Nat/Pat-problem with pix 501

Discussion in 'Cisco' started by Martin Edwards, Jul 22, 2004.

  1. Hi

    I have a pix 501 with an outside interface x.x.x.69 and an inside
    x.x.x.113, and the gateway out is x.x.x.65

    The route has been set up with the following statements

    route inside x.x.x.112 255.255.255.248 x.x.x.113
    route outside x.x.x.64 255.255.255.248 x.x.x.69
    route outside 0.0.0.0 0.0.0.0 x.x.x.65

    I have set the global to use the interface

    global (outside) 1 interface

    and the nat

    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    The problem is that I can't connect to any outside addresses from the
    inside network. I can however ping both the inside and the outside
    networks from the pix itself.

    Please help

    /Martin
    Martin Edwards, Jul 22, 2004
    #1

  2. Martin Edwards

    paul blitz Guest

    You need to define the IP address range to use... here's ours:

    global (outside) 1 194.xxx.xxx.101-194.216.203.120
    global (outside) 1 194.xxx.xxx.121

    The first sets up 20 NAT addresses, the second sets up a PAT address for
    when the NAT pool runs out.

    The "1" is the "nat id", and is the same as the "1" in your "nat (inside) 1
    0.0.0.0 0.0.0.0 0 0" (which basically says to apply NAT to ANY address
    coming in on the "inside" interface), and is the thing that hooks the two
    together.

    Does that help?


    Paul Blitz
    paul blitz, Jul 22, 2004
    #2

  3. Martin Edwards

    PES Guest

    Your nat configuration is correct. I would remove the second route
    statement. I don't know what the first route statement is for. The next
    hop ip is in the ip range, so I think this is also useless. Also, be aware
    that you can probably not send pings through the pix by default (the echo
    replies usually won't come back through) and check any outbound acl's.
    PES, Jul 22, 2004
    #3
  4. Hi, thanks for the quick reply - I tried changing the global to use
    another ip than the interface, with no luck. The second route entry is
    the one that the pix has made itself to be able to connect to the network
    that the pix itself is connected to. I have made a test webserver on the
    outside net with an ip x.x.x.66 and I can't connect to this, not with
    telnet or i-explorer. The x.x.x.y network is 130.225.90.y, if this makes
    any difference.

    /Martin
    Martin Edwards, Jul 22, 2004
    #4
  5. Martin Edwards

    mcaissie Guest

    >> I have a pix 501 with an outside interface x.x.x.69 and an inside
    >> x.x.x.113, and the gateway out is x.x.x.65 The x.x.x.y network is
    >> 130.225.90.y

    What netmask are you using? Looks like your inside and outside are part of
    the same subnet.

    Remove the first 2 route statements, they make no sense and they may cause
    the problem

    Try pinging the gateway from the outside
    ping outside x.x.x.65

    Try pinging a valid address on the internet (which answers to ping)
    ping outside 164.109.59.132

    mcaissie, Jul 22, 2004
    #5
  6. In article <Xns952E7997D2596whome@82.211.192.157>,
    Martin Edwards <> wrote:
    :I have a pix 501 with an outside interface x.x.x.69 and an inside
    :x.x.x.113, and the gateway out is x.x.x.65

    :The route has been set up with the following statements

    : route inside x.x.x.112 255.255.255.248 x.x.x.113
    : route outside x.x.x.64 255.255.255.248 x.x.x.69
    : route outside 0.0.0.0 0.0.0.0 x.x.x.65

    Those look fine so far. Ignore the people saying that they might be on
    the same subnet -- .112 +/- 8 addresses is never going to be in the
    same subnet as .64 +/- 8


    :I have set the global to use the interface
    : global (outside) 1 interface
    :and the nat
    : nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    That looks fine too.


    :The problem is that I can't connect to any outside addresses from the
    :inside network. I can however ping both the inside and the outside
    :networks from the pix itself.

    x.x.x.112 255.255.255.248 is not the factory default inside address, so
    you have changed something about the configuration. Given your symptoms
    it seems most likely that you have an access-list that you have applied
    to the inside interface using the command
    access-group XXX in interface inside
    That access list XXX would control what you would be allowed to send
    to the outside, and anything not listed as permitted would be denied.

    If you do not have an access-group applied to the inside at all, I
    would suggest commanding clear xlate from configuration mode.
    --
    csh is bad drugs.
    Walter Roberson, Jul 22, 2004
    #6
  7. Martin Edwards

    mcaissie Guest

    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:cdon2i$2v0$...
    > In article <Xns952E7997D2596whome@82.211.192.157>,
    > Martin Edwards <> wrote:
    > :I have a pix 501 with an outside interface x.x.x.69 and an inside
    > :x.x.x.113, and the gateway out is x.x.x.65
    >
    > :The route has been set up with the following statements
    >
    > : route inside x.x.x.112 255.255.255.248 x.x.x.113
    > : route outside x.x.x.64 255.255.255.248 x.x.x.69
    > : route outside 0.0.0.0 0.0.0.0 x.x.x.65
    >
    > Those look fine so far. Ignore the people saying that they might be on
    > the same subnet -- .112 +/- 8 addresses is never going to be in the
    > same subnet as .64 +/- 8


    Walter,
    Since x.x.x.113 is the inside interface address, can you explain to me
    the reason for the PIX to route a subnet to itself.
    Same thing for the second statement, x.x.x.69 is the IP of the outside
    interface

    Michel
    mcaissie, Jul 22, 2004
    #7
  8. In article <zZSLc.107974$eO.41052@edtnps89>,
    mcaissie <> wrote:
    |"Walter Roberson" <-cnrc.gc.ca> wrote in message
    |news:cdon2i$2v0$...
    |> In article <Xns952E7997D2596whome@82.211.192.157>,
    |> Martin Edwards <> wrote:
    |> : route inside x.x.x.112 255.255.255.248 x.x.x.113
    |> : route outside x.x.x.64 255.255.255.248 x.x.x.69
    |> : route outside 0.0.0.0 0.0.0.0 x.x.x.65

    |> Those look fine so far. Ignore the people saying that they might be on
    |> the same subnet -- .112 +/- 8 addresses is never going to be in the
    |> same subnet as .64 +/- 8


    |Since x.x.x.113 is the inside interface address, can you explain to me
    |the reason for the PIX to route a subnet to itself.
    |Same thing for the second statement, x.x.x.69 is the IP of the outside
    |interface

    It's automatic. Those are routes that would show up as 'CONNECT static'
    via "show route". It's just saying that hosts in x.x.x.112/29 are expected
    to be directly reachable from the pix inside interface without any
    further routing. If you needed further routing to get to hosts in that
    subnet, then pretty much by definition, those hosts would not be in
    the same subnet after all.
    --
    "I want to make sure [a user] can't get through ... an online
    experience without hitting a Microsoft ad"
    -- Steve Ballmer [Microsoft Chief Executive]
    Walter Roberson, Jul 22, 2004
    #8
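
The three checks argued over in this thread (whether the two /29 routes are just connected routes, whether the inside and outside subnets overlap, and whether the nat id has a global with the same id), as an added example that is not part of any post. The function names are hypothetical, and the addresses use the 130.225.90.y expansion the original poster gave for x.x.x.y.

```python
import ipaddress

# Lines from the thread, with x.x.x.y expanded to 130.225.90.y as the
# original poster stated; interface addresses are the ones he gave.
CONFIG = """\
route inside 130.225.90.112 255.255.255.248 130.225.90.113
route outside 130.225.90.64 255.255.255.248 130.225.90.69
route outside 0.0.0.0 0.0.0.0 130.225.90.65
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""
INTERFACES = {"inside": "130.225.90.113", "outside": "130.225.90.69"}

def parse(config):
    """Split route/nat/global lines into simple records."""
    routes, nats, pools = [], [], []
    for tok in (line.split() for line in config.splitlines()):
        if len(tok) >= 5 and tok[0] == "route":
            net = ipaddress.ip_network(f"{tok[2]}/{tok[3]}")
            routes.append((tok[1], net, ipaddress.ip_address(tok[4])))
        elif len(tok) >= 3 and tok[0] in ("nat", "global"):
            target = nats if tok[0] == "nat" else pools
            target.append((tok[1].strip("()"), int(tok[2])))
    return routes, nats, pools

def classify_routes(routes, interfaces):
    """Next hop equal to the interface's own address means a connected route."""
    kinds = {}
    for ifname, net, hop in routes:
        own = ipaddress.ip_address(interfaces[ifname])
        kinds[str(net)] = "connected" if hop == own and own in net else "static"
    return kinds

def unmatched_nat_ids(nats, pools):
    """nat ids with no global of the same id (id 0 is exempt: no translation)."""
    pool_ids = {gid for _, gid in pools}
    return sorted({nid for _, nid in nats if nid and nid not in pool_ids})

def overlapping(routes):
    """Pairs of routed networks, default route excluded, that overlap."""
    nets = [n for _, n, _ in routes if n.prefixlen > 0]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]

if __name__ == "__main__":
    routes, nats, pools = parse(CONFIG)
    print(classify_routes(routes, INTERFACES))
    print("nat ids without a global:", unmatched_nat_ids(nats, pools))
    print("overlapping subnets:", overlapping(routes))
```

On the posted configuration all three checks come back clean, which is consistent with the suggestion in post #6 to look at an access-group on the inside interface or stale translations instead.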