmask 255.255.255.192 0 0
pix(config)# sh int
interface gb-ethernet0 "external" is up, line protocol is up
Hardware is i82543 rev02 gigabit ethernet, address is 000e.0c5f.8339
IP address 112.98.128.39, subnet mask 255.255.255.240
MTU 1500 bytes, BW 1 Gbit full duplex
20856 packets input, 1339710 bytes, 0 no buffer
Received 7613 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 1 frame, 0 overrun, 0 ignored, 0 abort
16490 packets output, 1297670 bytes, 0 underruns
input queue (curr/max blocks): hardware (0/2) software (0/0)
output queue (curr/max blocks): hardware (0/2) software (0/0)
interface gb-ethernet1 "inside" is up, line protocol is up
Hardware is i82543 rev02 gigabit ethernet, address is 000e.0c5f.8338
IP address 192.168.11.30, subnet mask 255.255.255.192
MTU 1500 bytes, BW 1 Gbit full duplex
15410 packets input, 993222 bytes, 0 no buffer
Received 3169 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 1 frame, 0 overrun, 0 ignored, 0 abort
12263 packets output, 787918 bytes, 0 underruns
input queue (curr/max blocks): hardware (0/3) software (0/0)
output queue (curr/max blocks): hardware (0/2) software (0/0)
interface gb-ethernet2 "internal1" is up, line protocol is up
Hardware is i82543 rev02 gigabit ethernet, address is 000e.0c5f.835f
IP address 192.168.11.62, subnet mask 255.255.255.192
MTU 1500 bytes, BW 1 Gbit full duplex
208838 packets input, 13843553 bytes, 0 no buffer
Received 1323 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 1 frame, 0 overrun, 0 ignored, 0 abort
189352 packets output, 12119786 bytes, 0 underruns
input queue (curr/max blocks): hardware (0/5) software (0/0)
output queue (curr/max blocks): hardware (0/2) software (0/0)
interface gb-ethernet3 "sync" is up, line protocol is up
Hardware is i82543 rev02 gigabit ethernet, address is 000e.0c5f.72fb
IP address 192.168.11.253, subnet mask 255.255.255.252
MTU 1500 bytes, BW 1 Gbit full duplex
35600 packets input, 3815082 bytes, 0 no buffer
Received 3 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 1 frame, 0 overrun, 0 ignored, 0 abort
35628 packets output, 3827128 bytes, 0 underruns
input queue (curr/max blocks): hardware (0/2) software (0/0)
output queue (curr/max blocks): hardware (0/2) software (0/0)
interface ethernet0 "internal3" is up, line protocol is up
Hardware is i82559 ethernet, address is 000e.0c5f.cee8
IP address 192.168.11.126, subnet mask 255.255.255.192
MTU 1500 bytes, BW 100000 Kbit full duplex
11704 packets input, 732992 bytes, 0 no buffer
Received 1 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
11718 packets output, 733732 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/12 software (0/2)
output queue (curr/max blocks): hardware (0/9) software (0/1)
interface ethernet1 "internal2" is up, line protocol is up
Hardware is i82559 ethernet, address is 000e.0c5f.cdd1
IP address 192.168.11.158, subnet mask 255.255.255.192
MTU 1500 bytes, BW 100000 Kbit full duplex
26370 packets input, 1925520 bytes, 0 no buffer
Received 577 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
13152 packets output, 820000 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/12 software (0/2)
output queue (curr/max blocks): hardware (0/9) software (0/1)
pix(config)#
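
An added example, not part of the original post: a small Python check that reads nat, global and static lines like the ones above and reports which translation rule a flow from one interface to another would hit. It relies on the PIX evaluating a matching static before a nat/global pair; the function names are hypothetical and the sample is the post's own lines for internal1.

```python
import ipaddress
import re

# Sample input: nat/global/static lines copied from the post (internal1 subset).
CONFIG = """\
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (internal1) 1 0.0.0.0 0.0.0.0 0 0
global (external) 1 interface
static (inside,external) 192.168.11.0 192.168.11.0 netmask 255.255.255.192 0 0
static (internal1,internal2) 192.168.11.32 192.168.11.32 netmask 255.255.255.192 0 0
static (internal1,external) 192.168.11.32 192.168.11.32 netmask 255.255.255.192 0 0
"""

# static (real_if,mapped_if) mapped_ip real_ip netmask mask
STATIC = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
NAT = re.compile(r"nat \((\w+)\) (\d+) (\S+) (\S+)")
GLOBAL = re.compile(r"global \((\w+)\) (\d+) (\S+)")

def parse(config):
    """Split the config into static rules, nat rules and global pools."""
    statics, nats, pools = [], [], {}
    for line in config.splitlines():
        if m := STATIC.match(line):
            real_if, mapped_if, mapped, real, mask = m.groups()
            # strict=False: the post's 192.168.11.32 is not aligned to its
            # mask; normalizing it is an assumption of this sketch.
            net = ipaddress.ip_network(f"{real}/{mask}", strict=False)
            statics.append((real_if, mapped_if, net, mapped == real))
        elif m := NAT.match(line):
            ifc, nat_id, addr, mask = m.groups()
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            nats.append((ifc, nat_id, net))
        elif m := GLOBAL.match(line):
            pools[(m.group(1), m.group(2))] = m.group(3)
    return statics, nats, pools

def translation_for(config, src_if, src_ip, out_if):
    """Return (rule_type, detail) for a flow; statics are checked first."""
    statics, nats, pools = parse(config)
    ip = ipaddress.ip_address(src_ip)
    for real_if, mapped_if, net, identity in statics:
        if (real_if, mapped_if) == (src_if, out_if) and ip in net:
            return ("static-identity" if identity else "static", str(net))
    for ifc, nat_id, net in nats:
        if ifc == src_if and ip in net and (out_if, nat_id) in pools:
            return ("dynamic", pools[(out_if, nat_id)])
    return ("none", "")
```

A "static-identity" result toward the external interface means the source leaves with its private address unchanged, so the nat/global PAT rule with the same interface pair is never reached for that host.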