Firewall Wizards mailing list archives
RE: PIX static NAT issue
From: "Ahmed, Balal" <balal.ahmed () cgey com>
Date: Thu, 5 Jun 2003 10:28:40 +0100
Cisco have confirmed they are unable to reproduce the issue. We have removed the statics, cleared the xlates, reinserted the xlates and it now seems to be working. Yes, I have added host routes on the PIX to 'host' specifying the mgt interface. 'host' is running Solaris 8.

-----Original Message-----
From: Gene Chapman [mailto:genec () callfusion com]
Sent: 04 June 2003 20:05
To: 'Ahmed, Balal'
Subject: RE: [fw-wiz] PIX static NAT issue

Did you add routes to the PIX 10.10.10.163 use interface .189, and the opposite on the host? If so, next question, what O/S is the host running?

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Ahmed, Balal
Sent: Wednesday, June 04, 2003 4:50 AM
To: firewall-wizards () honor icsalabs com
Cc: Ahmed, Balal
Subject: [fw-wiz] PIX static NAT issue

Wizards,

I am having problems with static NAT on a PIX running 6.2.2. An ASCII representation is given below. 'Host' is a dual-homed machine. Its default gateway is the inside interface of the PIX. It has static routes to 'admins' through the mgt interface. The statics that are configured are:

static (inside,outside) 10.10.10.21 10.10.10.21 netmask 255.255.255.255 0 0
static (mgt,outside) 10.10.10.163 10.10.10.163 netmask 255.255.255.255 0 0

The behaviour we are seeing is that 'the world' can access the dual-homed host on 10.10.10.21. 'The admins' can connect on 10.10.10.21 but not on 10.10.10.163. If a clear xlate is performed ONE ICMP echo reply comes back and then it stops working. When a ping is initiated on 'host' to 'admins', connectivity works until the xlate times out. Routing on the firewall & host is correct, but on checking the logs it seems that inbound packets destined for 10.10.10.163 are being sent to the inside interface whereas they should be sent to the mgt interface. Actual IP addresses have been sanitised.

Any ideas?
 the world-----|------admins
               |
               |192.168.1.1/25
               |outside
          '''''''''''''''''''
  backup  '                 '  mgt 10.10.10.189/27
 ---------'       PIX       '------------
 172.16.1.1/29              '           |
          '''''''''''''''''''           |
               |                        |
               |inside                  |
               |10.10.10.13/28          |
               |                        |
               |10.10.10.21/28          |10.10.10.163/27
          '''''''''''''''''''''''''''''''''
          '             host            '
          '''''''''''''''''''''''''''''''''

Balal Ahmed
Security Analyst

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
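The thread's complaint is that a static declared on one interface (mgt) was being serviced as if it belonged to another (inside), and the eventual workaround was per-host routes plus a clear xlate. The following script is an added example, not code from the thread or from Cisco: it audits a list of PIX `static` statements against a routing table built from the interface addresses in the diagram above, reporting every static whose real-side interface is not the one a longest-prefix route lookup would pick for the real address. The interface addresses and the two statics are taken from the thread; the per-host routes in the second audit are constructed to mirror the fix Balal describes.

```python
# Added example (not from the thread): audit PIX 'static' statements against
# the firewall's routing table and flag any static whose real-side interface
# disagrees with where the real address would actually be routed.
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Matches the 'static (real_if,mapped_if) mapped real [netmask m]' form used in
# the thread; the trailing connection limits ('0 0') are simply ignored.
STATIC_RE = re.compile(
    r"static\s+\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+"
    r"(?P<mapped>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<real>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+netmask\s+(?P<mask>\d{1,3}(?:\.\d{1,3}){3}))?"
)

Route = Tuple[ipaddress.IPv4Network, str]  # (prefix, egress interface)
Problem = Tuple[str, str, Optional[str]]   # (real addr, declared if, routed if)


@dataclass(frozen=True)
class Static:
    real_if: str
    mapped_if: str
    mapped: ipaddress.IPv4Network
    real: ipaddress.IPv4Network


def parse_static(line: str) -> Static:
    """Parse one 'static' line; a missing netmask means a single host (/32)."""
    m = STATIC_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a static statement: {line!r}")
    mask = m.group("mask") or "255.255.255.255"
    return Static(
        real_if=m.group("real_if"),
        mapped_if=m.group("mapped_if"),
        mapped=ipaddress.IPv4Network(f"{m.group('mapped')}/{mask}"),
        real=ipaddress.IPv4Network(f"{m.group('real')}/{mask}"),
    )


def connected_routes(interfaces: Dict[str, str]) -> List[Route]:
    """Derive connected routes from a 'name -> addr/prefix' interface table."""
    return [(ipaddress.IPv4Interface(cidr).network, name)
            for name, cidr in interfaces.items()]


def lookup(routes: List[Route], addr: str) -> Optional[str]:
    """Longest-prefix match: the egress interface for addr, or None if unrouted."""
    ip = ipaddress.IPv4Address(addr)
    best: Optional[Route] = None
    for net, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def check_statics(statics: List[Static], routes: List[Route]) -> List[Problem]:
    """Report each static whose declared real interface is not the routed one."""
    problems: List[Problem] = []
    for s in statics:
        real_addr = str(s.real.network_address)
        routed = lookup(routes, real_addr)
        if routed != s.real_if:
            problems.append((real_addr, s.real_if, routed))
    return problems


# Interface addresses as drawn in the thread's diagram.
INTERFACES = {
    "outside": "192.168.1.1/25",
    "backup": "172.16.1.1/29",
    "mgt": "10.10.10.189/27",
    "inside": "10.10.10.13/28",
}

# The two statics quoted in the thread.
STATICS = [parse_static(line) for line in (
    "static (inside,outside) 10.10.10.21 10.10.10.21 netmask 255.255.255.255 0 0",
    "static (mgt,outside) 10.10.10.163 10.10.10.163 netmask 255.255.255.255 0 0",
)]


def audit_connected_only() -> List[Problem]:
    """Audit using nothing but the connected routes."""
    return check_statics(STATICS, connected_routes(INTERFACES))


def audit_with_host_routes() -> List[Problem]:
    """Audit after adding per-host routes (constructed, mirroring the thread's fix)."""
    routes = connected_routes(INTERFACES) + [
        (ipaddress.IPv4Network("10.10.10.21/32"), "inside"),
        (ipaddress.IPv4Network("10.10.10.163/32"), "mgt"),
    ]
    return check_statics(STATICS, routes)


if __name__ == "__main__":
    print("connected routes only:", audit_connected_only())
    print("with host routes:     ", audit_with_host_routes())
```

With only the connected routes, 10.10.10.163 already resolves to mgt, but the sanitised diagram puts 10.10.10.21/28 in a different /28 from the PIX's inside address 10.10.10.13/28, so the audit reports that static as unrouted until a host route via inside is supplied; the second audit, with both host routes present, comes back clean. Running this kind of check after every static or route change (and pairing it with a clear xlate, as the thread ends up doing) catches static/route disagreements before they show up as one-packet-then-silence in the logs.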