Problem with NAt and Cisco PIX

Discussion in 'Cisco' started by Tony, Dec 5, 2003.

  1. Tony

    Tony Guest

    I cannot seem to be able to get NAT to work with the config below.

    Can someone please help

    -----------------------

    : Saved
    :
    PIX Version 6.2(1)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security10
    nameif ethernet3 intf3 security15
    nameif ethernet4 intf4 security20
    nameif ethernet5 intf5 security25
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pix
    domain-name xxxxxxxxxx
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    access-list 101 permit ip any any
    access-list 101 permit icmp any any
    access-list 100 permit icmp any any echo-reply
    access-list 100 permit icmp any any time-exceeded
    access-list 100 permit icmp any any unreachable
    pager lines 24
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto shutdown
    interface ethernet3 auto shutdown
    interface ethernet4 auto shutdown
    interface ethernet5 auto shutdown
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    mtu intf3 1500
    mtu intf4 1500
    mtu intf5 1500
    ip address outside dhcp setroute
    ip address inside 10.10.10.1 255.255.255.0
    ip address intf2 127.0.0.1 255.255.255.255
    ip address intf3 127.0.0.1 255.255.255.255
    ip address intf4 127.0.0.1 255.255.255.255
    ip address intf5 127.0.0.1 255.255.255.255
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    failover ip address outside 0.0.0.0
    failover ip address inside 0.0.0.0
    failover ip address intf2 0.0.0.0
    failover ip address intf3 0.0.0.0
    failover ip address intf4 0.0.0.0
    failover ip address intf5 0.0.0.0
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group 101 in interface outside
    access-group 101 in interface inside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    no sysopt route dnat
    telnet timeout 5
    ssh timeout 5
    dhcpd address 10.10.10.2-10.10.10.10 inside
    dhcpd dns xxxxxxxxxxxxxxxxxxx
    dhcpd wins xxxxxxxxxxxxxxxxxxx
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd domain xxxxxxxxxxxxxxxxxxxx
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:9e4b492cd9834ae682ac76f0d05367d0
    : end
     
    Tony, Dec 5, 2003
    #1

  2. In article <bqr3e2$3qq$>,
    Tony <> wrote:
    :I cannot seem to be able to get NAT to work with the config below.

    What symptoms are you encountering?

    :PIX Version 6.2(1)

    :access-list 101 permit ip any any
    :access-list 101 permit icmp any any

    icmp is a subset of ip, so you do not need both.

    :access-list 100 permit icmp any any echo-reply
    :access-list 100 permit icmp any any time-exceeded
    :access-list 100 permit icmp any any unreachable

    You are not using access-list 100.

    :ip address outside dhcp setroute
    :ip address inside 10.10.10.1 255.255.255.0

    :global (outside) 1 interface
    :nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    Those should be okay.

    :access-group 101 in interface outside
    :access-group 101 in interface inside

    You can run into subtle problems with using the same access list for
    two purposes.

    You probably do not want to permit ip any any to the inside.
    Perhaps you wanted access-group 100 in interface outside.

    :icmp permit any outside
    :icmp permit any inside

    It can be dangerous (in a security sense) to allow your PIX to respond
    to arbitrary icmp packets from the 'net.


    I do not see any problems with your NAT, unless perhaps using the same
    access-list number is a problem. What do you see that is not working?
    --
    When your posts are all alone / and a user's on the phone/
    there's one place to check -- / Upstream!
    When you're in a hurry / and propagation is a worry/
    there's a place you can post -- / Upstream!
     
    Walter Roberson, Dec 5, 2003
    #2

  3. Tony

    Tony Guest

    My internal host 10.10.10.2 cannot get out to the net.

    It can ping the internal interface 10.10.10.1 though.


    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:bqr58s$qka$...
    > In article <bqr3e2$3qq$>,
    > Tony <> wrote:
    > :I cannot seem to be able to get NAT to work with the config below.
    >
    > What symptoms are you encountering?
    >
    > :PIX Version 6.2(1)
    >
    > :access-list 101 permit ip any any
    > :access-list 101 permit icmp any any
    >
    > icmp is a subset of ip, so you do not need both.
    >
    > :access-list 100 permit icmp any any echo-reply
    > :access-list 100 permit icmp any any time-exceeded
    > :access-list 100 permit icmp any any unreachable
    >
    > You are not using access-list 100
    >
    > :ip address outside dhcp setroute
    > :ip address inside 10.10.10.1 255.255.255.0
    >
    > :global (outside) 1 interface
    > :nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    >
    > Those should be okay.
    >
    > :access-group 101 in interface outside
    > :access-group 101 in interface inside
    >
    > You can run into subtle problems with using the same access list for
    > two purposes.
    >
    > You probably do not want to permit ip any any to the inside.
    > Perhaps you wanted access-group 100 in interface outside
    >
    > :icmp permit any outside
    > :icmp permit any inside
    >
    > It can be dangerous (in a security sense) to allow your PIX to respond
    > to arbitrary icmp packets from the 'net.
    >
    >
    > I do not see any problems with your NAT, unless perhaps using the same
    > access-list number is a problem. What do you see that is not working?
    > --
    > When your posts are all alone / and a user's on the phone/
    > there's one place to check -- / Upstream!
    > When you're in a hurry / and propagation is a worry/
    > there's a place you can post -- / Upstream!
     
    Tony, Dec 5, 2003
    #3
  4. Chris

    Chris Guest

    "Tony" <> wrote in message
    news:bqr5g3$63v$...
    > My internal host 10.10.10.2 cannot get out to the net
    >
    > it can ping the internal interface 10.10.10.1 though
    >


    Does this host have a default gateway set?

    Chris.
     
    Chris, Dec 7, 2003
    #4
  5. JOE CAMPOS

    JOE CAMPOS Guest

    NBAR or IDSM-2 to stop blaster between vlans?

    Scenario:
    We have 13 floors in our building. All the floors come down into the same
    switch via gig links. Each floor is an individual subnet VLAN. That switch
    then communicates to other server farm switches via a gig uplink. The
    problem we want to remedy is how to keep workstations that are infected with
    Blaster or future variants from "blasting" each other from floor to floor. By this
    I mean, if we have infected machines on the 5th floor then they will bombard
    clients on the other floors. What is the best way to contain this situation?
    Should I use the IDSM-2 to shun these attacks via dynamic VACLs, or should I
    use NBAR for this situation, or even just private VLANs? Of course private
    VLANs will only help on each respective VLAN subnet. Also, if I use NBAR
    (IDSM-2 too?) will it block all good traffic as well? I know with NBAR I
    can have it drop traffic altogether, which is the ultimate goal. I have read
    the following SAFE document and it is very good, but it still leaves many
    questions unanswered. There is an NBAR sample config there as well.
    http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801b2391.shtml
     
    JOE CAMPOS, Dec 8, 2003
    #5
