Firewall Wizards mailing list archives

RE: PIX static NAT issue


From: "Ahmed, Balal" <balal.ahmed () cgey com>
Date: Thu, 5 Jun 2003 10:28:40 +0100

Cisco have confirmed they are unable to reproduce the issue.

We have removed the statics, cleared the xlates, reinserted the xlates and
it now seems to be working.

Yes, I have added host routes on the PIX to 'host' specifying the mgt
interface. 'host' is running Solaris 8.

-----Original Message-----
From: Gene Chapman [mailto:genec () callfusion com]
Sent: 04 June 2003 20:05
To: 'Ahmed, Balal'
Subject: RE: [fw-wiz] PIX static NAT issue


Did you add routes to the PIX 10.10.10.163 use interface .189, and the
opposite on the host?

If so, next question, what O/S is the host running?

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Ahmed,
Balal
Sent: Wednesday, June 04, 2003 4:50 AM
To: firewall-wizards () honor icsalabs com
Cc: Ahmed, Balal
Subject: [fw-wiz] PIX static NAT issue


Wizards,

I am having problems with static NAT on a PIX running 6.2.2. An ASCII
representation is given below. 'Host' is a dual-homed machine. Its default
gateway is the inside interface of the PIX. It has static routes to 'admins'
through the mgt interface. The statics that are configured are:

static (inside,outside) 10.10.10.21 10.10.10.21 netmask 255.255.255.255 0 0
static (mgt,outside) 10.10.10.163 10.10.10.163 netmask 255.255.255.255 0 0

The behaviour we are seeing is that 'the world' can access the dual-homed
host on 10.10.10.21. 'The admins' can connect on 10.10.10.21 but not on
10.10.10.163. If a clear xlate is performed, ONE ICMP echo reply comes back
and then it stops working. When a ping is initiated on 'host' to 'admins',
connectivity works until the xlate times out.

Routing on the firewall & host is correct, but on checking the logs it seems
that inbound packets destined for 10.10.10.163 are being sent to the inside
interface whereas they should be sent to the mgt interface.

Actual IP addresses have been sanitised.

Any ideas?


    the world-----|------admins
                  |
                  |
                  |192.168.1.1/25
                  |outside
          '''''''''''''''''''
backup    '                 'mgt 10.10.10.189/27
--------  '   PIX           '------------
172.16.1.1/29               '           |
          '''''''''''''''''''           |
                  |inside               |
                  |10.10.10.13/28       |
                  |                     |
                  |                     |10.10.10.163/27
                  |   10.10.10.21/28 '''''''''
                  -------------------'  host  '
                                     '''''''''

                        Balal Ahmed
                        Security Analyst
                        







_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards