Cisco Pix 525 - Static Nat not working to internal IP

Discussion in 'Hardware' started by kylebelz, Dec 20, 2010.

  1. kylebelz

    kylebelz

    Joined:
    Dec 20, 2010
    Messages:
    4
    I just posted this in General and I believe it should have been posted here.

    Sorry about that

    Again, any help would be appreciated.

    Thanks!

    Hi All

    I am new to this discussion forum. Not sure if I am in the right place for my question but I will give this a shot.

    I've recently installed a PIX 525 with 8.0(4).

    I have set up all my access lists, routes and NAT like I have done in the past, but for some reason I cannot ping or get any traffic through to one of my internal IPs.

    Pix is at my local NOC and then my servers are at my remote office.

    PIX internal is 10.0.1.2, Managed router at NOC 10.0.1.1
    remote office 192.168.2.0 adtran router 192.168.2.1

    As you can see from my config I have everything in place, but when I do a ping from the outside world I get
    icmp echo request untranslating outside.x.x.x to inside.x.x.x

    I've done everything I can think of. Can someone look at the config and tell me if there are any obvious issues?

    Thanks in advance
    Kyle


    : Saved
    : Written by enable_15 at 10:44:12.839 EST Mon Dec 20 2010
    !
    PIX Version 8.0(4)
    !
    hostname CSIpixG4
    domain-name x.local
    enable password tCesJLFl4nZG7Vsm encrypted
    passwd 891Oy23Vg19EaLeL encrypted
    names
    name 172.16.100.0 VPNSub
    name 192.168.2.22 csinas description csinas
    dns-guard
    !
    interface Ethernet0
    nameif outside
    security-level 0
    ip address x.x.51.18 255.255.255.240
    ospf cost 10
    !
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 10.0.1.2 255.255.255.0
    ospf cost 10
    !
    interface Ethernet2
    shutdown
    nameif intf3
    security-level 15
    no ip address
    ospf cost 10
    !
    interface Ethernet3
    shutdown
    nameif intf4
    security-level 20
    no ip address
    ospf cost 10
    !
    interface Ethernet4
    shutdown
    nameif intf5
    security-level 25
    no ip address
    ospf cost 10
    !
    interface GigabitEthernet0
    shutdown
    nameif intf2
    security-level 10
    no ip address
    ospf cost 10
    !
    boot system flash:/image.bin
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 192.168.2.13
    name-server 192.168.2.20
    domain-name csi.local
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list inside_outbound_nat0_acl extended permit ip any any
    access-list inside_outbound_nat0_acl extended permit icmp any any
    access-list outside_access_in extended permit icmp any any echo-reply log errors
    access-list outside_access_in extended permit ip VPNSub 255.255.255.0 any
    access-list outside_access_in extended permit icmp VPNSub 255.255.255.0 any
    access-list outside_access_in extended permit tcp any host x.x.51.19 eq ftp log errors
    access-list outside_access_in extended permit tcp any host x.x.51.19 eq www log errors
    access-list outside_access_in extended permit icmp any any echo log errors
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-list outside_access_in extended permit icmp any any
    access-list inside_access_in extended permit tcp any any eq https
    access-list inside_access_in extended permit tcp any any eq ftp
    access-list inside_access_in extended permit tcp any any eq nntp
    access-list inside_access_in extended permit tcp any any eq smtp
    access-list inside_access_in extended permit tcp any any eq telnet
    access-list inside_access_in extended permit tcp any any eq ssh
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit icmp any any echo-reply
    access-list inside_access_in extended permit tcp any any eq www
    access-list inside_nat0_outbound extended permit ip any VPNSub 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any host csinas
    access-list inside_nat0_outbound extended permit icmp any host csinas log debugging
    access-list G4pixCSIspACL standard permit host 192.168.0.0
    access-list G4pixCSIspACL standard permit host 10.0.1.0
    access-list DefaultRAGroup_splitTunnelAcl standard permit x.x.51.16 255.255.255.240
    access-list 80 extended permit ip any VPNSub 255.255.255.0
    access-list 80 extended permit icmp any host csinas
    access-list 200 extended permit icmp any any echo-reply
    access-list 200 extended permit icmp any any
    access-list 200 extended permit tcp any host x.x.51.19 eq ftp
    access-list 200 extended permit tcp any any eq ftp
    pager lines 24
    logging enable
    logging console debugging
    logging asdm informational
    logging class auth console emergencies
    mtu outside 1500
    mtu inside 1500
    mtu intf3 1500
    mtu intf4 1500
    mtu intf5 1500
    mtu intf2 1500
    ip local pool VPN-IP-POOL 172.16.100.1-172.16.100.50 mask 255.255.255.0
    ip verify reverse-path interface outside
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    asdm image flash:/pdm
    asdm location VPNSub 255.255.255.0 inside
    asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) x.x.51.19 csinas netmask 255.255.255.255
    static (inside,outside) x.x.51.21 192.168.2.19 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 x.x.51.17 1
    route inside 192.168.1.0 255.255.255.0 10.0.1.1 1
    route inside 192.168.2.0 255.255.255.0 10.0.1.1 1
    route inside 192.168.3.0 255.255.255.0 10.0.1.1 1
    route inside 192.168.4.0 255.255.255.0 10.0.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    network-acl inside_access_in
    network-acl 80
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    http server enable
    http 192.168.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    snmp-server enable traps syslog
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map cisco 4 set security-association lifetime seconds 28800
    crypto dynamic-map cisco 4 set security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
    crypto map partner-map 20 set security-association lifetime seconds 28800
    crypto map partner-map 20 set security-association lifetime kilobytes 4608000
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp ipsec-over-tcp port 10000
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    telnet 192.0.0.0 255.0.0.0 inside
    telnet 10.0.0.0 255.0.0.0 inside
    telnet timeout 30
    ssh timeout 5
    ssh version 1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 192.168.2.13
    vpn-tunnel-protocol l2tp-ipsec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
    group-policy DfltGrpPolicy attributes
    dns-server value 192.168.2.13
    ip-comp enable
    pfs enable
    ipsec-udp enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value G4pixCSIspACL
    group-policy G4pixCSIvpn internal
    group-policy G4pixCSIvpn attributes
    dns-server value 192.168.2.13 192.168.2.20
    vpn-filter none
    vpn-tunnel-protocol IPSec l2tp-ipsec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value G4pixCSIspACL
    default-domain value CSI
    username admcna password 2PmyRhKDooobsfLN encrypted
    username kbelz password jYb./qhqBZJqLT44 encrypted privilege 0
    username kbelz attributes
    vpn-group-policy G4pixCSIvpn
    tunnel-group DefaultRAGroup general-attributes
    address-pool VPN-IP-POOL
    authorization-server-group LOCAL
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key cisco123
    radius-sdi-xauth
    tunnel-group G4pixCSIvpn type remote-access
    tunnel-group G4pixCSIvpn general-attributes
    address-pool VPN-IP-POOL
    tunnel-group G4pixCSIvpn ipsec-attributes
    pre-shared-key Ye3ll65$z
    !
    class-map inspection_default1
    match default-inspection-traffic
    class-map inspection_default
    !
    !
    policy-map global_policy
    class inspection_default1
    inspect icmp error
    inspect icmp
    policy-map type inspect dns migrated_dns_map_1
    parameters
    message-length maximum 512
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:9a05ab798024d417c51a8a4e5a95be66
    : end
     
    kylebelz, Dec 20, 2010
    #1

  2. 2k05gt

    2k05gt

    Joined:
    Dec 21, 2010
    Messages:
    8
    Review the attached files; you have some errors in the config.
    I separated the ACLs in an Excel CSV file. This will give you a better look at what's going on.

    I will look it over more to see if I can spot something
     

    Attached Files:

    2k05gt, Dec 21, 2010
    #2

  3. kylebelz

    kylebelz

    Joined:
    Dec 20, 2010
    Messages:
    4
    Thanks for your reply

    It ended up being what I had a feeling it was. My telco had the wrong default route in at the sites where I was trying to NAT to.

    Now that that is working I am working on getting the VPN clients to work. They can connect but no traffic passes. I'm looking at my ACLs again.

    Thanks

    Kyle
     
    kylebelz, Dec 21, 2010
    #3
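A small checker, added here as an example and not code from the thread, that parses the statics and routes of a PIX 8.0 config like the one posted above and reports, for each static, which inside hop the real host's replies have to come back through. A real address with no inside route is the part of this problem the PIX config itself can show; the remote router's wrong default route, which turned out to be the cause here, lives outside the PIX and has to be checked on that router. The config excerpt is constructed from the post with the masked "x.x.51" prefix replaced by the documentation prefix 203.0.113, and the 203.0.113.22 static is invented to show a failing case.

```python
import ipaddress

# Constructed excerpt of the posted config; "x.x.51" is replaced by 203.0.113 so addresses parse.
# The 203.0.113.22 static is NOT in the post: it shows how a real host with no inside route is reported.
PIX_CONFIG = """\
interface Ethernet1
nameif inside
ip address 10.0.1.2 255.255.255.0
name 192.168.2.22 csinas description csinas
static (inside,outside) 203.0.113.19 csinas netmask 255.255.255.255
static (inside,outside) 203.0.113.21 192.168.2.19 netmask 255.255.255.255
static (inside,outside) 203.0.113.22 192.168.9.5 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 203.0.113.17 1
route inside 192.168.2.0 255.255.255.0 10.0.1.1 1
"""

def parse_pix(text):
    """Collect name aliases, the connected subnet per nameif, statics and routes."""
    cfg = {"names": {}, "ifaces": {}, "statics": [], "routes": []}
    nameif = None
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["nameif"]:
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif:
            cfg["ifaces"][nameif] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[:1] == ["name"]:                    # name <addr> <alias> [description ...]
            cfg["names"][t[2]] = t[1]
        elif t[:1] == ["static"]:                  # static (real_if,mapped_if) <mapped> <real> ...
            cfg["statics"].append(tuple(t[1].strip("()").split(",")) + (t[2], t[3]))
        elif t[:1] == ["route"]:                   # route <iface> <net> <mask> <gateway> ...
            cfg["routes"].append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), t[4]))
    return cfg

def next_hop(cfg, iface, addr):
    """'connected', the gateway of the longest matching route on iface, or None if unrouted."""
    net = cfg["ifaces"].get(iface)
    if net and addr in net:
        return "connected"
    hits = [(n.prefixlen, gw) for i, n, gw in cfg["routes"] if i == iface and addr in n]
    return max(hits)[1] if hits else None

def check_statics(cfg):
    """Per static: the inside hop that must carry the real host's replies back to the PIX."""
    out = []
    for real_if, _mapped_if, mapped, real in cfg["statics"]:
        real_ip = ipaddress.ip_address(cfg["names"].get(real, real))
        out.append({"mapped": mapped, "real": str(real_ip), "next_hop": next_hop(cfg, real_if, real_ip)})
    return out
```

A static whose next_hop is None will never see return traffic, and the same symptom appears when the real host's own router sends replies anywhere other than the listed gateway.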