PAT on PIX with 2 internal networks

Discussion in 'Cisco' started by jeffrey_collins, Oct 3, 2006.

  1. I'm trying to set up PAT for another internal network. Currently the
    192.168.5.0/24 and 192.168.8.0/24 networks are behind our pix firewall
    (actually there is a router to handle each subnet).

    When someone tries to access the web from the 192.168.5.0 network, if I
    do a sh capture <capture name> it shows the 192.168.5.0 address
    correctly translated to the outside address of the pix (for example
    10.10.10.2). Everything works fine.

    However, on the 192.168.8.0/24 network, it doesn't work. Their default
    route is to send it to the router at 192.168.5.254, and then it routes
    it to the 192.168.5.1 address on the pix. However, if I watch the
    capture on the outside interface, it always shows the traffic leaving
    with the IP of 192.168.8.x, instead of using the outside IP. So, I
    know it's getting to and leaving the pix, just using the wrong address.
    I'm trying to figure out why it's not translating it for that subnet.


    Here are some lines from my config that may be relevant. Would
    appreciate any help...

    PIX Version 6.3(3)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    access-list inside permit ip 192.168.5.0 255.255.255.0 any
    access-list inside permit ip 192.168.8.0 255.255.255.0 any
    ip address outside 10.10.10.2 255.255.255.240
    ip address inside 192.168.5.1 255.255.255.0
    global (outside) 1 interface
    global (dmz) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 192.168.0.0 255.255.0.0 0 0
    static (inside,outside) 192.168.8.0 192.168.8.0 netmask 255.255.255.0 0 0
    access-group outside in interface outside
    access-group inside in interface inside
    route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
    route inside 192.168.8.0 255.255.255.0 192.168.5.254 1
     
    jeffrey_collins, Oct 3, 2006
    #1

  2. You need to modify your config:

    no static (inside,outside) 192.168.8.0 192.168.8.0 netmask 255.255.255.0



    or it's better to configure:

    no static (inside,outside) 192.168.8.0 192.168.8.0 netmask 255.255.255.0
    no nat (inside) 1 192.168.0.0 255.255.0.0 0 0


    nat (inside) 1 access-list pat_inside_vs_out 0 0
    access-list pat_inside_vs_out permit ip 192.168.5.0 255.255.255.0 any
    access-list pat_inside_vs_out permit ip 192.168.8.0 255.255.255.0 any
     
    Roberto Taccon, Oct 3, 2006
    #2
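    As an added illustration (not code from the thread or from Cisco), the following Python model of the PIX 6.3 translation lookup order shows why the identity static produced what Jeff saw: statics are consulted before nat/global, so 192.168.8.x matched the identity static and left with its real address, while after Roberto's change it falls through to the access-list-driven nat 1 and is PATed. The body of the nonat access-list is not in the thread and is assumed empty; the sample hosts are constructed.

```python
"""Added example: a small model of the PIX 6.3 translation lookup order.
Order modelled: nat 0 access-list -> static -> nat with access-list -> regular nat/global.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

OUTSIDE_IF_IP = "10.10.10.2"  # 'global (outside) 1 interface' in the thread's config


@dataclass
class PixNatModel:
    nat0_exempt: list = field(default_factory=list)  # nat (inside) 0 access-list nonat (ACL body unknown, assumed empty)
    statics: list = field(default_factory=list)      # (real_net, mapped_net); identity NAT when both are equal
    policy_nat: list = field(default_factory=list)   # nat (inside) 1 access-list <acl>
    dynamic_nat: list = field(default_factory=list)  # nat (inside) 1 <net> <mask>

    def translate(self, src: str):
        """Return (source address seen on the outside interface, rule that matched)."""
        ip = ip_address(src)
        if any(ip in net for net in self.nat0_exempt):
            return src, "nat 0 exemption"
        for real, mapped in self.statics:
            if ip in real:  # a static wins over nat/global, whatever nat id 1 covers
                offset = int(ip) - int(real.network_address)
                return str(mapped.network_address + offset), "static"
        if any(ip in net for net in self.policy_nat + self.dynamic_nat):
            return OUTSIDE_IF_IP, "PAT via global (outside) 1 interface"
        return src, "no translation"


N = ip_network
# Original config from post #1: identity static for 192.168.8.0/24 plus nat 1 for 192.168.0.0/16.
ORIGINAL = PixNatModel(
    statics=[(N("192.168.8.0/24"), N("192.168.8.0/24"))],
    dynamic_nat=[N("192.168.0.0/16")],
)
# Fix from post #2: static removed, nat 1 driven by access-list pat_inside_vs_out.
FIXED = PixNatModel(
    policy_nat=[N("192.168.5.0/24"), N("192.168.8.0/24")],
)


def compare(src: str):
    """Outside source address for `src` before and after the fix."""
    return ORIGINAL.translate(src)[0], FIXED.translate(src)[0]


if __name__ == "__main__":
    for host in ("192.168.5.20", "192.168.8.20"):  # constructed sample hosts
        print(host, "->", ORIGINAL.translate(host), "| fixed:", FIXED.translate(host))
```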

  3. That did the trick. Thanks.

    Jeff

     
    jeffrey_collins, Oct 3, 2006
    #3