PIX NAT issue

Discussion in 'Cisco' started by nedtrilby@googlemail.com, Nov 16, 2011.

  1. Guest

    On my PIX v6.3 I have a trunk setup to 2 VLANs:

    nameif vlan210 custsm security34
    nameif vlan350 monnet security35
    ip address custsm 192.168.200.250 255.255.255.0
    ip address monnet 192.168.89.250 255.255.255.0

    From a client PC on vlan350 I want to be able to connect to a system on
    vlan210 and vice versa. I have set up NAT as follows:

    access-list NATMON permit ip 192.168.89.0 255.255.255.0 192.168.200.0 255.255.255.0
    nat (INTTNET) 0 access-list 103
    global (custsm) 1 192.168.200.111

    On the debug I can see my PING requests from 192.168.89.249 to
    192.168.200.250 and it looks like it is using NAT address
    192.168.200.111, but I am not getting a reply. I think there may be
    something wrong with NATting or Access-lists but can't identify what
    it is...

    47: ICMP echo request (len 32 id 4 seq 6400) 192.168.89.249 > 192.168.89.250
    48: ICMP echo reply (len 32 id 4 seq 6400) 192.168.89.250 > 192.168.89.249
    49: ICMP echo request (len 32 id 4 seq 6656) 192.168.89.249 > 192.168.89.250
    50: ICMP echo reply (len 32 id 4 seq 6656) 192.168.89.250 > 192.168.89.249
    51: ICMP echo request (len 32 id 4 seq 6912) 192.168.89.249 > 192.168.89.250
    52: ICMP echo reply (len 32 id 4 seq 6912) 192.168.89.250 > 192.168.89.249
    53: ICMP echo request (len 32 id 4 seq 7168) 192.168.89.249 > 192.168.89.250
    54: ICMP echo reply (len 32 id 4 seq 7168) 192.168.89.250 > 192.168.89.249
    55: ICMP echo-request from monnet:192.168.89.249 to 192.168.200.250 ID=1024 seq=7424 length=40
    56: ICMP echo-request: translating monnet:192.168.89.249/1024 to custsm:192.168.200.111/1
    57: ICMP echo-request from monnet:192.168.89.249 to 192.168.200.250 ID=1024 seq=7680 length=40
    58: ICMP echo-request: translating monnet:192.168.89.249/1024 to custsm:192.168.200.111/1
    59: ICMP echo-request from monnet:192.168.89.249 to 192.168.200.250 ID=1024 seq=7936 length=40
    60: ICMP echo-request: translating monnet:192.168.89.249/1024 to custsm:192.168.200.111/1
    61: ICMP echo-request from monnet:192.168.89.249 to 192.168.200.250 ID=1024 seq=8192 length=40
    62: ICMP echo-request: translating monnet:192.168.89.249/1024 to custsm:192.168.200.111/1

    mypix-FW(config)# show xlate
    20 in use, 1520 most used
    PAT Global 99.199.19.43(17891) Local 10.0.0.177(43586)
    PAT Global 99.199.19.43(17890) Local 10.0.0.177(59226)
    PAT Global 99.199.19.43(17889) Local 10.0.0.153(2207)
    PAT Global 99.199.19.43(17892) Local 10.0.0.153(2219)
    mypix-FW(config)#

    mypix-FW(config)# 63: ICMP echo-request from monnet:192.168.89.249 to 192.168.200.250 ID=1024 seq=8448 length=40
    64: ICMP echo-request: translating monnet:192.168.89.249/1024 to custsm:192.168.200.111/2
    65: ICMP echo-request from monnet:192.168.89.249 to 192.168.200.250 ID=1024 seq=8704 length=40
    66: ICMP echo-request: translating monnet:192.168.89.249/1024 to custsm:192.168.200.111/2
    67: ICMP echo-request from monnet:192.168.89.249 to 192.168.200.250 ID=1024 seq=8960 length=40
    68: ICMP echo-request: translating monnet:192.168.89.249/1024 to custsm:192.168.200.111/2

    show xlate
    21 in use, 1520 most used
    PAT Global 99.199.19.43(16780) Local 10.0.0.154(4137)
    PAT Global 99.199.19.43(16820) Local 10.0.0.154(4179)
    PAT Global 192.168.200.111(2) Local 192.168.89.249 ICMP id 1024
    PAT Global 99.199.19.43(5755) Local 10.0.0.109(2638)
    PAT Global 99.199.19.43(16255) Local 10.0.0.153(1306)
    PAT Global 99.199.19.43(14957) Local 10.0.0.145(49167)

    mypix-FW(config)# 69: ICMP echo-request from monnet:192.168.89.249 to 192.168.200.250 ID=1024 seq=9216 length=40
    70: ICMP echo-request: translating monnet:192.168.89.249/1024 to custsm:192.168.200.111/2
    71: ICMP echo request (len 5 id 3 seq 1280) 10.0.0.153 > 10.0.0.254
    72: ICMP echo reply (len 5 id 3 seq 1280) 10.0.0.254 > 10.0.0.153
    73: ICMP echo request (len 32 id 9233 seq 0) 10.0.0.254 > 10.0.0.156
    74: ICMP echo request (len 32 id 9233 seq 1) 10.0.0.254 > 10.0.0.156
    75: ICMP echo reply (len 32 id 9233 seq 1) 10.0.0.156 > 10.0.0.254

    show run
    : Saved
    PIX Version 6.3(4)
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 100full
    interface ethernet3 100full
    interface ethernet4 100full
    interface ethernet4 vlan22 physical
    interface ethernet4 vlan210 logical
    interface ethernet4 vlan350 logical
    interface ethernet5 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 mypixipt security10
    nameif ethernet3 mypixilo security20
    nameif ethernet4 mypixtrunk security30
    nameif ethernet5 INTTNET security10
    nameif vlan210 custsm security34
    nameif vlan350 monnet security35
    enable password LQj7EQ48chDRXWw8 encrypted
    passwd uJtjMb8oDnBAg3Sn encrypted
    hostname mypix-FW
    domain-name mypix.ie
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 172.30.1.199 T21
    access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
    access-list 101 permit ip 10.0.0.0 255.255.255.0 172.30.0.0 255.255.0.0
    access-list 101 permit ip 172.30.0.0 255.255.0.0 10.0.0.0 255.255.255.0
    access-list 101 permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
    access-list 101 permit ip 172.30.0.0 255.255.0.0 172.30.0.0 255.255.0.0
    access-list 101 permit ip 10.1.1.0 255.255.255.0 172.30.0.0 255.255.0.0
    access-list 101 permit ip 10.0.0.0 255.255.255.0 10.10.8.0 255.255.255.0
    access-list 101 permit ip 172.30.0.0 255.255.0.0 10.10.8.0 255.255.255.0
    access-list 101 permit ip any host 172.30.1.191
    access-list 101 permit ip 192.168.4.0 255.255.255.0 192.168.4.0 255.255.255.0
    access-list 101 permit ip 192.168.100.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list 101 permit ip 192.168.89.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list 101 permit ip 10.10.10.0 255.255.255.0 192.168.89.0 255.255.255.0
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit ip 192.168.200.0 255.255.255.0 172.30.0.0 255.255.254.0
    access-list 101 permit ip 192.168.89.0 255.255.255.0 192.168.89.0 255.255.255.0
    access-list OUTSIDE permit ip any any
    access-list OUTSIDE permit icmp any any
    access-list OUTSIDE permit icmp any any echo-reply
    access-list 103 permit ip 192.168.20.0 255.255.255.0 192.168.20.0 255.255.255.0
    access-list NATMON permit ip 192.168.89.0 255.255.255.0 192.168.200.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu mypixipt 1500
    mtu mypixilo 1500
    mtu mypixtrunk 1500
    mtu INTTNET 1500
    ip address outside 99.199.19.43 255.255.255.192
    ip address inside 10.0.0.254 255.255.255.0
    ip address mypixipt 172.30.1.198 255.255.254.0
    ip address mypixilo 192.168.4.254 255.255.255.0
    no ip address mypixtrunk
    ip address INTTNET 192.168.20.254 255.255.255.0
    ip address custsm 192.168.200.250 255.255.255.0
    ip address monnet 192.168.89.250 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool mypixVPN2 10.10.8.1-10.10.8.10
    ip local pool mypixVPN3 172.30.1.145-172.30.1.149
    ip local pool mypixVPN1 192.168.4.90-192.168.4.95
    ip local pool mypixVPN4 192.168.100.90-192.168.100.95
    ip local pool mypixVPN5 192.168.20.145-192.168.20.149
    no failover
    global (outside) 1 interface
    global (custsm) 1 192.168.200.111
    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (mypixipt) 0 access-list 101
    nat (mypixilo) 0 access-list 101
    nat (mypixtrunk) 0 access-list 101
    nat (INTTNET) 0 access-list 103
    nat (monnet) 1 access-list NATMON 0 0
    access-group OUTSIDE in interface outside
    access-group OUTSIDE in interface mypixipt
    access-group OUTSIDE in interface mypixilo
    access-group OUTSIDE in interface mypixtrunk
    access-group 103 in interface INTTNET
    access-group OUTSIDE in interface custsm
    access-group OUTSIDE in interface monnet
    route outside 0.0.0.0 0.0.0.0 99.199.19.1 1
    route mypixipt 172.30.200.0 255.255.255.0 172.30.1.254 1
    route custsm 192.168.1.0 255.255.255.0 192.168.200.254 1
    timeout xlate 3:00:00
    : end
    nedtrilby@googlemail.com, Nov 16, 2011, #1
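When reading output like the above, the check a practitioner wants is mechanical: for every echo request the PIX logged, was a translation built, and did a reply ever come back for that flow on either side of the NAT? The script below is an added example written for this page; it is not code from the post or from Cisco. It parses the two ICMP debug line formats and the `show xlate` lines quoted in the post (the sample input is a subset copied from the post above) and reports request flows that were translated but never answered, next to the xlate entry the firewall built for them. The regular expressions are assumptions about the line formats based only on the lines shown here.

```python
import re
from collections import defaultdict

# Assumed line formats, derived from the lines quoted in the post:
#   "NN: ICMP echo request (len L id I seq S) A > B"          (packet trace)
#   "NN: ICMP echo-request from IF:A to B ID=I seq=S ..."     (NAT-side request)
#   "NN: ICMP echo-request: translating IF:A/I to IF:G/P"      (xlate being built)
#   "PAT Global G(P) Local A ICMP id I"                        (show xlate, ICMP)
RE_TRACE = re.compile(
    r"^\d+: ICMP echo (?P<kind>request|reply) \(len \d+ id (?P<id>\d+) seq (?P<seq>\d+)\) "
    r"(?P<src>\S+) > (?P<dst>\S+)$"
)
RE_NAT_REQ = re.compile(  # optional "hostname(config)# " prompt glued to the front
    r"^(?:\S+# )?\d+: ICMP echo-request from (?P<iface>\w+):(?P<src>\S+) to (?P<dst>\S+) "
    r"ID=(?P<id>\d+) seq=(?P<seq>\d+)"
)
RE_TRANSLATE = re.compile(
    r"^\d+: ICMP echo-request: translating (?P<liface>\w+):(?P<laddr>\S+)/(?P<lid>\d+) to "
    r"(?P<giface>\w+):(?P<gaddr>\S+)/(?P<gport>\d+)"
)
RE_XLATE_ICMP = re.compile(
    r"^PAT Global (?P<gaddr>\S+)\((?P<gport>\d+)\) Local (?P<laddr>\S+) ICMP id (?P<id>\d+)$"
)

# Sample input: a subset of the debug and xlate lines quoted in the post.
SAMPLE_DEBUG = """\
47: ICMP echo request (len 32 id 4 seq 6400) 192.168.89.249 > 192.168.89.250
48: ICMP echo reply (len 32 id 4 seq 6400) 192.168.89.250 > 192.168.89.249
49: ICMP echo request (len 32 id 4 seq 6656) 192.168.89.249 > 192.168.89.250
50: ICMP echo reply (len 32 id 4 seq 6656) 192.168.89.250 > 192.168.89.249
55: ICMP echo-request from monnet:192.168.89.249 to 192.168.200.250 ID=1024 seq=7424 length=40
56: ICMP echo-request: translating monnet:192.168.89.249/1024 to custsm:192.168.200.111/1
57: ICMP echo-request from monnet:192.168.89.249 to 192.168.200.250 ID=1024 seq=7680 length=40
58: ICMP echo-request: translating monnet:192.168.89.249/1024 to custsm:192.168.200.111/1
mypix-FW(config)# 63: ICMP echo-request from monnet:192.168.89.249 to 192.168.200.250 ID=1024 seq=8448 length=40
64: ICMP echo-request: translating monnet:192.168.89.249/1024 to custsm:192.168.200.111/2
"""
SAMPLE_XLATE = """\
21 in use, 1520 most used
PAT Global 99.199.19.43(16780) Local 10.0.0.154(4137)
PAT Global 192.168.200.111(2) Local 192.168.89.249 ICMP id 1024
"""


def parse_debug(text):
    """Count echo requests and replies per (src, dst) flow and collect the
    global address/port each request was translated to.  A reply B -> A is
    credited to the request flow A -> B."""
    flows = defaultdict(lambda: {"requests": 0, "replies": 0, "translations": set()})
    pending = None  # flow of the latest echo-request still awaiting its "translating" line
    for raw in text.splitlines():
        line = raw.strip()
        m = RE_TRACE.match(line)
        if m:
            if m.group("kind") == "request":
                flows[(m.group("src"), m.group("dst"))]["requests"] += 1
            else:
                flows[(m.group("dst"), m.group("src"))]["replies"] += 1
            pending = None
            continue
        m = RE_NAT_REQ.match(line)
        if m:
            pending = (m.group("src"), m.group("dst"))
            flows[pending]["requests"] += 1
            continue
        m = RE_TRANSLATE.match(line)
        if m and pending is not None:
            flows[pending]["translations"].add(
                f"{m.group('giface')}:{m.group('gaddr')}/{m.group('gport')}")
    return dict(flows)


def parse_xlate(text):
    """Return the ICMP PAT entries from 'show xlate'; TCP/UDP entries are skipped."""
    entries = []
    for raw in text.splitlines():
        m = RE_XLATE_ICMP.match(raw.strip())
        if m:
            entries.append({"global": m.group("gaddr"), "port": int(m.group("gport")),
                            "local": m.group("laddr"), "icmp_id": int(m.group("id"))})
    return entries


def unanswered_flows(flows, xlate):
    """Flows with requests but no reply, joined with the xlate entry (if any)
    the PIX built for the same local host, so both can be read side by side."""
    report = []
    for (src, dst), f in sorted(flows.items()):
        if f["requests"] and not f["replies"]:
            report.append({"src": src, "dst": dst, "requests": f["requests"],
                           "translations": sorted(f["translations"]),
                           "xlate": [x for x in xlate if x["local"] == src]})
    return report


if __name__ == "__main__":
    for r in unanswered_flows(parse_debug(SAMPLE_DEBUG), parse_xlate(SAMPLE_XLATE)):
        print(f"{r['src']} -> {r['dst']}: {r['requests']} requests, no reply; "
              f"translated to {r['translations']}; xlate {r['xlate']}")
```

Run against the lines in the post, it separates the flow that works (pings to the monnet interface address, answered without translation) from the one that does not (pings to 192.168.200.250, translated to 192.168.200.111 and never answered), which is the fact to carry into the NAT and access-list review rather than the raw counter dump.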