Cannot ping, http, telnet nada to inside static nat'd addresses

Discussion in 'Cisco' started by rnorred, Apr 18, 2005.

  1. rnorred

    rnorred Guest

    First time setup of PIX flavor. Have corp and two remotes using VPN.
    Everything is working great except from my inside network 172.17.2.X I
    cannot access any of my inside static nat'd address like I used to with
    the IOS 'ip nat inside source static' cmd.

    When trying to ping I see this:

    <166>Apr 18 2005 16:09:05 172.17.2.1 : %PIX-6-609001: Built local-host
    inside:172.17.2.210

    <166>Apr 18 2005 16:09:05 172.17.2.1 : %PIX-6-305011: Built dynamic
    ICMP translation from inside:172.17.2.210/512 to
    outside:XX.XX.145.188/31

    The PAT translation and that's it...

    Here is my config, any help appreciated.

    Building configuration...
    : Saved
    :
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password scribblyscrabbly encrypted
    passwd scribblyscrabbly encrypted
    hostname CORP
    domain-name rcc.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 172.17.3.0 RE_Inside
    name 172.17.4.0 RMW_Inside
    name XX.XXX.206.192 RMW_Outside
    name XXX.XXX.23.184 RE_Outside
    name XX.XX.145.181 mercury
    name 172.17.2.245 silicon
    name 172.17.2.241 cobalt
    name XX.XX.145.182 cobalt_outside
    object-group network Remote_Inside_Addrs
    network-object RE_Inside 255.255.255.0
    network-object RMW_Inside 255.255.255.0
    access-list 100 permit tcp any any eq domain log
    access-list 100 permit udp any any eq domain log
    access-list 100 permit gre host XXX.XXX217.34 host XX.XX.145.178 log
    access-list 100 permit gre host XX.XX.206.226 host XX.XX.145.178 log
    access-list 100 permit tcp any host cobalt_outside eq pptp log
    access-list 100 permit tcp any host mercury eq www log
    access-list 100 permit tcp any host XX.XX.145.185 eq www log
    access-list 100 permit tcp any host XX.XX.145.183 eq www log
    access-list 100 permit tcp any host XX.XX.145.184 eq www log
    access-list 100 permit tcp any host mercury eq 800 log
    access-list 100 permit tcp any host XX.XX.145.184 eq https log
    access-list 100 permit tcp any host mercury eq https log
    access-list 100 permit tcp any host mercury eq ftp-data log
    access-list 100 permit tcp any host mercury eq ftp log
    access-list 100 permit tcp any host mercury eq smtp log
    access-list 100 permit tcp any host mercury eq pop3 log
    access-list 100 permit tcp any host XX.XX.145.184 eq citrix-ica log
    access-list 100 permit udp any host XX.XX.145.184 eq 1604 log
    access-list 100 permit tcp any host XX.XX.145.185 eq citrix-ica log
    access-list 100 permit udp any host XX.XX.145.185 eq 1604 log
    access-list 100 permit tcp any host XX.XX.145.183 eq citrix-ica log
    access-list 100 permit udp any host XX.XX.145.183 eq 1604 log
    access-list 100 permit udp any host mercury gt 1023 log
    access-list 100 permit udp any host cobalt_outside gt 1023 log
    access-list 100 permit udp any host XX.XX.145.183 gt 1023 log
    access-list 100 permit udp any host XX.XX.145.184 gt 1023 log
    access-list 100 permit udp any host XX.XX.145.185 gt 1023 log
    access-list 100 permit tcp any host XX.XX.145.184 eq 3389 log
    access-list 100 permit tcp any host mercury eq 3389 log
    access-list 100 permit tcp any host cobalt_outside eq 3389 log
    access-list 100 permit tcp any host XX.XX.145.185 eq 3389 log
    access-list 100 permit tcp any host XX.XX.145.183 eq 3389 log
    access-list 100 permit tcp host XX.XX.145.180 any eq 3389 log
    access-list 100 permit tcp any host XX.XX.145.184 eq 631 log
    access-list 100 permit tcp any host XX.XX.145.180 eq https log
    access-list 100 permit tcp any eq https any
    access-list 100 permit tcp any host XX.XX.145.183 eq ftp-data log
    access-list 100 permit tcp any host XX.XX.145.183 eq ftp log
    access-list 100 permit icmp any any echo-reply log
    access-list 100 permit icmp any any time-exceeded log
    access-list 100 permit icmp any any unreachable log
    access-list inside_nat0_outbound permit ip 172.17.2.0 255.255.255.0 RMW_Inside 255.255.255.0
    access-list inside_nat0_outbound permit ip 172.17.2.0 255.255.255.0 RE_Inside 255.255.255.0
    access-list inside_nat0_outbound permit ip 172.17.2.0 255.255.255.0 host XX.XX.145.183
    access-list outside_cryptomap_20 permit ip 172.17.2.0 255.255.255.0 RE_Inside 255.255.255.0
    access-list outside_cryptomap_30 permit ip 172.17.2.0 255.255.255.0 RMW_Inside 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 172.17.2.0 255.255.255.0 object-group Remote_Inside_Addrs
    pager lines 24
    logging on
    logging timestamp
    logging trap debugging
    logging history informational
    logging device-id ipaddress inside
    logging host inside cobalt
    logging host inside 172.17.2.210 format emblem
    icmp permit host XX.XX.145.188 outside
    icmp permit host 172.17.2.210 outside
    icmp permit any echo-reply outside
    icmp permit 172.17.2.0 255.255.255.0 inside
    icmp permit host XX.XX.145.188 inside
    icmp permit host 172.17.2.210 inside
    mtu outside 1500
    mtu inside 1500
    ip address outside XX.XX.145.178 255.255.255.240
    ip address inside 172.17.2.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location mercury 255.255.255.255 outside
    pdm location cobalt_outside 255.255.255.255 outside
    pdm group Remote_Inside_Addrs outside
    pdm logging informational 300
    pdm history enable
    arp timeout 14400
    global (outside) 1 XX.XX.145.188
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 0 mercury 255.255.255.255 0 0
    nat (inside) 0 cobalt_outside 255.255.255.255 0 0
    nat (inside) 0 silicon 255.255.255.255 0 0
    nat (inside) 1 172.17.2.0 255.255.255.0 0 0
    static (inside,outside) mercury 172.17.2.240 netmask 255.255.255.255 0 0
    static (inside,outside) XX.XX.145.184 172.17.2.221 netmask 255.255.255.255 0 0
    static (inside,outside) XX.XX.145.185 172.17.2.247 netmask 255.255.255.255 0 0
    static (inside,outside) XX.XX.145.183 172.17.2.244 netmask 255.255.255.255 0 0
    static (inside,outside) XX.XX.145.180 172.17.2.3 netmask 255.255.255.255 0 0
    static (inside,outside) cobalt_outside cobalt netmask 255.255.255.255 0 0
    access-group 100 in interface outside
    route outside 0.0.0.0 0.0.0.0 XX.XX.145.177 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authorization command LOCAL
    http server enable
    http 172.17.2.0 255.255.255.0 inside
    snmp-server host inside 172.17.2.1
    snmp-server host inside 172.17.2.210
    snmp-server host inside cobalt
    snmp-server location Arl.
    snmp-server contact rnorred
    snmp-server community look
    snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer XXX.XXX.23.187
    crypto map outside_map 20 set transform-set ESP-DES-MD5
    crypto map outside_map 30 ipsec-isakmp
    crypto map outside_map 30 match address outside_cryptomap_30
    crypto map outside_map 30 set peer XX.XXX.206.194
    crypto map outside_map 30 set transform-set ESP-DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address XXX.XXX.23.187 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address XX.XXX.206.194 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet XX.XX.145.188 255.255.255.255 outside
    telnet 172.17.2.3 255.255.255.255 inside
    telnet 172.17.2.111 255.255.255.255 inside
    telnet 172.17.2.210 255.255.255.255 inside
    telnet timeout 5
    ssh XXX.XXX.108.197 255.255.255.255 inside
    ssh timeout 5
    management-access inside
    console timeout 0
    username administrator password scribblyscrabbly encrypted privilege 15
    username rnorred password scribblyscrabbly encrypted privilege 15
    terminal width 80
    Cryptochecksum:scribblyscrabbly
    : end
    [OK]
    rnorred, Apr 18, 2005
    #1
  2. Nick

    Nick Guest

    Not an answer, but before I moved to a GRE VPN I used to experience the
    same thing on a router-based IPSEC VPN.

    In our case I believe it was because the only things NAT'd had to come
    from the INSIDE of the local network.
    The icmp packet (or telnet, etc) came from your local network, hits the
    local router and crosses the VPN to the remote router. The remote
    router attempts to respond to the request but since the packet is
    originating from within the router and used the external (closest to
    destination) interface, it never hits the VPN tunnel as the interesting
    traffic was set up on the inside interface.

    I wonder if that made sense...

    Regardless, until we moved to a GRE VPN, we had to use SSH to the
    outside interface to get into our routers remotely.
    Nick, Apr 18, 2005
    #2
  3. rnorred

    rnorred Guest

    Let me clarify a bit. I am on network 172.17.2.0/24; this is where the
    PIX is homed that has the static nat entries. When I do a ping to these
    addresses, should it follow this:
    inside---(translation)--PIX--outside---router---outside---(same
    PIX)---translation to static nat---inside.

    I know there are some rules about packets not wanting to enter an
    interface it just left, so I am not sure this will work at all as
    configured.

    any ideas???
    rnorred, Apr 18, 2005
    #3
  4. This will not work because the PIX will NOT forward a packet out the same
    interface it came in from.

    If you have the dns-server on the outside you can use outside nat or the
    alias command to doctor the dns replies.

    Regards,

    /TC

    "rnorred" <> wrote in message
    news:...
    > Let me clarify a bit. I am on network 172.17.2.0/24; this is where the
    > PIX is homed that has the static nat entries. When I do a ping to these
    > addresses, should it follow this:
    > inside---(translation)--PIX--outside---router---outside---(same
    > PIX)---translation to static nat---inside.
    >
    > I know there are some rules about packets not wanting to enter an
    > interface it just left, so I am not sure this will work at all as
    > configured.
    >
    > any ideas???
    >
    Tony "Swede" Clifton, Apr 18, 2005
    #4
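As an added illustration that is not part of the thread, the Python below models the two points TC makes: why an inside client aimed at a static global address is a hairpin that PIX 6.3 drops, and how DNS doctoring (the alias command, or the dns keyword PIX 6.2+ accepts on static) sidesteps it by handing inside clients the inside address. It parses the name and static lines from the posted config, with the masked XX.XX.145.x octets replaced by the placeholder prefix 203.0.113.x; INSIDE_NET, forward and doctor_dns_answer are my own names.

```python
import ipaddress
import re

# Constructed excerpt of the posted PIX 6.3 config: only the 'name' and 'static'
# lines matter here. The masked XX.XX.145.x outside addresses are replaced by
# the documentation prefix 203.0.113.x (a placeholder, not the real addresses).
PIX_CONFIG = """
name 203.0.113.181 mercury
name 172.17.2.241 cobalt
name 203.0.113.182 cobalt_outside
static (inside,outside) mercury 172.17.2.240 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.184 172.17.2.221 netmask 255.255.255.255 0 0
static (inside,outside) cobalt_outside cobalt netmask 255.255.255.255 0 0
"""

INSIDE_NET = ipaddress.ip_network("172.17.2.0/24")  # from 'ip address inside'


def parse_statics(config):
    """Map each static global (outside) IP to its local (inside) IP, resolving names."""
    names, statics = {}, {}
    for line in config.splitlines():
        m = re.match(r"name (\S+) (\S+)$", line)
        if m:
            names[m.group(2)] = m.group(1)
        m = re.match(r"static \(inside,outside\) (\S+) (\S+) netmask", line)
        if m:
            glob, local = (names.get(x, x) for x in m.groups())
            statics[glob] = local
    return statics


def forward(statics, ingress, dst):
    """Return (egress_interface, real_destination), or None when the packet is a
    hairpin. A static global address belongs to a host on the inside, so an
    inside client aimed at it would have to be sent back out 'inside'. PIX 6.3
    refuses that: the post's log shows only the PAT xlate (%PIX-6-305011), then
    nothing, because the packet is dropped at this step."""
    real_dst = statics.get(dst, dst)
    egress = "inside" if ipaddress.ip_address(real_dst) in INSIDE_NET else "outside"
    return None if egress == ingress else (egress, real_dst)


def doctor_dns_answer(statics, answer_ip):
    """DNS doctoring on a reply crossing outside->inside (what 'alias', or the
    'dns' keyword on 'static', does): hand inside clients the inside address
    so they connect directly and the hairpin is never needed."""
    return statics.get(answer_ip, answer_ip)
```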
  5. In article <>,
    rnorred <> wrote:
    :First time setup of PIX flavor. Have corp and two remotes using VPN.
    :Everything is working great except from my inside network 172.17.2.X I
    :cannot access any of my inside static nat'd address like I used to with
    :the IOS 'ip nat inside source static' cmd.

    You can't do that with PIX before PIX 7.

    --
    Beware of bugs in the above code; I have only proved it correct,
    not tried it. -- Donald Knuth
    Walter Roberson, Apr 18, 2005
    #5