PIX NAT issue

Discussion in 'Cisco' started by fnu-10a4, Jan 5, 2005.

  1. fnu-10a4

    fnu-10a4 Guest

    Hello,

    I need help on this.

    I've got a PIX 525 for testing. One of the interfaces leads to the
    Internet, all the others are from the private IP space.

    From a host located behind "internal1", I try to ping the IP of
    www.openbsd.org and it does not get through. The access list applied
    on the interfaces is permit icmp any any.

    Can anybody tell me why show xlate does not show private ip being
    nated to the external IP of the firewall?

    How do I make sure all the private networks I have will be hide-nated
    using the ip address of the external interface?

    Thank you very much,

    /alain

    pix(config)# sh nat
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (internal1) 1 0.0.0.0 0.0.0.0 0 0
    nat (internal3) 1 0.0.0.0 0.0.0.0 0 0
    nat (internal2) 1 0.0.0.0 0.0.0.0 0 0

    pix(config)# sh global
    global (external) 1 interface

    pix(config)# sh static
    static (inside,internal1) 192.168.11.0 192.168.11.0 netmask 255.255.255.192 0 0
    static (inside,internal2) 192.168.11.0 192.168.11.0 netmask 255.255.255.192 0 0
    static (inside,internal3) 192.168.11.0 192.168.11.0 netmask 255.255.255.192 0 0
    static (inside,external) 192.168.11.0 192.168.11.0 netmask 255.255.255.192 0 0
    static (internal3,internal2) 192.168.11.96 192.168.11.96 netmask 255.255.255.192 0 0
    static (internal3,internal1) 192.168.11.96 192.168.11.96 netmask 255.255.255.192 0 0
    static (internal3,external) 192.168.11.96 192.168.11.96 netmask 255.255.255.192 0 0
    static (internal1,internal2) 192.168.11.32 192.168.11.32 netmask 255.255.255.192 0 0
    static (internal2,external) 192.168.11.128 192.168.11.128 netmask 255.255.255.192 0 0
    static (internal1,external) 192.168.11.32 192.168.11.32 netmask 255.255.255.192 0 0

    pix(config)# sh int
    interface gb-ethernet0 "external" is up, line protocol is up
    Hardware is i82543 rev02 gigabit ethernet, address is 000e.0c5f.8339
    IP address 112.98.128.39, subnet mask 255.255.255.240
    MTU 1500 bytes, BW 1 Gbit full duplex
    20856 packets input, 1339710 bytes, 0 no buffer
    Received 7613 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 1 frame, 0 overrun, 0 ignored, 0 abort
    16490 packets output, 1297670 bytes, 0 underruns
    input queue (curr/max blocks): hardware (0/2) software (0/0)
    output queue (curr/max blocks): hardware (0/2) software (0/0)
    interface gb-ethernet1 "inside" is up, line protocol is up
    Hardware is i82543 rev02 gigabit ethernet, address is 000e.0c5f.8338
    IP address 192.168.11.30, subnet mask 255.255.255.192
    MTU 1500 bytes, BW 1 Gbit full duplex
    15410 packets input, 993222 bytes, 0 no buffer
    Received 3169 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 1 frame, 0 overrun, 0 ignored, 0 abort
    12263 packets output, 787918 bytes, 0 underruns
    input queue (curr/max blocks): hardware (0/3) software (0/0)
    output queue (curr/max blocks): hardware (0/2) software (0/0)
    interface gb-ethernet2 "internal1" is up, line protocol is up
    Hardware is i82543 rev02 gigabit ethernet, address is 000e.0c5f.835f
    IP address 192.168.11.62, subnet mask 255.255.255.192
    MTU 1500 bytes, BW 1 Gbit full duplex
    208838 packets input, 13843553 bytes, 0 no buffer
    Received 1323 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 1 frame, 0 overrun, 0 ignored, 0 abort
    189352 packets output, 12119786 bytes, 0 underruns
    input queue (curr/max blocks): hardware (0/5) software (0/0)
    output queue (curr/max blocks): hardware (0/2) software (0/0)
    interface gb-ethernet3 "sync" is up, line protocol is up
    Hardware is i82543 rev02 gigabit ethernet, address is 000e.0c5f.72fb
    IP address 192.168.11.253, subnet mask 255.255.255.252
    MTU 1500 bytes, BW 1 Gbit full duplex
    35600 packets input, 3815082 bytes, 0 no buffer
    Received 3 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 1 frame, 0 overrun, 0 ignored, 0 abort
    35628 packets output, 3827128 bytes, 0 underruns
    input queue (curr/max blocks): hardware (0/2) software (0/0)
    output queue (curr/max blocks): hardware (0/2) software (0/0)
    interface ethernet0 "internal3" is up, line protocol is up
    Hardware is i82559 ethernet, address is 000e.0c5f.cee8
    IP address 192.168.11.126, subnet mask 255.255.255.192
    MTU 1500 bytes, BW 100000 Kbit full duplex
    11704 packets input, 732992 bytes, 0 no buffer
    Received 1 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    11718 packets output, 733732 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    input queue (curr/max blocks): hardware (128/128) software (0/2)
    output queue (curr/max blocks): hardware (0/9) software (0/1)
    interface ethernet1 "internal2" is up, line protocol is up
    Hardware is i82559 ethernet, address is 000e.0c5f.cdd1
    IP address 192.168.11.158, subnet mask 255.255.255.192
    MTU 1500 bytes, BW 100000 Kbit full duplex
    26370 packets input, 1925520 bytes, 0 no buffer
    Received 577 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    13152 packets output, 820000 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    input queue (curr/max blocks): hardware (128/128) software (0/2)
    output queue (curr/max blocks): hardware (0/9) software (0/1)
    pix(config)#
     
    fnu-10a4, Jan 5, 2005
    #1

  2. fnu-10a4

    rave Guest

    Because of this statement:
    static (internal1,external) 192.168.11.32 192.168.11.32 netmask 255.255.255.192 0 0

    static takes precedence over nat and global commands.
    It should be the case with every system going through the PIX.
     
    rave, Jan 5, 2005
    #2
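A worked illustration of the precedence rave describes, added here and not part of the thread: a small Python model of the PIX translation lookup, loaded with the static/nat/global lines from the first post (the external address 112.98.128.39 is taken from the sh int output). The lookup logic is a simplified assumption of this example, not PIX code; it shows why a host in 192.168.11.32/26 never reaches the nat/global PAT while the static (internal1,external) entry exists.

```python
import ipaddress

# Constructed from the "sh static", "sh nat" and "sh global" output in the first post.
# PIX syntax: static (real_if,mapped_if) mapped_ip real_ip netmask mask
STATICS = [
    ("inside",    "external", "192.168.11.0",   "192.168.11.0",   "255.255.255.192"),
    ("internal1", "external", "192.168.11.32",  "192.168.11.32",  "255.255.255.192"),
    ("internal2", "external", "192.168.11.128", "192.168.11.128", "255.255.255.192"),
    ("internal3", "external", "192.168.11.96",  "192.168.11.96",  "255.255.255.192"),
]
# nat (if) 1 0.0.0.0 0.0.0.0  -> every host on that interface belongs to nat id 1
NAT_RULES = [(ifc, 1, "0.0.0.0/0") for ifc in ("inside", "internal1", "internal2", "internal3")]
# global (external) 1 interface -> PAT to the external interface address (from sh int)
GLOBALS = {("external", 1): "112.98.128.39"}


def _as_int(addr):
    return int(ipaddress.ip_address(addr))


def translate(src_if, dst_if, src_ip, statics=STATICS, nat_rules=NAT_RULES, globals_=GLOBALS):
    """Return ("static", ip) or ("pat", ip) for a packet from src_if to dst_if, or None."""
    ip = _as_int(src_ip)
    # Step 1 (assumed model): static entries are checked first and win over nat/global.
    for real_if, mapped_if, mapped, real, mask in statics:
        m = _as_int(mask)
        if real_if == src_if and mapped_if == dst_if and (ip & m) == (_as_int(real) & m):
            host_bits = ip & (~m & 0xFFFFFFFF)          # host part is carried into the mapped block
            return ("static", str(ipaddress.ip_address((_as_int(mapped) & m) | host_bits)))
    # Step 2: only when no static matches does the nat id on src_if pair with a global on dst_if.
    for nat_if, nat_id, real_net in nat_rules:
        if nat_if == src_if and ipaddress.ip_address(src_ip) in ipaddress.ip_network(real_net):
            pool = globals_.get((dst_if, nat_id))
            if pool is not None:
                return ("pat", pool)
    return None


def leaves_with_private_source(src_if, dst_if, src_ip, **kw):
    """True when the packet is forwarded with an RFC1918 source, i.e. it was never hide-NATed."""
    res = translate(src_if, dst_if, src_ip, **kw)
    return res is not None and ipaddress.ip_address(res[1]).is_private


if __name__ == "__main__":
    print(translate("internal1", "external", "192.168.11.40"))           # identity static wins
    without = [s for s in STATICS if (s[0], s[1]) != ("internal1", "external")]
    print(translate("internal1", "external", "192.168.11.40", statics=without))  # PAT applies
```

Removing the identity static for the pair lets the same host fall through to nat 1 / global 1 and leave as 112.98.128.39, which is the hide-NAT the first post asks for.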